// Trust & Security Report

    Amazon Web Services, Inc. logo

    Amazon Web Services, Inc.

    Amazon Lex is AWS's conversational AI / chatbot-building service (voice and text), available as Lex V1 (legacy) and Lex V2, and embedded in Amazon Connect contact-center flows; it inherits AWS's platform-wide compliance program rather than holding independent certifications.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1 / SOC 2 / SOC 3
    HELD

    Third-party auditors assess the security and compliance of Amazon Lex V2 as part of multiple AWS compliance programs... It is PCI, SOC, and ISO compliant.

    Verify on docs.aws.amazon.com
    ISO 27001
    HELD

    Amazon Lex is now one of the AWS services under ISO Compliance for the ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.

    Verify on aws.amazon.com
    ISO 27017 (cloud security)
    HELD

    Amazon Lex is now one of the AWS services under ISO Compliance for the ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.

    Verify on aws.amazon.com
    ISO 27018 (PII in cloud)
    HELD

    Amazon Lex is now one of the AWS services under ISO Compliance for the ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards.

    Verify on aws.amazon.com
    PCI DSS Level 1
    HELD

    Amazon Lex is now a Payment Card Industry Data Security Standard (PCI DSS) compliant service. Customers can now use Amazon Lex to capture, transmit, and retrieve sensitive payment card data for use cases such as payment processing, and mobile wallet that are subject to PCI DSS compliance.

    Verify on aws.amazon.com
    HIPAA (eligible service, BAA required)
    HELD

    Amazon Lex V2 is a HIPAA eligible service.

    Verify on docs.aws.amazon.com
    FedRAMP
    HELD

    Amazon Lex is an AWS service for building conversational interfaces into applications using voice and text. [Amazon Lex] ... achieved FedRAMP Moderate authorization in the AWS US East/West Regions.

    Verify on aws.amazon.com
    > Show 3 unconfirmed / not-held certifications
    ISO 27701 (privacy information management)
    NOT CONFIRMED

    AWS holds ISO/IEC 27701:2019 certification at the platform level (aws.amazon.com/compliance/iso-27701-faqs/), but no vendor-domain source specifically lists Amazon Lex as in-scope for this certificate; no public evidence found for Lex specifically.

    source: aws.amazon.com
    ISO 42001 (AI management system)
    NOT CONFIRMED

    AWS holds an ISO/IEC 42001:2023 certificate at the platform level, but the FAQ states covered services are listed only inside the certificate document itself; Amazon Lex is not named on the public FAQ page, so Lex-specific scope is unconfirmed. No public evidence found for Lex specifically.

    source: aws.amazon.com
    CSA STAR
    NOT CONFIRMED

    AWS publishes CSA STAR certificates covering an evolving list of in-scope services (see 2023-2025 AWS Security Blog updates), but no vendor-domain source names Amazon Lex specifically as in-scope. No public evidence found for Lex specifically.

    source: aws.amazon.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Customer selects the AWS Region for Lex deployment; content used for service improvement/model training may be stored in a different AWS Region unless the customer opts out.

    AWS's own documentation states AI services including Lex may use and store customer content by default for service improvement, including model training, and may store it outside the region of use; this is opt-out (not opt-in) via an AWS Organizations AI services opt-out policy. Opting out stops future use and deletes previously stored training copies, but does not delete content needed to run the service itself.

    // Security controls

    Encryption in transit

    AWS documentation for Lex V2 recommends and defaults to SSL/TLS for all communication with AWS resources/APIs.

    docs.aws.amazon.com

    Shared responsibility model

    AWS is responsible for securing the underlying global infrastructure; customers/APN partners are responsible, as data controllers or processors, for personal data they put into Lex.

    docs.aws.amazon.com

    Access control

    AWS recommends IAM with least-privilege user accounts and multi-factor authentication (MFA) for accounts using Lex.

    docs.aws.amazon.com

    Audit logging

    AWS recommends enabling AWS CloudTrail for API and user activity logging around Lex usage.

    docs.aws.amazon.com

    PCI DSS Level 1 assessment

    AWS is certified as a PCI DSS Level 1 Service Provider (highest level), independently assessed by Coalfire Systems Inc., and Lex specifically is named as PCI DSS compliant.

    aws.amazon.com

    // Products & data scope

    Amazon Lex V2Conversational AI / chatbot builder

    data: Voice and text conversation input, intent/slot data, session attributes; can be configured to process payment-card and PHI data under BAA/PCI scope.

    Current generation; explicitly named HIPAA-eligible, PCI DSS compliant, ISO 9001/27001/27017/27018 compliant, and SOC/PCI/ISO compliant per AWS's own compliance-validation documentation.

    Amazon Lex V1Conversational AI / chatbot builder (legacy)

    data: Same conversational data as V2.

    Legacy version, still documented separately (docs.aws.amazon.com/lex/latest/dg/compliance.html); AWS steers new builds to V2.

    Amazon Connect + Lex integrationContact-center / IVR conversational AI

    data: Call/chat transcripts and routing data flowing between Amazon Connect and Lex bots.

    Used for enterprise IVR and self-service automation (per AWS customer case studies on the product page); inherits Connect's own compliance scope in addition to Lex's.

    // What to watch

    • AWS AI services (Lex included) train/use customer content for service improvement by default; it is opt-out, not opt-in. This should be surfaced prominently rather than assumed 'no training' just because the vendor is AWS.
    • ISO 27701, ISO 42001, and CSA STAR are held by AWS at the platform level but Lex's specific inclusion in the certified service list could not be confirmed from public vendor pages; graded held=false to avoid over-claiming.
    • FedRAMP authorization confirmed for Lex is Moderate in AWS US East/West commercial regions per the cited 2019 announcement; do not represent this as FedRAMP High or GovCloud-authorized without re-verifying current AWS GovCloud service-in-scope lists, since AWS's authorized-service lists change over time.
    • Because Amazon Lex is a feature/service of the AWS platform rather than an independently operated company, its compliance posture is entirely inherited from AWS's platform-wide programs (AWS Artifact) rather than product-specific audits; list it as 'part of AWS' rather than a standalone vendor with its own security team.

    // At a glance

    Pricing model

    Pay-as-you-go, usage-based (per AWS product page: "Pay-as-you-go pricing")

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Amazon Web Services, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    aws.amazon.com

    > Browse all vendor trust reports