// Trust & Security Report
Avalara, Inc.
Avalara tax compliance and agentic AI platform: AvaTax (tax calculation), Avalara Returns / Managed Returns / Returns for Accountants, Exemption Certificate Management (ECM), e-invoicing and Property Tax modules, plus new Avi/agentic AI compliance agents ("ALFA" AI foundry). No dedicated public trust center was located; evidence is pieced together from press releases, product marketing pages, and legal/privacy pages.
Certifications held
3
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on newsroom.avalara.com“Avalara AvaTax, Avalara Managed Returns, Avalara Returns for Accountants, Avalara Managed Returns for Accountants, and Avalara Exemption Certificate Management solutions have successfully completed the Service Organization Control (SOC) 2 Type 2 examination.”
Verify on avalara.com“With role-based access and certifications, including SOC 2 and ISO 27001, Avalara is ready for the most demanding compliance environments.”
Verify on legal.avalara.com“Avalara, Inc. Services Data Processing Agreement ... EEA & United Kingdom Privacy Notice ... Subprocessors ... This Privacy Notice describes our privacy practices where we are acting as the controller of personal data.”
> Show 7 unconfirmed / not-held certifications
source: help.avalara.comAvalara's own Knowledge Center references an 'SSAE 18 SOC 1 Type 2 report' available on customer request (help.avalara.com FAQ 'How can I request a copy of Avalara's SSAE 18 SOC 1 Type 2 report'), but the full article body and report scope could not be retrieved to confirm current validity, so this is recorded as unconfirmed rather than held.
source: avalara.comNo public evidence on any avalara.com or newsroom.avalara.com page. Third-party aggregator sites (e.g. a finance-tools review blog) list these alongside SOC 1/2 and ISO 27001, but that claim could not be traced to a vendor-domain source and is not counted.
source: legal.avalara.comNo public evidence. A third-party security-scoring site (nudgesecurity.com) lists Avalara as 'HIPAA Compliant, PCI Compliant, FedRamp Compliant, CSA Star Level 1 Compliant' but this is not a vendor-domain source, is not corroborated anywhere on avalara.com, legal.avalara.com, or newsroom.avalara.com, and looks like an automated badge inference rather than a verified claim. Avalara is a tax-compliance platform, not a healthcare data processor, so HIPAA is likely out of scope.
source: legal.avalara.comWe use third-party payment provider CyberSource and Fiserv, to process payments made to us... We do not retain any personally identifiable financial information, such as payment card number, you provide these third-party payment providers in connection with payments.
source: legal.avalara.comNo public evidence on any avalara.com page or in Avalara newsroom releases. Only a third-party (non-vendor) site makes this claim, unverified.
source: legal.avalara.comNo public evidence on any avalara.com page. Only an unverified third-party claim exists.
source: avalara.comNo public evidence of ISO 42001 or an equivalent AI-governance certification despite Avalara's heavy marketing push around agentic AI (ALFA, Avi).
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Multiple regional privacy notices found (US, EEA/UK, Australia, India, Brazil), indicating global data handling with region-specific entities (Avalara, Inc. and Avalara Europe Ltd. each have their own DPA). No single consolidated data-residency statement found on a vendor page.
No vendor-domain page found that states whether customer transaction/tax data is used to train Avalara's AI models (ALFA foundry, Avi agents) or how to opt out. Avalara's Services Data Processing Agreement states Avalara processes Customer Data only per customer instructions and 'shall not process Customer Data for any other purpose,' which would argue against training on customer data, but no explicit AI-training statement or opt-out mechanism was located. This is a gap Avalara should be asked to clarify directly given its new agentic AI push.
// Security controls
Access control
Role-based access controls and audit trails referenced on the AI-compliance product page.
avalara.comUptime / availability
'99.99% uptime with multicloud, active-active redundancy' claimed on the homepage; no independent status-page evidence reviewed.
avalara.comPayment data handling
Avalara does not retain payment card data itself; card payments are processed by third parties CyberSource and Fiserv.
legal.avalara.comTLS / API certificates
Developer documentation references TLS/SSL certificates used for the AvaTax REST API in both sandbox and production environments.
developer.avalara.com// Products & data scope
data: Transaction-level tax data, product/SKU data, exemption info
Named directly in the 2023 SOC 2 Type 2 scope.
data: Filed return data, business tax IDs, jurisdiction data
Named directly in the 2023 SOC 2 Type 2 scope.
data: Customer exemption certificates, buyer identity data
Named directly in the 2023 SOC 2 Type 2 scope.
data: Transaction and compliance data from connected business systems, aggregated across 60,000+ regulatory sources
Newest product line (launched 2025); no dedicated SOC 2/ISO scope statement found for this line specifically, only a general company-level 'SOC 2 and ISO 27001' claim on its own marketing page.
data: Invoice-level transaction data for regulatory submission
Third-party research indicates a related Avalara-owned entity (formerly Impendulo, now part of Avalara Europe) held an ISO 27001 certificate for this scope, but the source page redirected to a generic blog and could not be independently confirmed on avalara.com; not counted as held for the parent Avalara brand.
// What to watch
- SOC 2 Type 2 proof is scoped to five named products (AvaTax, Managed Returns, Returns for Accountants, Managed Returns for Accountants, ECM) as of January 2023 -- not a blanket company-wide certification, and no more recent renewal announcement was found.
- ISO 27001 claim only appears as unscoped marketing copy on the ai-compliance.html product page ('certifications, including SOC 2 and ISO 27001'), with no cert number, issuing body, scope, or date found on any vendor page -- weaker evidence than the SOC 2 press release. Recommend independent verification (e.g. requesting the certificate) before treating this as fully confirmed.
- Third-party security-scoring sites (not vendor-owned) claim Avalara also holds HIPAA, PCI DSS, FedRAMP, and CSA STAR certifications; none of these could be corroborated on any avalara.com, legal.avalara.com, or newsroom.avalara.com page. Treating these as an over-claim risk and grading them held=false pending vendor confirmation.
- No public statement found on whether customer/transaction data is used to train Avalara's AI agents (Avi, ALFA) or how to opt out -- notable gap given the company's heavy 2025-2026 push into agentic AI.
- A separate ISO 27001 certificate reportedly held by 'Impendulo by Avalara' (an acquired French e-invoicing subsidiary) surfaced in search results but the source URL redirected away from the original content and scope could not be confirmed; excluded from the parent-brand cert list to avoid conflating a subsidiary's product-specific certification with company-wide coverage.
// At a glance
Pricing model
Quote-based / tiered by transaction volume and modules (not publicly listed pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Avalara, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
legal.avalara.com