// Trust & Security Report

    Cision Group Ltd (trading as Brandwatch) logo

    Cision Group Ltd (trading as Brandwatch)

    Social media management, consumer intelligence, influencer marketing, search intelligence, and media intelligence platform. Key sub-products: Consumer Research, Social Media Management Suite (Publish, Listen, Engage, Measure, Benchmark, Advertise, Influence/Paladin), Vizia, Brandwatch Reviews, Iris AI (generative AI assistant).

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    All Brandwatch products are ISO 27001:2022 certified. For our customers, this means that the products you use are safely operating under the requirements of ISO 27001 and that all data is processed accordingly. We engage a third party to audit our adherence to these standards at least annually. Our current ISO 27001 certificate is available upon request.

    Verify on brandwatch.com
    GDPR Compliance Posture
    HELD

    Brandwatch is a member of the Data Privacy Framework and participates in the EU-U.S. Data Privacy Framework (adequacy decision adopted July 10, 2023). Standard Contractual Clauses (SCCs) are in place with customers and vendors. A Customer Data Processing Addendum (DPA) is available, and the Brandwatch Group has a data protection officer responsible for privacy and compliance.

    Verify on brandwatch.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public mention of SOC 2 on brandwatch.com. Not referenced in security programme, legal hub, or help center articles. No evidence found across vendor domain or independent searches.

    source: brandwatch.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance on brandwatch.com or in the security programme documentation. No evidence found via search.

    source: brandwatch.com
    PCI DSS
    NOT CONFIRMED

    Explicitly listed as 'No' on the UK Government G-Cloud Digital Marketplace listing for Brandwatch.

    source: applytosupply.digitalmarketplace.service.gov.uk
    CSA STAR
    NOT CONFIRMED

    Explicitly listed as 'No' on the UK Government G-Cloud Digital Marketplace listing for Brandwatch.

    source: applytosupply.digitalmarketplace.service.gov.uk
    Cyber Essentials / Cyber Essentials Plus
    NOT CONFIRMED

    Both Cyber Essentials and Cyber Essentials Plus explicitly listed as 'No' on the UK Government G-Cloud Digital Marketplace listing.

    source: applytosupply.digitalmarketplace.service.gov.uk
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP on brandwatch.com or in any security documentation reviewed. No evidence found.

    source: brandwatch.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No mention of ISO 42001 on brandwatch.com. Not referenced in security programme, privacy documentation, or AI feature pages.

    source: brandwatch.com
    ISO 27701 (Privacy Information Management)
    NOT CONFIRMED

    No mention of ISO 27701 on brandwatch.com. Not referenced in any security or privacy documentation reviewed.

    source: brandwatch.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Mixed: Consumer Research raw data ingested and stored in AWS US (North Virginia). Consumer Research frontend in GCP Belgium. Customer metadata/analysis results in UK colocation (Hayes, Virtus DC). Social Media Management on AWS/GCP EU (Germany/Netherlands), except Listening product which is US/UK. Users cannot control data storage location. Uploading personal data to Brandwatch results in US transfer.

    Privacy policy explicitly states: 'We do not use any Personal Data that we have collected to train either our own AI models or any 3rd party AI models.' OpenAI and Google Gemini are listed as AI sub-processors for inference features (Iris AI). Brandwatch states these third parties 'will not use customer data for their own purposes and will only store it for 30 days for support/security purposes.' An opt-out setting disables all AI features in Social Media Management.

    // Security controls

    Encryption in transit

    HTTPS enforced for all products; TLS 1.2 and 1.3 supported, TLS 1.2 default.

    brandwatch.com

    Encryption at rest

    Customer uploaded data: SSE-S3 (Amazon S3-Managed Keys). Physical backup tapes: AES-256. Falcon platform and Paladin (Influence): encrypted at rest. Employee devices: full disk encryption (BitLocker/FileVault 2/LUKS).

    brandwatch.com

    MFA

    Required for all Brandwatch employee accounts. SSO (SAML 2.0, Google Auth) offered to enterprise customers; 2FA available for Social Media Management end users.

    brandwatch.com

    Penetration testing

    Monthly vulnerability testing; annual third-party manual and automated penetration and web application testing. Results available on request under NDA.

    brandwatch.com

    Access control

    Principle of least privilege; role-based access; customer data access limited to staff with business need; quarterly access reviews; VPN + hardware MFA token required for infrastructure access.

    brandwatch.com

    Data breach notification

    Dedicated data breach notification section (Section 8) in security programme. Specific SLA not publicly stated in the evidence reviewed.

    brandwatch.com

    Incident response / BC-DR

    Formal incident response procedure for Consumer Research, Audiences, and Vizia. RPO: 24 hours max for BCR. RTO: less than one business day for most products. 24/7 on-call engineering rotation.

    brandwatch.com

    Sub-processors

    Key sub-processors include AWS, GCP, OpenAI (US), Google Gemini (US), Zendesk, Intercom, Linode, Aiven, Heroku. Full list with locations and email notification subscription available.

    brandwatch.com

    // Products & data scope

    Consumer Research (BCR)Consumer Intelligence / Social Listening

    data: Public social media and web content; customer-uploaded data. Raw data stored in AWS US.

    Flagship analytics and research product. Includes Vizia visualization. ISO 27001 covered.

    Social Media Management SuiteSocial Media Management

    data: Social accounts, content drafts, customer messages, team data. Hosted in AWS/GCP EU.

    Comprises Publish, Listen, Audience, Engage, Measure, Advertise, Benchmark sub-products. Includes SSO, 2FA, SAML, audit logs.

    Influence (formerly Paladin)Influencer Marketing

    data: Influencer profiles, campaign data, payment data. Hosted in Heroku and AWS US.

    US-hosted. Uses legacy manually configured servers; migrating to Infrastructure as Code.

    Iris AIAI Assistant

    data: Uses social data already within the platform. Calls OpenAI and Google Gemini APIs.

    Generative AI features for summarization, trend identification, search. No AI training on customer data. Opt-out available in Social Media Management settings.

    Search IntelligenceSearch and GenAI Monitoring

    data: Global search data; monitors GenAI-generated content.

    Newer product line for search data insights and AI-generated content monitoring.

    Brandwatch ReviewsReview Monitoring

    data: Public review platform data.

    Part of Consumer Intelligence group. ISO 27001 covered.

    // What to watch

    • SOC 2 Type 2 not publicly evidenced on brandwatch.com and not mentioned in any security documentation. Enterprise customers in regulated industries commonly require SOC 2 attestation. This is a notable gap for compliance-driven procurement.
    • OpenAI (US) and Google Gemini (US) listed as AI sub-processors. Customer data passes through US-based third-party AI providers for Iris AI features. Brandwatch states contractual protections prevent training use, but independent verification of those API terms is not possible from public documentation.
    • DPA is hosted at cision.com (parent company domain), not brandwatch.com. The DPA URL on brandwatch.com redirects to https://www.cision.com/legal/customerdpa/. Customers should confirm the contracting entity aligns with their vendor relationship (Brandwatch Ltd vs. Cision Group Ltd).
    • Consumer Research raw data ingested and stored in AWS US North Virginia. EU customers subject to transatlantic data transfer for core product data. SCCs and EU-US Data Privacy Framework participation are cited as safeguards, but no data residency option appears available.
    • HIPAA not addressed anywhere in public documentation. Brandwatch markets to pharma and healthcare verticals on its website, but no BAA offering or HIPAA controls are documented publicly. Healthcare-sector customers should request clarification.
    • No SOC 2, CSA STAR, FedRAMP, ISO 27701, or ISO 42001 certifications found. ISO 27001 is the only independently-audited security standard publicly confirmed.

    // At a glance

    Pricing model

    Enterprise SaaS; annual subscription. Pricing not publicly listed; quote-based. Multiple tiers (Essentials, Full Suite, Enterprise).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Cision Group Ltd (trading as Brandwatch)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    brandwatch.com

    > Browse all vendor trust reports