// Trust & Security Report
Amazon Web Services, Inc.
Amazon Lex is AWS's conversational AI / chatbot-building service (voice and text), available as Lex V1 (legacy) and Lex V2, and embedded in Amazon Connect contact-center flows; it inherits AWS's platform-wide compliance program rather than holding independent certifications.
Certifications held
7
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.aws.amazon.com“Third-party auditors assess the security and compliance of Amazon Lex V2 as part of multiple AWS compliance programs... It is PCI, SOC, and ISO compliant.”
Verify on aws.amazon.com“Amazon Lex is now one of the AWS services under ISO Compliance for the ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.”
Verify on aws.amazon.com“Amazon Lex is now one of the AWS services under ISO Compliance for the ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.”
Verify on aws.amazon.com“Amazon Lex is now one of the AWS services under ISO Compliance for the ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.”
Verify on aws.amazon.com“Amazon Lex is now a Payment Card Industry Data Security Standard (PCI DSS) compliant service. Customers can now use Amazon Lex to capture, transmit, and retrieve sensitive payment card data for use cases such as payment processing, and mobile wallet that are subject to PCI DSS compliance.”
Verify on docs.aws.amazon.com“Amazon Lex V2 is a HIPAA eligible service.”
Verify on aws.amazon.com“Amazon Lex is an AWS service for building conversational interfaces into applications using voice and text. [Amazon Lex] ... achieved FedRAMP Moderate authorization in the AWS US East/West Regions.”
> Show 3 unconfirmed / not-held certifications
source: aws.amazon.comAWS holds ISO/IEC 27701:2019 certification at the platform level (aws.amazon.com/compliance/iso-27701-faqs/), but no vendor-domain source specifically lists Amazon Lex as in-scope for this certificate; no public evidence found for Lex specifically.
source: aws.amazon.comAWS holds an ISO/IEC 42001:2023 certificate at the platform level, but the FAQ states covered services are listed only inside the certificate document itself; Amazon Lex is not named on the public FAQ page, so Lex-specific scope is unconfirmed. No public evidence found for Lex specifically.
source: aws.amazon.comAWS publishes CSA STAR certificates covering an evolving list of in-scope services (see 2023-2025 AWS Security Blog updates), but no vendor-domain source names Amazon Lex specifically as in-scope. No public evidence found for Lex specifically.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Customer selects the AWS Region for Lex deployment; content used for service improvement/model training may be stored in a different AWS Region unless the customer opts out.
AWS's own documentation states AI services including Lex may use and store customer content by default for service improvement, including model training, and may store it outside the region of use; this is opt-out (not opt-in) via an AWS Organizations AI services opt-out policy. Opting out stops future use and deletes previously stored training copies, but does not delete content needed to run the service itself.
// Security controls
Encryption in transit
AWS documentation for Lex V2 recommends and defaults to SSL/TLS for all communication with AWS resources/APIs.
docs.aws.amazon.comShared responsibility model
AWS is responsible for securing the underlying global infrastructure; customers/APN partners are responsible, as data controllers or processors, for personal data they put into Lex.
docs.aws.amazon.comAccess control
AWS recommends IAM with least-privilege user accounts and multi-factor authentication (MFA) for accounts using Lex.
docs.aws.amazon.comAudit logging
AWS recommends enabling AWS CloudTrail for API and user activity logging around Lex usage.
docs.aws.amazon.comPCI DSS Level 1 assessment
AWS is certified as a PCI DSS Level 1 Service Provider (highest level), independently assessed by Coalfire Systems Inc., and Lex specifically is named as PCI DSS compliant.
aws.amazon.com// Products & data scope
data: Voice and text conversation input, intent/slot data, session attributes; can be configured to process payment-card and PHI data under BAA/PCI scope.
Current generation; explicitly named HIPAA-eligible, PCI DSS compliant, ISO 9001/27001/27017/27018 compliant, and SOC/PCI/ISO compliant per AWS's own compliance-validation documentation.
data: Same conversational data as V2.
Legacy version, still documented separately (docs.aws.amazon.com/lex/latest/dg/compliance.html); AWS steers new builds to V2.
data: Call/chat transcripts and routing data flowing between Amazon Connect and Lex bots.
Used for enterprise IVR and self-service automation (per AWS customer case studies on the product page); inherits Connect's own compliance scope in addition to Lex's.
// What to watch
- AWS AI services (Lex included) train/use customer content for service improvement by default; it is opt-out, not opt-in. This should be surfaced prominently rather than assumed 'no training' just because the vendor is AWS.
- ISO 27701, ISO 42001, and CSA STAR are held by AWS at the platform level but Lex's specific inclusion in the certified service list could not be confirmed from public vendor pages; graded held=false to avoid over-claiming.
- FedRAMP authorization confirmed for Lex is Moderate in AWS US East/West commercial regions per the cited 2019 announcement; do not represent this as FedRAMP High or GovCloud-authorized without re-verifying current AWS GovCloud service-in-scope lists, since AWS's authorized-service lists change over time.
- Because Amazon Lex is a feature/service of the AWS platform rather than an independently operated company, its compliance posture is entirely inherited from AWS's platform-wide programs (AWS Artifact) rather than product-specific audits; list it as 'part of AWS' rather than a standalone vendor with its own security team.
// At a glance
Pricing model
Pay-as-you-go, usage-based (per AWS product page: "Pay-as-you-go pricing")
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Amazon Web Services, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
aws.amazon.com