// Trust & Security Report

    Bloomreach, Inc. logo

    Bloomreach, Inc.

    AI-powered commerce experience platform; sub-products include Loomi AI (intelligence layer), Email Marketing, Marketing Automation (13+ channels), Ecommerce Search, Conversational Agent, Marketing Agent, Loomi Connect (extensibility), and Enterprise CMS.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    successful completion of its System and Organization Controls 2 Type II audit... Passing the audit means Bloomreach has met the rigorous standards set by the American Institute of Certified Public Accountants (AICPA), and confirms that customer data is being properly managed, controlled, and secured.

    Verify on bloomreach.com
    ISO 27001:2022
    HELD

    successful completion of its renewal of its ISO Certifications, including the recently updated ISO 27001:2022, which ensure organizations meet international standards for products, services, and processes.

    Verify on bloomreach.com
    ISO 27017:2015
    HELD

    ISO 27017:2015 – Information Security Controls applicable to the use of cloud services. Listed under Security Compliance on Bloomreach Trust Portal.

    Verify on trust.bloomreach.com
    ISO 27018
    HELD

    ISO 27018_2025 listed under Security Compliance documentation on the Bloomreach Trust Portal. Prior news announcements reference ISO 27018:2015 Protection of PII in Public Clouds acting as a PII Processor.

    Verify on trust.bloomreach.com
    ISO 9001:2015
    HELD

    ISO 9001_2015 listed under Security Compliance on Bloomreach Trust Portal. Confirmed via 2024 ISO recertification announcement covering Quality Management Systems.

    Verify on trust.bloomreach.com
    ISO 22301:2019
    HELD

    ISO 22301_2019 listed under Security Compliance on Bloomreach Trust Portal. Confirmed as ISO 22301:2019 – Business Continuity Management Processes in 2024 ISO recertification announcement.

    Verify on trust.bloomreach.com
    GDPR (regulatory compliance posture + claimed certification)
    HELD

    Bloomreach Engagement was the first to be GDPR certified. Bloomreach maintains... GDPR compliance certification. DPA covers SCCs (Module Two/Three) and EU-US, UK Extension, and Swiss-US Data Privacy Framework certification.

    Verify on bloomreach.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Certification to EU-U.S., UK Extension, and Swiss-US Data Privacy Framework... Standard Contractual Clauses (including as amended by the UK Data Transfer Addendum)

    Verify on bloomreach.com
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance or BAA availability found on any Bloomreach vendor-domain page, trust center, security page, or DPA documentation.

    source: bloomreach.com
    PCI DSS
    NOT CONFIRMED

    No mention of PCI DSS compliance found on any Bloomreach vendor-domain page, trust center, security page, or DPA documentation.

    source: bloomreach.com
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP authorization found on any Bloomreach vendor-domain page.

    source: bloomreach.com
    ISO/IEC 42001 (AI Management Systems)
    NOT CONFIRMED

    No mention of ISO 42001 or AI-specific governance certification found on any Bloomreach vendor-domain page or trust center.

    source: trust.bloomreach.com
    CSA STAR
    NOT CONFIRMED

    No mention of CSA STAR certification or registration found on any Bloomreach vendor-domain page.

    source: trust.bloomreach.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU customers (Engagement/Clarity): Google Cloud EMEA Ltd, Ireland. US customers: Google LLC, Mountain View, CA. Discovery and Content products: based on relevant hosting provider and customer location.

    Loomi Analytics documentation explicitly states: 'No project data (schema or data examples) is used for model training.' Loomi Analytics does not handle PII - it never accesses properties marked as PII in Data Manager. Prompts are discarded when a new conversation starts. However, Bloomreach lists Anthropic (Product development, Content), OpenAI (Content, Support), and Databricks (Product development) as active subprocessors as of April 2026 - meaning customer data may flow through these AI providers for product functionality during service delivery. The DPA restricts processing to Permitted Purposes only and prohibits processing for Bloomreach's own purposes.

    // Security controls

    Encryption in transit

    TLS (Transport Layer Security) for all data in transit between facilities and clients.

    bloomreach.com

    Encryption at rest

    AES (Advanced Encryption Standard) via Google Cloud and Amazon Web Services infrastructure.

    bloomreach.com

    Penetration testing

    Annual third-party penetration testing per product pillar (Engagement, Content, Discovery). 2025 summaries published on trust portal.

    trust.bloomreach.com

    Vulnerability management

    Dedicated program listed under Security Management on trust portal with endpoint security and monitoring.

    trust.bloomreach.com

    Security awareness training

    All new employees required to agree to NDA and complete Security Awareness training as part of onboarding.

    trust.bloomreach.com

    Data Protection Officer

    Dedicated DPO oversees privacy compliance and governance; DPO contact available on bloomreach.com.

    bloomreach.com

    Sub-processor management

    Customer sub-processor list maintained at bloomreach.com/en/legal/subprocessors; customers may object to new sub-processors within 10 days on data protection grounds.

    bloomreach.com

    // Products & data scope

    Loomi AIAI Intelligence Platform

    data: First-party customer data, product catalog, behavioral events, campaign performance. PII flagging supported; Loomi Analytics does not access PII fields.

    Core AI layer powering all Bloomreach products. Includes real-time decisioning (5ms to 2s latency). Explicitly does not train on customer data per documentation.

    Email Marketing (ESP)Email Service Provider

    data: Customer contact data, behavioral signals, campaign metrics.

    AI-powered personalization; intent-driven email campaigns. EU data processed via Google Cloud Ireland.

    Marketing AutomationMarketing Automation

    data: Cross-channel customer data (email, SMS, web, mobile, ads). Handles contact PII.

    13+ channel orchestration. Supports consent management and GDPR data subject rights workflows.

    Ecommerce SearchSearch and Product Discovery

    data: Product catalog, search query logs, behavioral data. No direct PII in search indexes.

    Three-times Gartner Magic Quadrant Leader for Search and Product Discovery (2026). Self-learning search.

    Conversational AgentAI Shopping Assistant

    data: Session-level shopping data, product catalog. Minimal persistent PII.

    End-to-end shopping companion. Uses Loomi AI with AI provider subprocessors (Anthropic, OpenAI).

    Marketing AgentAI Marketing Agent

    data: Campaign performance data, customer segments, email templates.

    Builds full lifecycle email campaigns from a single prompt. Uses LLM subprocessors for content generation.

    Loomi ConnectIntegration Platform / Extensibility

    data: Dependent on customer integrations; connects to 175+ tools.

    Allows custom agents and workflows. Data scope varies by configured integration.

    Enterprise CMSContent Management System

    data: Content assets, web page data. Minimal customer PII.

    Headless CMS; hosting location based on customer geography per subprocessors list.

    // What to watch

    • Trust center (trust.bloomreach.com) returned HTTP 403 during live fetch in this assessment session. Cert list was captured via the initial evidence scrape (Drata-powered portal listing ISO 27001:2022, ISO 27017, ISO 27018, ISO 9001, ISO 22301, SOC 2 Type II) and cross-confirmed against multiple bloomreach.com news announcements. Confidence in cert list remains high.
    • Anthropic, OpenAI, and Databricks are listed as active subprocessors (last updated April 2026) for 'Product development, Content, Support'. Customer data may flow through these LLM providers during service execution. The DPA restricts this to Permitted Purposes; Loomi Analytics documentation explicitly states no customer data trains models. Nonetheless, procurement teams should review subprocessor list and request detailed data flow documentation.
    • GDPR 'certification' claim: Bloomreach states it was 'the first to be GDPR certified' but no specific certification body, Article 42 approval reference, or certificate number is publicly documented. This likely refers to an internal compliance attestation or an early industry certification program rather than a formal EU supervisory authority-issued cert under GDPR Art. 42. Graded as compliance posture held=true; formal Art. 42 cert status unverified.
    • DPA text references ISO 27001:2013 (older version) while 2024 public announcements confirm upgrade to ISO 27001:2022. Minor documentation lag in the DPA but not an over-claim. Recommend confirming latest DPA version reflects :2022.
    • No HIPAA BAA or PCI DSS compliance documentation found. Organizations in US healthcare or payment card processing should not assume coverage and must verify directly with Bloomreach.

    // At a glance

    Pricing model

    Enterprise SaaS subscription; custom pricing per product. Demo/sales-led. No public self-serve pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Bloomreach, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.bloomreach.com

    > Browse all vendor trust reports