// Trust & Security Report
Bloomreach, Inc.
AI-powered commerce experience platform; sub-products include Loomi AI (intelligence layer), Email Marketing, Marketing Automation (13+ channels), Ecommerce Search, Conversational Agent, Marketing Agent, Loomi Connect (extensibility), and Enterprise CMS.
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on bloomreach.com“successful completion of its System and Organization Controls 2 Type II audit... Passing the audit means Bloomreach has met the rigorous standards set by the American Institute of Certified Public Accountants (AICPA), and confirms that customer data is being properly managed, controlled, and secured.”
Verify on bloomreach.com“successful completion of its renewal of its ISO Certifications, including the recently updated ISO 27001:2022, which ensure organizations meet international standards for products, services, and processes.”
Verify on trust.bloomreach.com“ISO 27017:2015 – Information Security Controls applicable to the use of cloud services. Listed under Security Compliance on Bloomreach Trust Portal.”
Verify on trust.bloomreach.com“ISO 27018_2025 listed under Security Compliance documentation on the Bloomreach Trust Portal. Prior news announcements reference ISO 27018:2015 Protection of PII in Public Clouds acting as a PII Processor.”
Verify on trust.bloomreach.com“ISO 9001_2015 listed under Security Compliance on Bloomreach Trust Portal. Confirmed via 2024 ISO recertification announcement covering Quality Management Systems.”
Verify on trust.bloomreach.com“ISO 22301_2019 listed under Security Compliance on Bloomreach Trust Portal. Confirmed as ISO 22301:2019 – Business Continuity Management Processes in 2024 ISO recertification announcement.”
Verify on bloomreach.com“Bloomreach Engagement was the first to be GDPR certified. Bloomreach maintains... GDPR compliance certification. DPA covers SCCs (Module Two/Three) and EU-US, UK Extension, and Swiss-US Data Privacy Framework certification.”
Verify on bloomreach.com“Certification to EU-U.S., UK Extension, and Swiss-US Data Privacy Framework... Standard Contractual Clauses (including as amended by the UK Data Transfer Addendum)”
> Show 5 unconfirmed / not-held certifications
source: bloomreach.comNo mention of HIPAA compliance or BAA availability found on any Bloomreach vendor-domain page, trust center, security page, or DPA documentation.
source: bloomreach.comNo mention of PCI DSS compliance found on any Bloomreach vendor-domain page, trust center, security page, or DPA documentation.
source: bloomreach.comNo mention of FedRAMP authorization found on any Bloomreach vendor-domain page.
source: trust.bloomreach.comNo mention of ISO 42001 or AI-specific governance certification found on any Bloomreach vendor-domain page or trust center.
source: trust.bloomreach.comNo mention of CSA STAR certification or registration found on any Bloomreach vendor-domain page.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU customers (Engagement/Clarity): Google Cloud EMEA Ltd, Ireland. US customers: Google LLC, Mountain View, CA. Discovery and Content products: based on relevant hosting provider and customer location.
Loomi Analytics documentation explicitly states: 'No project data (schema or data examples) is used for model training.' Loomi Analytics does not handle PII - it never accesses properties marked as PII in Data Manager. Prompts are discarded when a new conversation starts. However, Bloomreach lists Anthropic (Product development, Content), OpenAI (Content, Support), and Databricks (Product development) as active subprocessors as of April 2026 - meaning customer data may flow through these AI providers for product functionality during service delivery. The DPA restricts processing to Permitted Purposes only and prohibits processing for Bloomreach's own purposes.
// Security controls
Encryption in transit
TLS (Transport Layer Security) for all data in transit between facilities and clients.
bloomreach.comEncryption at rest
AES (Advanced Encryption Standard) via Google Cloud and Amazon Web Services infrastructure.
bloomreach.comPenetration testing
Annual third-party penetration testing per product pillar (Engagement, Content, Discovery). 2025 summaries published on trust portal.
trust.bloomreach.comVulnerability management
Dedicated program listed under Security Management on trust portal with endpoint security and monitoring.
trust.bloomreach.comSecurity awareness training
All new employees required to agree to NDA and complete Security Awareness training as part of onboarding.
trust.bloomreach.comData Protection Officer
Dedicated DPO oversees privacy compliance and governance; DPO contact available on bloomreach.com.
bloomreach.comSub-processor management
Customer sub-processor list maintained at bloomreach.com/en/legal/subprocessors; customers may object to new sub-processors within 10 days on data protection grounds.
bloomreach.com// Products & data scope
data: First-party customer data, product catalog, behavioral events, campaign performance. PII flagging supported; Loomi Analytics does not access PII fields.
Core AI layer powering all Bloomreach products. Includes real-time decisioning (5ms to 2s latency). Explicitly does not train on customer data per documentation.
data: Customer contact data, behavioral signals, campaign metrics.
AI-powered personalization; intent-driven email campaigns. EU data processed via Google Cloud Ireland.
data: Cross-channel customer data (email, SMS, web, mobile, ads). Handles contact PII.
13+ channel orchestration. Supports consent management and GDPR data subject rights workflows.
data: Product catalog, search query logs, behavioral data. No direct PII in search indexes.
Three-times Gartner Magic Quadrant Leader for Search and Product Discovery (2026). Self-learning search.
data: Session-level shopping data, product catalog. Minimal persistent PII.
End-to-end shopping companion. Uses Loomi AI with AI provider subprocessors (Anthropic, OpenAI).
data: Campaign performance data, customer segments, email templates.
Builds full lifecycle email campaigns from a single prompt. Uses LLM subprocessors for content generation.
data: Dependent on customer integrations; connects to 175+ tools.
Allows custom agents and workflows. Data scope varies by configured integration.
data: Content assets, web page data. Minimal customer PII.
Headless CMS; hosting location based on customer geography per subprocessors list.
// What to watch
- Trust center (trust.bloomreach.com) returned HTTP 403 during live fetch in this assessment session. Cert list was captured via the initial evidence scrape (Drata-powered portal listing ISO 27001:2022, ISO 27017, ISO 27018, ISO 9001, ISO 22301, SOC 2 Type II) and cross-confirmed against multiple bloomreach.com news announcements. Confidence in cert list remains high.
- Anthropic, OpenAI, and Databricks are listed as active subprocessors (last updated April 2026) for 'Product development, Content, Support'. Customer data may flow through these LLM providers during service execution. The DPA restricts this to Permitted Purposes; Loomi Analytics documentation explicitly states no customer data trains models. Nonetheless, procurement teams should review subprocessor list and request detailed data flow documentation.
- GDPR 'certification' claim: Bloomreach states it was 'the first to be GDPR certified' but no specific certification body, Article 42 approval reference, or certificate number is publicly documented. This likely refers to an internal compliance attestation or an early industry certification program rather than a formal EU supervisory authority-issued cert under GDPR Art. 42. Graded as compliance posture held=true; formal Art. 42 cert status unverified.
- DPA text references ISO 27001:2013 (older version) while 2024 public announcements confirm upgrade to ISO 27001:2022. Minor documentation lag in the DPA but not an over-claim. Recommend confirming latest DPA version reflects :2022.
- No HIPAA BAA or PCI DSS compliance documentation found. Organizations in US healthcare or payment card processing should not assume coverage and must verify directly with Bloomreach.
// At a glance
Pricing model
Enterprise SaaS subscription; custom pricing per product. Demo/sales-led. No public self-serve pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Bloomreach, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.bloomreach.com