// Trust & Security Report
StackBlitz, Inc.
Bolt (bolt.new) - AI full-stack web app builder. Built and operated by StackBlitz; legal/privacy entity is StackBlitz, Inc.
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.bolt.new“Listed under Certifications on the trust center: 'SOC 2 Type 1, GDPR, CCPA.' Supporting context: 'Our security program is built on industry-standard practices, including enterprise-grade encryption, continuous monitoring, and browser-level isolation to safeguard customer intellectual property.' Note: SOC 2 Type 1 is a point-in-time design attestation, weaker than a Type II operating-effectiveness report.”
Verify on trust.bolt.new“Listed under Certifications on the trust center: 'SOC 2 Type 1, GDPR, CCPA.' Vendor self-attests GDPR compliance; this is a regulatory/compliance framework, not a third-party audit certification.”
Verify on trust.bolt.new“Listed under Certifications on the trust center: 'SOC 2 Type 1, GDPR, CCPA.' Vendor self-attests CCPA compliance; this is a regulatory/compliance framework, not a third-party audit certification.”
> Show 3 unconfirmed / not-held certifications
source: trust.bolt.newFebruary 25, 2026: SOC 2 Type II report availability. SOC 2 Type II audit report will be available at the end of the 2nd quarter of 2026.
source: trust.bolt.newNot listed among certifications on the trust center; only SOC 2 Type 1, GDPR, and CCPA are shown.
source: trust.bolt.newNot listed on the trust center; bolt.new does not advertise HIPAA compliance or sign BAAs. Do not use for PHI without contractual confirmation.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States (data may be transferred to / processed / stored outside user's jurisdiction). Verbatim: 'Bolt is headquartered in the United States, and personal information may be transferred to, processed, and stored in countries outside of your jurisdiction, including the United States.'
Trains/improves models on customer AI inputs and outputs BY DEFAULT, but only on aggregated, anonymized, or de-identified data, with a plan-dependent opt-out. Verbatim: 'We may use AI Inputs and AI Outputs to operate, maintain, and improve the Services, including improving AI performance, reliability, and safety. Such use shall be on aggregated, anonymized, or de-identified data.' Opt-out: 'Depending on account type or plan, users may have the ability to limit or opt out of the use of AI Inputs and AI Outputs for model training or improvement.' Third-party LLM providers (Anthropic Claude and others) 'process AI Inputs solely to provide services to Bolt and are subject to contractual confidentiality and data protection obligations.'
// Security controls
Encryption at rest
Yes (control listed: 'Encryption-at-rest' under Data Security; 'enterprise-grade encryption' referenced)
trust.bolt.newEncryption in transit
Implied via 'enterprise-grade encryption' and HTTPS; not separately itemized on trust center
trust.bolt.newPenetration testing
unknown - not explicitly stated; a 'Vulnerability Management Policy' document is listed but no pen-test attestation is published
trust.bolt.newBug bounty / vulnerability disclosure
No public bug bounty platform (HackerOne/Bugcrowd) found for bolt.new. NOTE: Bugcrowd results for 'Bolt' belong to the unrelated ride-hailing company bolt.eu, not StackBlitz/bolt.new.
trust.bolt.newArchitecture / isolation
Client-side code execution; 'It executes code entirely client-side, ensuring a zero-trust environment that minimizes server-side attack surfaces' plus browser-level isolation
trust.bolt.newEndpoint security
Disk Encryption, MDM Solution, Endpoint Detection and Response (controls listed)
trust.bolt.newBC/DR
Business Continuity & Disaster Recovery program with RTO/RPO; Disaster Recovery Plan and Business Continuity Plan documents available on request
trust.bolt.newSubprocessors disclosed
Yes - cloud/data hosting, CDN, code repository, and two code-generation LLM service providers listed on trust center
trust.bolt.newPolicy documents (request access)
Information Security, Encryption, Data Protection, Vulnerability Management, Incident Response, Access Control, SDLC, Bolt AI Policy and others available on request
trust.bolt.new// Products & data scope
data: User prompts (AI Inputs) and generated code (AI Outputs) processed by StackBlitz and third-party LLM providers. May be used to improve models on anonymized/aggregated basis by default; opt-out may be limited on lower tiers.
Best for prototypes and non-sensitive projects. No HIPAA; treat as US-hosted, may-train-by-default.
data: Same data flow as Standard; access to Max (higher-intelligence) agent. Plan-dependent ability to limit/opt out of training.
Adds team collaboration; verify training opt-out status in account settings.
data: Marketed as the tier for organizations needing contractual data protection and compliance support; DPA available where applicable. Enterprise contracts can add data-use clauses and training opt-outs. Specific feature claims (SSO, audit logs) are typical of enterprise tiers but were not individually confirmed in the collected trust-center or marketing evidence; verify in contract.
Path for organizations needing contractual data protection and a DPA. Confirm SSO/audit-log availability with sales.
data: Hosts deployed apps including their databases, user management and auth. Data processed within customer-built apps is governed by customer agreements/DPA, not StackBlitz's own privacy policy.
Production data in deployed apps falls under a separate DPA scope.
// What to watch
- Trains/improves AI models on customer inputs and outputs BY DEFAULT (anonymized/aggregated), with opt-out only 'depending on account type or plan' - material for sensitive code/IP.
- Name collision: multiple unrelated 'Bolt'-named companies pollute search results and must NOT be credited to bolt.new/StackBlitz - e.g. the Bugcrowd bug bounty and the ISO 27001/27701 certifications belong to ride-hailing 'Bolt' (bolt.eu), and a 'SOC 2 Type II Certified' result belongs to 'Bolt Insight' (market research). No public bug bounty and no ISO/SOC 2 Type II confirmed for bolt.new itself.
- SOC 2 is only Type 1 today; Type II not expected until end of Q2 2026 (effectively now-ish, but report not yet published as held).
- No ISO 27001 and not HIPAA-compliant - unsuitable for PHI/regulated data without contractual confirmation.
- Penetration testing not explicitly attested on the trust center.
- Privacy/legal entity is StackBlitz, Inc. (parent), policy hosted on stackblitz.com, not bolt.new domain.
// At a glance
Pricing model
Freemium with paid Pro/Teams subscriptions and an Enterprise tier; token/usage-based agent access (Standard vs Max models)
Self-hostable
Not stated
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on StackBlitz, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.bolt.new