// Trust & Security Report

    Bloomberg L.P. logo

    Bloomberg L.P.

    Bloomberg Terminal is an integrated financial data, analytics, trading, and communications platform. Sub-products include Bloomberg Terminal AI (ASKB, a conversational AI interface in beta) and Bloomberg Vault (compliance and surveillance with AI-powered query expansion).

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Bloomberg's operational resilience page states it provides 'third-party assessments – such as system and organization controls (SOC3 and SOC2) reports – in accordance with globally accepted standards and trust services criteria.' Note: the vendor page confirms SOC 2 reports but does not explicitly state the 'Type II' designation.

    Verify on professional.bloomberg.com
    SOC 3
    HELD

    Bloomberg provides third-party assessments – such as system and organization controls (SOC3 and SOC2) reports – in accordance with globally accepted standards and trust services criteria.

    Verify on professional.bloomberg.com
    GDPR Compliance
    HELD

    Bloomberg complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, and has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles.

    Verify on bloomberg.com
    EU DORA Compliance
    HELD

    Bloomberg has been designated a 'critical third-party provider' (CTPP) of ICT services under the EU's Digital Operational Resilience Act, which involves enhanced security and operational risk management requirements.

    Verify on professional.bloomberg.com
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on Bloomberg's own domain. Bloomberg's operational resilience page lists only SOC 2 and SOC 3 third-party assessments and does not mention ISO 27001. The ISO 27001 claim originates from a third-party aggregator (findings.co), not a Bloomberg-domain source, and is unverified.

    source: professional.bloomberg.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance found on Bloomberg Terminal or Bloomberg Professional Services documentation. HIPAA likely not applicable as Bloomberg Terminal is designed for financial markets, not healthcare.

    source: bloomberg.com
    PCI DSS
    NOT CONFIRMED

    No evidence of PCI DSS certification for Bloomberg Terminal found in vendor documentation. PCI DSS not mentioned in operational resilience or compliance pages.

    source: professional.bloomberg.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found for Bloomberg Terminal in vendor documentation.

    source: bloomberg.com
    ISO 27018 (PII Protection)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found for Bloomberg Terminal in vendor documentation.

    source: bloomberg.com
    ISO 27701 (Privacy Management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found for Bloomberg Terminal in vendor documentation.

    source: bloomberg.com
    FedRAMP
    NOT CONFIRMED

    No evidence of FedRAMP certification found. Bloomberg Terminal is not listed in the FedRAMP Marketplace for U.S. government cloud services.

    source: fedramp.gov

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multiple dedicated data centers located in the northeastern U.S. Bloomberg Vault offers 'configurable storage locations' for compliance with regional data-handling requirements, suggesting flexibility for enterprise clients. No specific data residency guarantee for Bloomberg Terminal published.

    Bloomberg does NOT explicitly state whether customer data from Bloomberg Terminal is used to train AI models. The company emphasizes 'Responsible AI principles' and states that ASKB (their conversational AI) 'grounds every response in high-quality, trusted data,' but the source of this training data is not publicly disclosed. Bloomberg employs thousands of analysts and data scientists to manually label training data, suggesting synthetic or Bloomberg-provided datasets may be used alongside public sources. No public opt-out mechanism found for customer data used in AI training.

    // Security controls

    Encryption in Transit

    HTTPS (TLS encryption)

    professional.bloomberg.com

    Encryption at Rest

    Data encrypted in database layer

    professional.bloomberg.com

    Access Control

    Role-based access control (RBAC), organization-level permissions management

    professional.bloomberg.com

    Business Continuity

    Disaster recovery service with temporary remote access to fixed-location subscriptions; multiple data centers with full fire-suppression and redundant power/telecom grids

    professional.bloomberg.com

    Third-Party Assessment

    Regular SOC 2 Type II and SOC 3 audits per globally accepted standards

    professional.bloomberg.com

    Data Governance

    Bloomberg acts as both Data Controller (independent) and Data Processor (for specific products like Vault, Regulatory Reporting). SCCs (Standard Contractual Clauses) available for processor arrangements.

    bloomberg.com

    // Products & data scope

    Bloomberg TerminalFinancial Data & Analytics Platform

    data: Financial data, market data, news, research, analytics, communications metadata

    Core product for institutional investors, traders, and financial professionals. Includes real-time market data, historical analytics, trading execution, and compliance tools. Does not inherit HIPAA or PCI DSS unless explicitly stated in procurement agreements.

    Bloomberg Terminal AI (ASKB)Generative AI / Conversational Interface

    data: Conversational queries and responses grounded in Bloomberg data

    Beta feature. Agentic AI system built on commercial and open-weight LLMs. Claims to be 'grounded in high-quality, trusted data' and aligned with Bloomberg Responsible AI principles. Does not explicitly disclose whether customer queries or customer financial data are used for model training or improvement.

    Bloomberg Vault (Compliance & Surveillance)Compliance & Surveillance

    data: Communications data, trading data, compliance records. Uses AI for query expansion and content discovery.

    Offers configurable storage locations for regional compliance. Data Processing Agreement available. Includes AI-powered features (LLM-based query expansion, misspelling interpretation, keyword surface discovery) but does not explicitly disclose customer data training implications.

    // What to watch

    • No dedicated trust center page found for Bloomberg Terminal; security certifications and compliance information dispersed across operational resilience documentation and notices pages.
    • Bloomberg Terminal product page (professional.bloomberg.com) does not explicitly list security certifications or compliance standards; assumes inheritance from parent company Bloomberg L.P. infrastructure.
    • AI Training Data Opacity: Bloomberg does not publicly disclose whether customer data (queries, financial data, communications) is used to train or improve Bloomberg Terminal AI features (ASKB). Company emphasizes 'Responsible AI' and 'trusted data sources' but does not clarify training data sources or offer explicit opt-outs.
    • HIPAA Not Claimed: No evidence of HIPAA compliance for Bloomberg Terminal. This is likely intentional (Terminal targets financial markets, not healthcare) but should be flagged if vendor claims healthcare use.
    • PCI DSS, ISO 27017/27018/27701, FedRAMP Not Claimed: No public evidence of these certifications. For enterprise deals involving payment processing or healthcare data, verification required.
    • ISO 27001 Unverified: Bloomberg's own operational resilience page lists only SOC 2 and SOC 3 third-party assessments, not ISO 27001. An ISO 27001 claim appears on a third-party aggregator (findings.co) but is not confirmed on any Bloomberg-domain source; do not list ISO 27001 without direct vendor verification.
    • DPA availability confirmed for Vault and Regulatory Reporting Services; confirmation needed for core Bloomberg Terminal product.
    • Operational Resilience focus on DORA reflects EU regulatory posture; less emphasis on U.S. government (FedRAMP) or industry-specific (HIPAA, PCI DSS) frameworks.
    • Identity Confidence: vendor confirmed as Bloomberg L.P. (established 1981, global financial data leader). No identity-conflation risk.

    // At a glance

    Pricing model

    Subscription-based (Terminal, Terminal with AI, enterprise compliance bundles). Exact pricing not public; contact-to-quote model.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Bloomberg L.P.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    service.bloomberg.com

    > Browse all vendor trust reports