// Trust & Security Report

    StackBlitz, Inc. logo

    StackBlitz, Inc.

    Bolt (bolt.new) - AI full-stack web app builder. Built and operated by StackBlitz; legal/privacy entity is StackBlitz, Inc.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    Listed under Certifications on the trust center: 'SOC 2 Type 1, GDPR, CCPA.' Supporting context: 'Our security program is built on industry-standard practices, including enterprise-grade encryption, continuous monitoring, and browser-level isolation to safeguard customer intellectual property.' Note: SOC 2 Type 1 is a point-in-time design attestation, weaker than a Type II operating-effectiveness report.

    Verify on trust.bolt.new
    GDPR
    HELD

    Listed under Certifications on the trust center: 'SOC 2 Type 1, GDPR, CCPA.' Vendor self-attests GDPR compliance; this is a regulatory/compliance framework, not a third-party audit certification.

    Verify on trust.bolt.new
    CCPA
    HELD

    Listed under Certifications on the trust center: 'SOC 2 Type 1, GDPR, CCPA.' Vendor self-attests CCPA compliance; this is a regulatory/compliance framework, not a third-party audit certification.

    Verify on trust.bolt.new
    > Show 3 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    February 25, 2026: SOC 2 Type II report availability. SOC 2 Type II audit report will be available at the end of the 2nd quarter of 2026.

    source: trust.bolt.new
    ISO 27001
    NOT CONFIRMED

    Not listed among certifications on the trust center; only SOC 2 Type 1, GDPR, and CCPA are shown.

    source: trust.bolt.new
    HIPAA
    NOT CONFIRMED

    Not listed on the trust center; bolt.new does not advertise HIPAA compliance or sign BAAs. Do not use for PHI without contractual confirmation.

    source: trust.bolt.new

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (data may be transferred to / processed / stored outside user's jurisdiction). Verbatim: 'Bolt is headquartered in the United States, and personal information may be transferred to, processed, and stored in countries outside of your jurisdiction, including the United States.'

    Trains/improves models on customer AI inputs and outputs BY DEFAULT, but only on aggregated, anonymized, or de-identified data, with a plan-dependent opt-out. Verbatim: 'We may use AI Inputs and AI Outputs to operate, maintain, and improve the Services, including improving AI performance, reliability, and safety. Such use shall be on aggregated, anonymized, or de-identified data.' Opt-out: 'Depending on account type or plan, users may have the ability to limit or opt out of the use of AI Inputs and AI Outputs for model training or improvement.' Third-party LLM providers (Anthropic Claude and others) 'process AI Inputs solely to provide services to Bolt and are subject to contractual confidentiality and data protection obligations.'

    // Security controls

    Encryption at rest

    Yes (control listed: 'Encryption-at-rest' under Data Security; 'enterprise-grade encryption' referenced)

    trust.bolt.new

    Encryption in transit

    Implied via 'enterprise-grade encryption' and HTTPS; not separately itemized on trust center

    trust.bolt.new

    Penetration testing

    unknown - not explicitly stated; a 'Vulnerability Management Policy' document is listed but no pen-test attestation is published

    trust.bolt.new

    Bug bounty / vulnerability disclosure

    No public bug bounty platform (HackerOne/Bugcrowd) found for bolt.new. NOTE: Bugcrowd results for 'Bolt' belong to the unrelated ride-hailing company bolt.eu, not StackBlitz/bolt.new.

    trust.bolt.new

    Architecture / isolation

    Client-side code execution; 'It executes code entirely client-side, ensuring a zero-trust environment that minimizes server-side attack surfaces' plus browser-level isolation

    trust.bolt.new

    Endpoint security

    Disk Encryption, MDM Solution, Endpoint Detection and Response (controls listed)

    trust.bolt.new

    BC/DR

    Business Continuity & Disaster Recovery program with RTO/RPO; Disaster Recovery Plan and Business Continuity Plan documents available on request

    trust.bolt.new

    Subprocessors disclosed

    Yes - cloud/data hosting, CDN, code repository, and two code-generation LLM service providers listed on trust center

    trust.bolt.new

    Policy documents (request access)

    Information Security, Encryption, Data Protection, Vulnerability Management, Incident Response, Access Control, SDLC, Bolt AI Policy and others available on request

    trust.bolt.new

    // Products & data scope

    Bolt (bolt.new) - Standard / FreeAI app & website builder (vibe coding)

    data: User prompts (AI Inputs) and generated code (AI Outputs) processed by StackBlitz and third-party LLM providers. May be used to improve models on anonymized/aggregated basis by default; opt-out may be limited on lower tiers.

    Best for prototypes and non-sensitive projects. No HIPAA; treat as US-hosted, may-train-by-default.

    Bolt Pro / TeamsAI app builder - team plan

    data: Same data flow as Standard; access to Max (higher-intelligence) agent. Plan-dependent ability to limit/opt out of training.

    Adds team collaboration; verify training opt-out status in account settings.

    Bolt EnterpriseAI app builder - enterprise

    data: Marketed as the tier for organizations needing contractual data protection and compliance support; DPA available where applicable. Enterprise contracts can add data-use clauses and training opt-outs. Specific feature claims (SSO, audit logs) are typical of enterprise tiers but were not individually confirmed in the collected trust-center or marketing evidence; verify in contract.

    Path for organizations needing contractual data protection and a DPA. Confirm SSO/audit-log availability with sales.

    Bolt CloudBackend infrastructure (hosting, databases, auth)

    data: Hosts deployed apps including their databases, user management and auth. Data processed within customer-built apps is governed by customer agreements/DPA, not StackBlitz's own privacy policy.

    Production data in deployed apps falls under a separate DPA scope.

    // What to watch

    • Trains/improves AI models on customer inputs and outputs BY DEFAULT (anonymized/aggregated), with opt-out only 'depending on account type or plan' - material for sensitive code/IP.
    • Name collision: multiple unrelated 'Bolt'-named companies pollute search results and must NOT be credited to bolt.new/StackBlitz - e.g. the Bugcrowd bug bounty and the ISO 27001/27701 certifications belong to ride-hailing 'Bolt' (bolt.eu), and a 'SOC 2 Type II Certified' result belongs to 'Bolt Insight' (market research). No public bug bounty and no ISO/SOC 2 Type II confirmed for bolt.new itself.
    • SOC 2 is only Type 1 today; Type II not expected until end of Q2 2026 (effectively now-ish, but report not yet published as held).
    • No ISO 27001 and not HIPAA-compliant - unsuitable for PHI/regulated data without contractual confirmation.
    • Penetration testing not explicitly attested on the trust center.
    • Privacy/legal entity is StackBlitz, Inc. (parent), policy hosted on stackblitz.com, not bolt.new domain.

    // At a glance

    Pricing model

    Freemium with paid Pro/Teams subscriptions and an Enterprise tier; token/usage-based agent access (Standard vs Max models)

    Self-hostable

    Not stated

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on StackBlitz, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.bolt.new

    > Browse all vendor trust reports