// Trust & Security Report
Braze, Inc.
Braze Customer Engagement Platform — a cloud-based SaaS platform with cross-channel messaging, AI-powered journey orchestration, and data unification. Includes BrazeAI (decisioning & agents), Braze Data Platform, and HIPAA-compliant offerings.
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on braze.com“Braze successfully completed its SOC 2 Type 2 audit for Security and Availability, audit period July 1, 2024 to June 30, 2025, performed by Schellman & Company, LLC”
Verify on braze.com“ISO 27001 certification as of December 18, 2018, renewed as of August 29, 2025. Expires December 15, 2027”
Verify on braze.com“Braze enters into EU Standard Contractual Clauses with customers, self-certifies to EU-US and Swiss-US Data Privacy Frameworks and UK Extension. Provides GDPR-compliant data handling and DPA”
Verify on braze.com“Braze operates a HIPAA-compliant cluster that meets Security and Privacy rules of HIPAA 1996. Separate databases, servers, firewall rules, and virtual networks isolate protected health information. Signs Business Associate Agreements”
Verify on braze.com“Braze supports CCPA compliance through tools enabling data access requests, erasure, and rectification”
Verify on braze.com“Successfully achieved TISAX Assessment Level 3 (AL3) with certifications across EU-GDPR data protection, high availability, and confidentiality standards”
> Show 5 unconfirmed / not-held certifications
source: braze.comNo evidence of PCI DSS certification; Braze mentions TLS 1.2+ compliance for REST APIs per PCI Council requirements but does not claim PCI DSS certification
source: braze.comNo public evidence of FedRAMP authorization on Braze's security qualifications or trust center pages
source: braze.comNo evidence of ISO 27017 (cloud security) certification on public Braze domain
source: braze.comNo evidence of ISO 27018 (cloud personal data protection) certification on public Braze domain
source: braze.comNo evidence of ISO 42001 (AI management systems) certification in 2025 ESG report or security qualifications pages
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region: US (Virginia + 7 additional instances), EU (Frankfurt + Ireland backup), Australia, Indonesia, Japan, South Korea. Customers can select US or EU hosting. Braze will not transfer personal data from the country where it is originally stored.
Braze does not use customer data to train public AI models. All AI processing happens in secure, first-party data environments where customer information remains protected. Data is not shared externally for training purposes.
// Security controls
Encryption in transit
TLS 1.2+ required; older TLS versions (1.0, 1.1) deprecated per PCI DSS Council requirements
braze.comEncryption at rest
Industry-standard encryption for data at rest. API keys and passwords additionally encrypted
braze.comPenetration testing
Regular third-party penetration testing and bug bounty program to identify vulnerabilities
braze.comHIPAA cluster isolation
Dedicated HIPAA-compliant cluster with separate databases, servers, firewall rules, and virtual networks. Two-factor authorization, IP whitelisting, password expiration policies
braze.comData Privacy Framework
EU-U.S. Data Privacy Framework, UK Extension to EU-U.S. DPF, Swiss-U.S. Data Privacy Framework for lawful international transfers
braze.comStandard Contractual Clauses
Offers EU Standard Contractual Clauses for international data transfers with customers requiring them
braze.comData Processing Addendum
Available in English and Japanese; covers processor responsibilities and data handling obligations
braze.comSubprocessor list
Maintains and publishes list of third-party data handlers for transparency
braze.com// Products & data scope
data: Cross-channel marketing data (customer profiles, engagement history, behavioral data from email, SMS, mobile, web channels)
Core product; all core certifications apply
data: Uses customer behavioral data for decisioning and predictive features; processing occurs in first-party secure environments without external training
Does not train on customer data for public models
data: Unifies customer data from multiple sources for activation in marketing campaigns
Supports first-party data activation; GDPR and CCPA compliant
data: Protected health information (PHI) in dedicated HIPAA cluster
Separate infrastructure; signs BAAs; ideal for healthcare, financial services, and regulated industries
data: Customer engagement data for AI-driven autonomous agent decision-making
Operates within first-party secure environments; no external data sharing
// What to watch
- ISO 27017 and ISO 27018 (cloud-specific standards) not held — vendor is enterprise cloud SaaS but these certifications are not common across the industry and not required for core compliance posture
- FedRAMP not held — relevant only for US federal government customers; not a gap for commercial customer base
- ISO 42001 (AI governance) not held — new standard (2024+) and not yet widespread; Braze does maintain governance controls but lacks formal AI certification
- No evidence of self-hosted or on-premise deployment options — cloud-only SaaS model; customers cannot self-host
// At a glance
Pricing model
SaaS subscription; usage-based pricing with multiple tiers (flexible pricing depending on customer scale)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Braze, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
braze.com