// Trust & Security Report
Cision Group Ltd (trading as Brandwatch)
Social media management, consumer intelligence, influencer marketing, search intelligence, and media intelligence platform. Key sub-products: Consumer Research, Social Media Management Suite (Publish, Listen, Engage, Measure, Benchmark, Advertise, Influence/Paladin), Vizia, Brandwatch Reviews, Iris AI (generative AI assistant).
Certifications held
2
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on brandwatch.com“All Brandwatch products are ISO 27001:2022 certified. For our customers, this means that the products you use are safely operating under the requirements of ISO 27001 and that all data is processed accordingly. We engage a third party to audit our adherence to these standards at least annually. Our current ISO 27001 certificate is available upon request.”
Verify on brandwatch.com“Brandwatch is a member of the Data Privacy Framework and participates in the EU-U.S. Data Privacy Framework (adequacy decision adopted July 10, 2023). Standard Contractual Clauses (SCCs) are in place with customers and vendors. A Customer Data Processing Addendum (DPA) is available, and the Brandwatch Group has a data protection officer responsible for privacy and compliance.”
> Show 8 unconfirmed / not-held certifications
source: brandwatch.comNo public mention of SOC 2 on brandwatch.com. Not referenced in security programme, legal hub, or help center articles. No evidence found across vendor domain or independent searches.
source: brandwatch.comNo mention of HIPAA compliance on brandwatch.com or in the security programme documentation. No evidence found via search.
source: applytosupply.digitalmarketplace.service.gov.ukExplicitly listed as 'No' on the UK Government G-Cloud Digital Marketplace listing for Brandwatch.
source: applytosupply.digitalmarketplace.service.gov.ukExplicitly listed as 'No' on the UK Government G-Cloud Digital Marketplace listing for Brandwatch.
source: applytosupply.digitalmarketplace.service.gov.ukBoth Cyber Essentials and Cyber Essentials Plus explicitly listed as 'No' on the UK Government G-Cloud Digital Marketplace listing.
source: brandwatch.comNo mention of FedRAMP on brandwatch.com or in any security documentation reviewed. No evidence found.
source: brandwatch.comNo mention of ISO 42001 on brandwatch.com. Not referenced in security programme, privacy documentation, or AI feature pages.
source: brandwatch.comNo mention of ISO 27701 on brandwatch.com. Not referenced in any security or privacy documentation reviewed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Mixed: Consumer Research raw data ingested and stored in AWS US (North Virginia). Consumer Research frontend in GCP Belgium. Customer metadata/analysis results in UK colocation (Hayes, Virtus DC). Social Media Management on AWS/GCP EU (Germany/Netherlands), except Listening product which is US/UK. Users cannot control data storage location. Uploading personal data to Brandwatch results in US transfer.
Privacy policy explicitly states: 'We do not use any Personal Data that we have collected to train either our own AI models or any 3rd party AI models.' OpenAI and Google Gemini are listed as AI sub-processors for inference features (Iris AI). Brandwatch states these third parties 'will not use customer data for their own purposes and will only store it for 30 days for support/security purposes.' An opt-out setting disables all AI features in Social Media Management.
// Security controls
Encryption in transit
HTTPS enforced for all products; TLS 1.2 and 1.3 supported, TLS 1.2 default.
brandwatch.comEncryption at rest
Customer uploaded data: SSE-S3 (Amazon S3-Managed Keys). Physical backup tapes: AES-256. Falcon platform and Paladin (Influence): encrypted at rest. Employee devices: full disk encryption (BitLocker/FileVault 2/LUKS).
brandwatch.comMFA
Required for all Brandwatch employee accounts. SSO (SAML 2.0, Google Auth) offered to enterprise customers; 2FA available for Social Media Management end users.
brandwatch.comPenetration testing
Monthly vulnerability testing; annual third-party manual and automated penetration and web application testing. Results available on request under NDA.
brandwatch.comAccess control
Principle of least privilege; role-based access; customer data access limited to staff with business need; quarterly access reviews; VPN + hardware MFA token required for infrastructure access.
brandwatch.comData breach notification
Dedicated data breach notification section (Section 8) in security programme. Specific SLA not publicly stated in the evidence reviewed.
brandwatch.comIncident response / BC-DR
Formal incident response procedure for Consumer Research, Audiences, and Vizia. RPO: 24 hours max for BCR. RTO: less than one business day for most products. 24/7 on-call engineering rotation.
brandwatch.comSub-processors
Key sub-processors include AWS, GCP, OpenAI (US), Google Gemini (US), Zendesk, Intercom, Linode, Aiven, Heroku. Full list with locations and email notification subscription available.
brandwatch.com// Products & data scope
data: Public social media and web content; customer-uploaded data. Raw data stored in AWS US.
Flagship analytics and research product. Includes Vizia visualization. ISO 27001 covered.
data: Social accounts, content drafts, customer messages, team data. Hosted in AWS/GCP EU.
Comprises Publish, Listen, Audience, Engage, Measure, Advertise, Benchmark sub-products. Includes SSO, 2FA, SAML, audit logs.
data: Influencer profiles, campaign data, payment data. Hosted in Heroku and AWS US.
US-hosted. Uses legacy manually configured servers; migrating to Infrastructure as Code.
data: Uses social data already within the platform. Calls OpenAI and Google Gemini APIs.
Generative AI features for summarization, trend identification, search. No AI training on customer data. Opt-out available in Social Media Management settings.
data: Global search data; monitors GenAI-generated content.
Newer product line for search data insights and AI-generated content monitoring.
data: Public review platform data.
Part of Consumer Intelligence group. ISO 27001 covered.
// What to watch
- SOC 2 Type 2 not publicly evidenced on brandwatch.com and not mentioned in any security documentation. Enterprise customers in regulated industries commonly require SOC 2 attestation. This is a notable gap for compliance-driven procurement.
- OpenAI (US) and Google Gemini (US) listed as AI sub-processors. Customer data passes through US-based third-party AI providers for Iris AI features. Brandwatch states contractual protections prevent training use, but independent verification of those API terms is not possible from public documentation.
- DPA is hosted at cision.com (parent company domain), not brandwatch.com. The DPA URL on brandwatch.com redirects to https://www.cision.com/legal/customerdpa/. Customers should confirm the contracting entity aligns with their vendor relationship (Brandwatch Ltd vs. Cision Group Ltd).
- Consumer Research raw data ingested and stored in AWS US North Virginia. EU customers subject to transatlantic data transfer for core product data. SCCs and EU-US Data Privacy Framework participation are cited as safeguards, but no data residency option appears available.
- HIPAA not addressed anywhere in public documentation. Brandwatch markets to pharma and healthcare verticals on its website, but no BAA offering or HIPAA controls are documented publicly. Healthcare-sector customers should request clarification.
- No SOC 2, CSA STAR, FedRAMP, ISO 27701, or ISO 42001 certifications found. ISO 27001 is the only independently-audited security standard publicly confirmed.
// At a glance
Pricing model
Enterprise SaaS; annual subscription. Pricing not publicly listed; quote-based. Multiple tiers (Essentials, Full Suite, Enterprise).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Cision Group Ltd (trading as Brandwatch)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
brandwatch.com