// Trust & Security Report
Blackbox AI
Multi-agent AI coding platform with IDE, CLI, API, and cloud execution. Supports Claude, Codex, Gemini, and proprietary Blackbox models with end-to-end encryption and zero data retention options.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on blackbox.ai“Privacy Policy commits to an EU data-transfer safeguard: 'such as using Model Contractual Clauses for the European Union.' Note: the policy does not use the literal term 'GDPR'; this Model Contractual Clauses commitment is the vendor's only stated EU data-protection mechanism, and no GDPR data-subject-rights language was verifiable on the page.”
> Show 7 unconfirmed / not-held certifications
source: nudgesecurity.comSOC 2 Type II audit status unclear - Nudge Security profile lists 'SOC 2 Compliant' but ToolChase May 2026 review states 'No SOC 2 certification is publicly listed'. Company indicates 'interim audit letters available under NDA' via enterprise@blackbox.ai, suggesting audit in progress or not yet publicly released.
source: nudgesecurity.comClaimed by Nudge Security profile as 'ISO 27001 Compliant' but no public verification, audit report, or dedicated documentation found on vendor domain. Status unclear - likely in progress or available under NDA only.
source: blackbox.aiNo verifiable public evidence of HIPAA compliance on the vendor domain. The originally cited enterprise docs page (docs.blackbox.ai/features/enterprise) and www.blackbox.ai/enterprise both return HTTP 404, and the privacy policy does not mention HIPAA. Third-party/search summaries indicate 'HIPAA BAAs available on request' via enterprise@blackbox.ai, but no vendor-domain proof quote could be confirmed verbatim.
source: blackbox.aiNo verifiable public evidence of CCPA compliance on the vendor domain. The original claim was sourced 'via search results', not a vendor-domain page; the cited docs.blackbox.ai/features/enterprise returns HTTP 404 and the privacy policy does not mention CCPA.
source: nudgesecurity.comNudge Security profile lists 'PCI Compliant' but no public documentation or proof found on vendor domain. No vendor-domain evidence.
source: nudgesecurity.comNudge Security profile lists 'FedRamp Compliant' but no public FedRamp.gov listing or vendor documentation found. Likely incorrect attribution or aspirational claim.
source: nudgesecurity.comNudge Security profile lists 'CSA Star Level 1 Compliant' but no CSA registry entry or vendor documentation found. Unverified claim.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Primary: United States. Privacy policy states 'Personal data processing occurs on our systems in the United States.' Enterprise options mentioned for EU data residency but not explicitly detailed.
PRO tier: Privacy policy explicitly states 'If you are on the PRO version: zero data retention will be enabled, and none of your code will ever be stored or trained on.' Standard/free tiers: Policy indicates data is retained for the duration of Service access and used 'to provide and improve the Service,' suggesting standard tiers may permit processing but zero-training is not guaranteed. Enterprise 'never used for model training' language appears only in third-party/search summaries; the cited enterprise docs page returns HTTP 404 and could not be verified. AI training posture is tier-dependent and inconsistently documented.
// Security controls
Encryption in Transit
TLS 1.3 with modern cipher suites and certificate pinning on mobile clients
blackbox.aiEncryption at Rest
AES-256 with keys managed in AWS KMS with automatic rotation. Enterprise tier supports customer-managed keys (BYOK/CMK).
blackbox.aiEnd-to-End Encryption
E2EE available for open-source models. Zero-knowledge architecture so 'even Blackbox infrastructure cannot read your content'. Premium and Enterprise tiers support E2E chat encryption.
blackbox.aiHardware Security
Confidential Computing via NVIDIA H100 Tensor Core GPUs with trusted execution environment (TEE). AES-256 encryption with keys generated and managed entirely within GPU chip.
Data Retention
Zero Data Retention (ZDR) mode: Prompts, code context, completions processed in memory and discarded after response. Nothing written to disk or retained by Blackbox. Default on PRO+ plans.
docs.blackbox.aiAccess Control
Role-based access control (RBAC). SSO via SAML 2.0 with Okta, Azure AD, Google Workspace, OneLogin. SCIM for automated user lifecycle.
blackbox.aiAudit & Logging
Tamper-evident audit logs streamed to customer SIEM. Audit logging for compliance and security monitoring included in Enterprise tier.
blackbox.aiDeployment Options
Dedicated VPC, on-premise deployment, fully air-gapped environments with no outbound internet. 99.9% uptime SLA for Enterprise.
blackbox.aiThreat Protection
PII protection layer that 'strips and substitutes sensitive enterprise data before any request leaves our perimeter' for closed-source models.
blackbox.ai// Products & data scope
data: Data used for service improvement. Data residency: US. Encryption in transit (TLS 1.3). No explicit zero data retention guarantee on free tier.
Freemium model. Claims 15+ million users. Features IDE plugin, VS Code extension, web interface.
data: PRO tier: 'Zero data retention' - no code stored or trained on. Privacy policy explicitly guarantees this tier has zero retention.
Mid-tier with ZDR enabled by default. End-to-end encryption available. Includes desktop agent with E2E encryption.
data: Zero Data Retention enforced end-to-end. Private enclave processing. Data never used for model training. Audit trail with HIPAA-compliant processing. HIPAA BAAs available. Optional EU data residency.
Full compliance suite. SAML SSO, SCIM, on-premise deployment, dedicated VPC, air-gapped options. Customer-managed encryption keys. 99.9% SLA, 24/7 support, named CSM. Confidential Computing via GPU attestation.
data: OpenAI-compatible endpoints. Multi-model support (Claude, Codex, Gemini, Grok, Blackbox). E2E encrypted by default. Zero data retention for Enterprise customers.
Claims 60% faster output throughput vs direct OpenAI. Automatic multi-provider failover. WebSocket streaming. Zero-knowledge proxy architecture.
data: Agent execution from terminal. Multi-agent orchestration. E2E encryption for Enterprise tier.
Dispatch competing agents in parallel. Automatic PR creation. CI/CD integration.
data: Always-on agent execution. E2E encryption available. ZDR on Enterprise plans.
Supports all major agents (Claude Code, Codex, Gemini, etc.). Chairman LLM evaluation for multi-agent workflows.
// What to watch
- OVER-CLAIM: Nudge Security profile lists SOC 2, ISO 27001, PCI, FedRamp, and CSA STAR as compliant, but only GDPR (via EU Model Contractual Clauses in the privacy policy) has verifiable vendor-domain evidence. HIPAA and CCPA were downgraded to held=false: their cited proof pages (docs.blackbox.ai/features/enterprise, www.blackbox.ai/enterprise, www.blackbox.ai/security) all return HTTP 404 and the privacy policy mentions neither. SOC 2 and ISO 27001 audit status is ambiguous - not publicly released per ToolChase (May 2026), but 'interim audit letters available under NDA' suggests in-progress or restricted access.
- MISSING TRUST CENTER: No dedicated trust center or compliance documentation page on vendor domain. Compliance details scattered across privacy policy, enterprise documentation, and blog posts. Requires direct contact with enterprise@blackbox.ai for audit reports, BAAs, DPAs, and detailed compliance status.
- MISSING TERMS OF SERVICE: https://www.blackbox.ai/terms returns 404, preventing verification of data processing terms, liability limitations, and compliance obligations.
- TIER-BASED TRAINING DIFFERENCES: Privacy policy and documentation indicate different data handling across free, PRO, and Enterprise tiers. Standard/free tier training policy is ambiguous ('to provide and improve the Service') vs PRO tier's explicit zero-retention guarantee. This creates potential confusion for customers about default data usage.
- CERTIFICATION DOCUMENTATION GAP: Interim audit letters 'available under NDA' means compliance certifications cannot be independently verified. For Enterprise customers, this requires signed agreements before certification evidence is shared.
- DPA UNCLEAR: Enterprise documentation mentions 'full list of subprocessors available under NDA' but does not publicly state whether a standard Data Processing Agreement or DPA template is available.
- HIPAA BAA CONDITIONAL: HIPAA compliance is contingent on Enterprise plan + BAA execution, not a platform-wide guarantee. Standard/PRO tiers do not mention HIPAA support.
// At a glance
Pricing model
Freemium (free tier) + PRO (monthly) + Enterprise (custom). API pricing: $0.45/M output tokens for encrypted E2E inference on Enterprise.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Blackbox AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
blackbox.ai