// Trust & Security Report

    Avalara, Inc. logo

    Avalara, Inc.

    Avalara tax compliance and agentic AI platform: AvaTax (tax calculation), Avalara Returns / Managed Returns / Returns for Accountants, Exemption Certificate Management (ECM), e-invoicing and Property Tax modules, plus new Avi/agentic AI compliance agents ("ALFA" AI foundry). No dedicated public trust center was located; evidence is pieced together from press releases, product marketing pages, and legal/privacy pages.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Avalara AvaTax, Avalara Managed Returns, Avalara Returns for Accountants, Avalara Managed Returns for Accountants, and Avalara Exemption Certificate Management solutions have successfully completed the Service Organization Control (SOC) 2 Type 2 examination.

    Verify on newsroom.avalara.com
    ISO 27001
    HELD

    With role-based access and certifications, including SOC 2 and ISO 27001, Avalara is ready for the most demanding compliance environments.

    Verify on avalara.com
    GDPR (posture, not a certification)
    HELD

    Avalara, Inc. Services Data Processing Agreement ... EEA & United Kingdom Privacy Notice ... Subprocessors ... This Privacy Notice describes our privacy practices where we are acting as the controller of personal data.

    Verify on legal.avalara.com
    > Show 7 unconfirmed / not-held certifications
    SOC 1 Type 2
    NOT CONFIRMED

    Avalara's own Knowledge Center references an 'SSAE 18 SOC 1 Type 2 report' available on customer request (help.avalara.com FAQ 'How can I request a copy of Avalara's SSAE 18 SOC 1 Type 2 report'), but the full article body and report scope could not be retrieved to confirm current validity, so this is recorded as unconfirmed rather than held.

    source: help.avalara.com
    ISO 27017 / ISO 27018
    NOT CONFIRMED

    No public evidence on any avalara.com or newsroom.avalara.com page. Third-party aggregator sites (e.g. a finance-tools review blog) list these alongside SOC 1/2 and ISO 27001, but that claim could not be traced to a vendor-domain source and is not counted.

    source: avalara.com
    HIPAA
    NOT CONFIRMED

    No public evidence. A third-party security-scoring site (nudgesecurity.com) lists Avalara as 'HIPAA Compliant, PCI Compliant, FedRamp Compliant, CSA Star Level 1 Compliant' but this is not a vendor-domain source, is not corroborated anywhere on avalara.com, legal.avalara.com, or newsroom.avalara.com, and looks like an automated badge inference rather than a verified claim. Avalara is a tax-compliance platform, not a healthcare data processor, so HIPAA is likely out of scope.

    source: legal.avalara.com
    PCI DSS
    NOT CONFIRMED

    We use third-party payment provider CyberSource and Fiserv, to process payments made to us... We do not retain any personally identifiable financial information, such as payment card number, you provide these third-party payment providers in connection with payments.

    source: legal.avalara.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on any avalara.com page or in Avalara newsroom releases. Only a third-party (non-vendor) site makes this claim, unverified.

    source: legal.avalara.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on any avalara.com page. Only an unverified third-party claim exists.

    source: legal.avalara.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 or an equivalent AI-governance certification despite Avalara's heavy marketing push around agentic AI (ALFA, Avi).

    source: avalara.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multiple regional privacy notices found (US, EEA/UK, Australia, India, Brazil), indicating global data handling with region-specific entities (Avalara, Inc. and Avalara Europe Ltd. each have their own DPA). No single consolidated data-residency statement found on a vendor page.

    No vendor-domain page found that states whether customer transaction/tax data is used to train Avalara's AI models (ALFA foundry, Avi agents) or how to opt out. Avalara's Services Data Processing Agreement states Avalara processes Customer Data only per customer instructions and 'shall not process Customer Data for any other purpose,' which would argue against training on customer data, but no explicit AI-training statement or opt-out mechanism was located. This is a gap Avalara should be asked to clarify directly given its new agentic AI push.

    // Security controls

    Access control

    Role-based access controls and audit trails referenced on the AI-compliance product page.

    avalara.com

    Uptime / availability

    '99.99% uptime with multicloud, active-active redundancy' claimed on the homepage; no independent status-page evidence reviewed.

    avalara.com

    Payment data handling

    Avalara does not retain payment card data itself; card payments are processed by third parties CyberSource and Fiserv.

    legal.avalara.com

    TLS / API certificates

    Developer documentation references TLS/SSL certificates used for the AvaTax REST API in both sandbox and production environments.

    developer.avalara.com

    // Products & data scope

    AvaTaxTax calculation engine (API/integration)

    data: Transaction-level tax data, product/SKU data, exemption info

    Named directly in the 2023 SOC 2 Type 2 scope.

    Avalara Managed Returns / Returns for AccountantsTax filing automation

    data: Filed return data, business tax IDs, jurisdiction data

    Named directly in the 2023 SOC 2 Type 2 scope.

    Exemption Certificate Management (ECM)Compliance document management

    data: Customer exemption certificates, buyer identity data

    Named directly in the 2023 SOC 2 Type 2 scope.

    Avi / agentic AI compliance agents (ALFA foundry)AI agents embedded in ERPs/billing platforms

    data: Transaction and compliance data from connected business systems, aggregated across 60,000+ regulatory sources

    Newest product line (launched 2025); no dedicated SOC 2/ISO scope statement found for this line specifically, only a general company-level 'SOC 2 and ISO 27001' claim on its own marketing page.

    E-Invoicing / Live ReportingCountry-specific e-invoicing compliance

    data: Invoice-level transaction data for regulatory submission

    Third-party research indicates a related Avalara-owned entity (formerly Impendulo, now part of Avalara Europe) held an ISO 27001 certificate for this scope, but the source page redirected to a generic blog and could not be independently confirmed on avalara.com; not counted as held for the parent Avalara brand.

    // What to watch

    • SOC 2 Type 2 proof is scoped to five named products (AvaTax, Managed Returns, Returns for Accountants, Managed Returns for Accountants, ECM) as of January 2023 -- not a blanket company-wide certification, and no more recent renewal announcement was found.
    • ISO 27001 claim only appears as unscoped marketing copy on the ai-compliance.html product page ('certifications, including SOC 2 and ISO 27001'), with no cert number, issuing body, scope, or date found on any vendor page -- weaker evidence than the SOC 2 press release. Recommend independent verification (e.g. requesting the certificate) before treating this as fully confirmed.
    • Third-party security-scoring sites (not vendor-owned) claim Avalara also holds HIPAA, PCI DSS, FedRAMP, and CSA STAR certifications; none of these could be corroborated on any avalara.com, legal.avalara.com, or newsroom.avalara.com page. Treating these as an over-claim risk and grading them held=false pending vendor confirmation.
    • No public statement found on whether customer/transaction data is used to train Avalara's AI agents (Avi, ALFA) or how to opt out -- notable gap given the company's heavy 2025-2026 push into agentic AI.
    • A separate ISO 27001 certificate reportedly held by 'Impendulo by Avalara' (an acquired French e-invoicing subsidiary) surfaced in search results but the source URL redirected away from the original content and scope could not be confirmed; excluded from the parent-brand cert list to avoid conflating a subsidiary's product-specific certification with company-wide coverage.

    // At a glance

    Pricing model

    Quote-based / tiered by transaction volume and modules (not publicly listed pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Avalara, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    legal.avalara.com

    > Browse all vendor trust reports