// Trust & Security Report

    Braze, Inc. logo

    Braze, Inc.

    Braze Customer Engagement Platform — a cloud-based SaaS platform with cross-channel messaging, AI-powered journey orchestration, and data unification. Includes BrazeAI (decisioning & agents), Braze Data Platform, and HIPAA-compliant offerings.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Braze successfully completed its SOC 2 Type 2 audit for Security and Availability, audit period July 1, 2024 to June 30, 2025, performed by Schellman & Company, LLC

    Verify on braze.com
    ISO 27001
    HELD

    ISO 27001 certification as of December 18, 2018, renewed as of August 29, 2025. Expires December 15, 2027

    Verify on braze.com
    GDPR
    HELD

    Braze enters into EU Standard Contractual Clauses with customers, self-certifies to EU-US and Swiss-US Data Privacy Frameworks and UK Extension. Provides GDPR-compliant data handling and DPA

    Verify on braze.com
    HIPAA
    HELD

    Braze operates a HIPAA-compliant cluster that meets Security and Privacy rules of HIPAA 1996. Separate databases, servers, firewall rules, and virtual networks isolate protected health information. Signs Business Associate Agreements

    Verify on braze.com
    CCPA
    HELD

    Braze supports CCPA compliance through tools enabling data access requests, erasure, and rectification

    Verify on braze.com
    TISAX Assessment Level 3 (AL3)
    HELD

    Successfully achieved TISAX Assessment Level 3 (AL3) with certifications across EU-GDPR data protection, high availability, and confidentiality standards

    Verify on braze.com
    > Show 5 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No evidence of PCI DSS certification; Braze mentions TLS 1.2+ compliance for REST APIs per PCI Council requirements but does not claim PCI DSS certification

    source: braze.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on Braze's security qualifications or trust center pages

    source: braze.com
    ISO 27017
    NOT CONFIRMED

    No evidence of ISO 27017 (cloud security) certification on public Braze domain

    source: braze.com
    ISO 27018
    NOT CONFIRMED

    No evidence of ISO 27018 (cloud personal data protection) certification on public Braze domain

    source: braze.com
    ISO/IEC 42001
    NOT CONFIRMED

    No evidence of ISO 42001 (AI management systems) certification in 2025 ESG report or security qualifications pages

    source: braze.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region: US (Virginia + 7 additional instances), EU (Frankfurt + Ireland backup), Australia, Indonesia, Japan, South Korea. Customers can select US or EU hosting. Braze will not transfer personal data from the country where it is originally stored.

    Braze does not use customer data to train public AI models. All AI processing happens in secure, first-party data environments where customer information remains protected. Data is not shared externally for training purposes.

    // Security controls

    Encryption in transit

    TLS 1.2+ required; older TLS versions (1.0, 1.1) deprecated per PCI DSS Council requirements

    braze.com

    Encryption at rest

    Industry-standard encryption for data at rest. API keys and passwords additionally encrypted

    braze.com

    Penetration testing

    Regular third-party penetration testing and bug bounty program to identify vulnerabilities

    braze.com

    HIPAA cluster isolation

    Dedicated HIPAA-compliant cluster with separate databases, servers, firewall rules, and virtual networks. Two-factor authorization, IP whitelisting, password expiration policies

    braze.com

    Data Privacy Framework

    EU-U.S. Data Privacy Framework, UK Extension to EU-U.S. DPF, Swiss-U.S. Data Privacy Framework for lawful international transfers

    braze.com

    Standard Contractual Clauses

    Offers EU Standard Contractual Clauses for international data transfers with customers requiring them

    braze.com

    Data Processing Addendum

    Available in English and Japanese; covers processor responsibilities and data handling obligations

    braze.com

    Subprocessor list

    Maintains and publishes list of third-party data handlers for transparency

    braze.com

    // Products & data scope

    Braze Customer Engagement PlatformCloud SaaS

    data: Cross-channel marketing data (customer profiles, engagement history, behavioral data from email, SMS, mobile, web channels)

    Core product; all core certifications apply

    BrazeAIAI/ML features

    data: Uses customer behavioral data for decisioning and predictive features; processing occurs in first-party secure environments without external training

    Does not train on customer data for public models

    Braze Data PlatformData unification / CDP

    data: Unifies customer data from multiple sources for activation in marketing campaigns

    Supports first-party data activation; GDPR and CCPA compliant

    HIPAA-compliant BrazeHealthcare variant

    data: Protected health information (PHI) in dedicated HIPAA cluster

    Separate infrastructure; signs BAAs; ideal for healthcare, financial services, and regulated industries

    BrazeAI AgentsAutonomous AI

    data: Customer engagement data for AI-driven autonomous agent decision-making

    Operates within first-party secure environments; no external data sharing

    // What to watch

    • ISO 27017 and ISO 27018 (cloud-specific standards) not held — vendor is enterprise cloud SaaS but these certifications are not common across the industry and not required for core compliance posture
    • FedRAMP not held — relevant only for US federal government customers; not a gap for commercial customer base
    • ISO 42001 (AI governance) not held — new standard (2024+) and not yet widespread; Braze does maintain governance controls but lacks formal AI certification
    • No evidence of self-hosted or on-premise deployment options — cloud-only SaaS model; customers cannot self-host

    // At a glance

    Pricing model

    SaaS subscription; usage-based pricing with multiple tiers (flexible pricing depending on customer scale)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Braze, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    braze.com

    > Browse all vendor trust reports