// Trust & Security Report
Brevo (formerly Sendinblue)
All-in-one marketing automation, CRM, and customer engagement platform with email, SMS, WhatsApp, push notifications, live chat, chatbot, and AI-powered agents (Aura). Includes Brevo Data Platform for customer data unification.
Certifications held
3
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on brevo.com“Brevo is ISO 27001:2022-certified. Data is protected by multi-factor authentication, IP address whitelisting, and more.”
Verify on brevo.com“Brevo is fully GDPR-compliant with a Data Processing Agreement (DPA) available. Brevo's DPO is responsible for continued GDPR compliance, and Brevo commits to breach notification within 72 hours.”
Verify on brevo.com“All data is stored on secure servers in Tier 3 and PCI DSS certified data centers. Brevo uses PCI DSS-compliant third-party payment providers (Adyen, PayPal, GoCardless, Stripe, Chargebee).”
> Show 4 unconfirmed / not-held certifications
source: brevo.comBrevo's Terms of Service state: 'Brevo does not hold any certification that is not expressly described on the Site.' SOC 2 is not listed on Brevo's official security or data protection pages.
source: brevo.comBrevo advises that users should NOT use the Services where communications would be subject to HIPAA. Brevo does not offer a BAA (Business Associate Agreement) and does not support HIPAA-regulated use cases.
No public evidence of ISO 27017 certification on Brevo's website or official documentation.
No public evidence of ISO 27018 certification on Brevo's website or official documentation.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
EU-based (France, Germany primary; Google Cloud Belgium for backup). Customers can opt for dedicated EU data hosting.
Brevo operates an AI Lab and offers Aura AI (AI-powered assistant for marketing, sales, and support). Aura can analyze customer data for trends and personalization. However, explicit policy on whether customer contact data is used to train underlying AI models is not publicly documented. Aura agents run on Brevo's EU-based infrastructure in compliance with GDPR.
// Security controls
Encryption in Transit
TLS protocol used for outgoing connections; SHA256 encryption on port 465 for SMTP; all connections encrypted as much as possible
brevo.comData Backup Strategy
Data backed up across three geographically distinct servers; replicated at least 3 times in at least 2 different geographic locations
brevo.comData Center Security
Tier 3 certified data centers; multi-layer firewall; anti-virus and intrusion detection solutions
brevo.comData Retention
Customer personal data is destroyed or anonymized within 100 days after agreement termination
help.brevo.com// Products & data scope
data: Customer contact lists, email content, engagement metrics
Core product with spam filtering, authentication (SPF, DKIM, DMARC), transactional email via SMTP relay
data: Phone numbers, message content, delivery logs
Real-time messaging triggered via API or automation
data: Contact records, deal pipelines, interaction history
Sales management with custom pipelines, chat, sales automation
data: Customer data unification, audience segmentation, behavioral data
Unifies and activates customer data across channels
data: Customer data, contacts, campaign data for AI analysis and optimization
AI-powered assistant for marketing, sales, support, and data analysis. Runs on EU infrastructure. Explicit training policy unclear.
data: Loyalty points, customer segments, reward redemptions
Fully integrated rewards program with mobile wallet
// What to watch
- No SOC 2 certification despite third-party claims. Brevo's Terms of Service explicitly state they only hold certifications 'expressly described on the Site,' and SOC 2 is not listed.
- HIPAA explicitly not supported. Brevo advises users NOT to use the platform for HIPAA-regulated communications. No BAA available.
- AI training posture unclear: Brevo's Aura AI can analyze and process customer contact data, but no public documentation explicitly states whether underlying AI models are trained on customer data or if opt-out is available. This should be clarified for regulated use cases.
- ISO 27017 and ISO 27018 not held. Only ISO 27001:2022 is certified for cloud/data protection.
// At a glance
Pricing model
Freemium to enterprise; pay-as-you-go for contacts and sends; tiered plans for features
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Brevo (formerly Sendinblue)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
brevo.com