// Trust & Security Report

    Brevo (formerly Sendinblue) logo

    Brevo (formerly Sendinblue)

    All-in-one marketing automation, CRM, and customer engagement platform with email, SMS, WhatsApp, push notifications, live chat, chatbot, and AI-powered agents (Aura). Includes Brevo Data Platform for customer data unification.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Brevo is ISO 27001:2022-certified. Data is protected by multi-factor authentication, IP address whitelisting, and more.

    Verify on brevo.com
    GDPR
    HELD

    Brevo is fully GDPR-compliant with a Data Processing Agreement (DPA) available. Brevo's DPO is responsible for continued GDPR compliance, and Brevo commits to breach notification within 72 hours.

    Verify on brevo.com
    PCI DSS (Data Center Compliance)
    HELD

    All data is stored on secure servers in Tier 3 and PCI DSS certified data centers. Brevo uses PCI DSS-compliant third-party payment providers (Adyen, PayPal, GoCardless, Stripe, Chargebee).

    Verify on brevo.com
    > Show 4 unconfirmed / not-held certifications
    SOC 2 Type I/II
    NOT CONFIRMED

    Brevo's Terms of Service state: 'Brevo does not hold any certification that is not expressly described on the Site.' SOC 2 is not listed on Brevo's official security or data protection pages.

    source: brevo.com
    HIPAA
    NOT CONFIRMED

    Brevo advises that users should NOT use the Services where communications would be subject to HIPAA. Brevo does not offer a BAA (Business Associate Agreement) and does not support HIPAA-regulated use cases.

    source: brevo.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification on Brevo's website or official documentation.

    ISO 27018 (PII Protection in Cloud)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification on Brevo's website or official documentation.

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    EU-based (France, Germany primary; Google Cloud Belgium for backup). Customers can opt for dedicated EU data hosting.

    Brevo operates an AI Lab and offers Aura AI (AI-powered assistant for marketing, sales, and support). Aura can analyze customer data for trends and personalization. However, explicit policy on whether customer contact data is used to train underlying AI models is not publicly documented. Aura agents run on Brevo's EU-based infrastructure in compliance with GDPR.

    // Security controls

    Encryption in Transit

    TLS protocol used for outgoing connections; SHA256 encryption on port 465 for SMTP; all connections encrypted as much as possible

    brevo.com

    Multi-Factor Authentication

    MFA available for accounts; IP address whitelisting supported

    brevo.com

    Data Backup Strategy

    Data backed up across three geographically distinct servers; replicated at least 3 times in at least 2 different geographic locations

    brevo.com

    Data Center Security

    Tier 3 certified data centers; multi-layer firewall; anti-virus and intrusion detection solutions

    brevo.com

    Data Retention

    Customer personal data is destroyed or anonymized within 100 days after agreement termination

    help.brevo.com

    // Products & data scope

    Email MarketingEmail

    data: Customer contact lists, email content, engagement metrics

    Core product with spam filtering, authentication (SPF, DKIM, DMARC), transactional email via SMTP relay

    SMS & WhatsApp MarketingMessaging

    data: Phone numbers, message content, delivery logs

    Real-time messaging triggered via API or automation

    Brevo CRMCRM

    data: Contact records, deal pipelines, interaction history

    Sales management with custom pipelines, chat, sales automation

    Brevo Data Platform (CDP)Data Platform

    data: Customer data unification, audience segmentation, behavioral data

    Unifies and activates customer data across channels

    Aura AIAI Agents

    data: Customer data, contacts, campaign data for AI analysis and optimization

    AI-powered assistant for marketing, sales, support, and data analysis. Runs on EU infrastructure. Explicit training policy unclear.

    Customer Loyalty ProgramLoyalty

    data: Loyalty points, customer segments, reward redemptions

    Fully integrated rewards program with mobile wallet

    // What to watch

    • No SOC 2 certification despite third-party claims. Brevo's Terms of Service explicitly state they only hold certifications 'expressly described on the Site,' and SOC 2 is not listed.
    • HIPAA explicitly not supported. Brevo advises users NOT to use the platform for HIPAA-regulated communications. No BAA available.
    • AI training posture unclear: Brevo's Aura AI can analyze and process customer contact data, but no public documentation explicitly states whether underlying AI models are trained on customer data or if opt-out is available. This should be clarified for regulated use cases.
    • ISO 27017 and ISO 27018 not held. Only ISO 27001:2022 is certified for cloud/data protection.

    // At a glance

    Pricing model

    Freemium to enterprise; pay-as-you-go for contacts and sends; tiered plans for features

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Brevo (formerly Sendinblue)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    brevo.com

    > Browse all vendor trust reports