// Trust & Security Report
Bloomberg L.P.
Bloomberg Terminal is an integrated financial data, analytics, trading, and communications platform. Sub-products include Bloomberg Terminal AI (ASKB, a conversational AI interface in beta) and Bloomberg Vault (compliance and surveillance with AI-powered query expansion).
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on professional.bloomberg.com“Bloomberg's operational resilience page states it provides 'third-party assessments – such as system and organization controls (SOC3 and SOC2) reports – in accordance with globally accepted standards and trust services criteria.' Note: the vendor page confirms SOC 2 reports but does not explicitly state the 'Type II' designation.”
Verify on professional.bloomberg.com“Bloomberg provides third-party assessments – such as system and organization controls (SOC3 and SOC2) reports – in accordance with globally accepted standards and trust services criteria.”
Verify on bloomberg.com“Bloomberg complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, and has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles.”
Verify on professional.bloomberg.com“Bloomberg has been designated a 'critical third-party provider' (CTPP) of ICT services under the EU's Digital Operational Resilience Act, which involves enhanced security and operational risk management requirements.”
> Show 7 unconfirmed / not-held certifications
source: professional.bloomberg.comNo public evidence of ISO 27001 certification found on Bloomberg's own domain. Bloomberg's operational resilience page lists only SOC 2 and SOC 3 third-party assessments and does not mention ISO 27001. The ISO 27001 claim originates from a third-party aggregator (findings.co), not a Bloomberg-domain source, and is unverified.
source: bloomberg.comNo public evidence of HIPAA compliance found on Bloomberg Terminal or Bloomberg Professional Services documentation. HIPAA likely not applicable as Bloomberg Terminal is designed for financial markets, not healthcare.
source: professional.bloomberg.comNo evidence of PCI DSS certification for Bloomberg Terminal found in vendor documentation. PCI DSS not mentioned in operational resilience or compliance pages.
source: bloomberg.comNo public evidence of ISO 27017 certification found for Bloomberg Terminal in vendor documentation.
source: bloomberg.comNo public evidence of ISO 27018 certification found for Bloomberg Terminal in vendor documentation.
source: bloomberg.comNo public evidence of ISO 27701 certification found for Bloomberg Terminal in vendor documentation.
source: fedramp.govNo evidence of FedRAMP certification found. Bloomberg Terminal is not listed in the FedRAMP Marketplace for U.S. government cloud services.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Multiple dedicated data centers located in the northeastern U.S. Bloomberg Vault offers 'configurable storage locations' for compliance with regional data-handling requirements, suggesting flexibility for enterprise clients. No specific data residency guarantee for Bloomberg Terminal published.
Bloomberg does NOT explicitly state whether customer data from Bloomberg Terminal is used to train AI models. The company emphasizes 'Responsible AI principles' and states that ASKB (their conversational AI) 'grounds every response in high-quality, trusted data,' but the source of this training data is not publicly disclosed. Bloomberg employs thousands of analysts and data scientists to manually label training data, suggesting synthetic or Bloomberg-provided datasets may be used alongside public sources. No public opt-out mechanism found for customer data used in AI training.
// Security controls
Access Control
Role-based access control (RBAC), organization-level permissions management
professional.bloomberg.comBusiness Continuity
Disaster recovery service with temporary remote access to fixed-location subscriptions; multiple data centers with full fire-suppression and redundant power/telecom grids
professional.bloomberg.comThird-Party Assessment
Regular SOC 2 Type II and SOC 3 audits per globally accepted standards
professional.bloomberg.comData Governance
Bloomberg acts as both Data Controller (independent) and Data Processor (for specific products like Vault, Regulatory Reporting). SCCs (Standard Contractual Clauses) available for processor arrangements.
bloomberg.com// Products & data scope
data: Financial data, market data, news, research, analytics, communications metadata
Core product for institutional investors, traders, and financial professionals. Includes real-time market data, historical analytics, trading execution, and compliance tools. Does not inherit HIPAA or PCI DSS unless explicitly stated in procurement agreements.
data: Conversational queries and responses grounded in Bloomberg data
Beta feature. Agentic AI system built on commercial and open-weight LLMs. Claims to be 'grounded in high-quality, trusted data' and aligned with Bloomberg Responsible AI principles. Does not explicitly disclose whether customer queries or customer financial data are used for model training or improvement.
data: Communications data, trading data, compliance records. Uses AI for query expansion and content discovery.
Offers configurable storage locations for regional compliance. Data Processing Agreement available. Includes AI-powered features (LLM-based query expansion, misspelling interpretation, keyword surface discovery) but does not explicitly disclose customer data training implications.
// What to watch
- No dedicated trust center page found for Bloomberg Terminal; security certifications and compliance information dispersed across operational resilience documentation and notices pages.
- Bloomberg Terminal product page (professional.bloomberg.com) does not explicitly list security certifications or compliance standards; assumes inheritance from parent company Bloomberg L.P. infrastructure.
- AI Training Data Opacity: Bloomberg does not publicly disclose whether customer data (queries, financial data, communications) is used to train or improve Bloomberg Terminal AI features (ASKB). Company emphasizes 'Responsible AI' and 'trusted data sources' but does not clarify training data sources or offer explicit opt-outs.
- HIPAA Not Claimed: No evidence of HIPAA compliance for Bloomberg Terminal. This is likely intentional (Terminal targets financial markets, not healthcare) but should be flagged if vendor claims healthcare use.
- PCI DSS, ISO 27017/27018/27701, FedRAMP Not Claimed: No public evidence of these certifications. For enterprise deals involving payment processing or healthcare data, verification required.
- ISO 27001 Unverified: Bloomberg's own operational resilience page lists only SOC 2 and SOC 3 third-party assessments, not ISO 27001. An ISO 27001 claim appears on a third-party aggregator (findings.co) but is not confirmed on any Bloomberg-domain source; do not list ISO 27001 without direct vendor verification.
- DPA availability confirmed for Vault and Regulatory Reporting Services; confirmation needed for core Bloomberg Terminal product.
- Operational Resilience focus on DORA reflects EU regulatory posture; less emphasis on U.S. government (FedRAMP) or industry-specific (HIPAA, PCI DSS) frameworks.
- Identity Confidence: vendor confirmed as Bloomberg L.P. (established 1981, global financial data leader). No identity-conflation risk.
// At a glance
Pricing model
Subscription-based (Terminal, Terminal with AI, enterprise compliance bundles). Exact pricing not public; contact-to-quote model.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Bloomberg L.P.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
service.bloomberg.com