// Trust & Security Report
Convex, Inc.
Backend database platform with realtime updates, authentication, file storage, vector search, cron jobs, and AI code generation. Designed as a TypeScript-first alternative to Firebase/Supabase.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on convex.dev“Convex is SOC 2 Type II compliant, demonstrating our dedication to the highest security and privacy standards for your data's safe management”
Verify on convex.dev“HIPAA Compliant - Businesses subject to HIPAA can process PHI on the platform if they sign Convex's Business Associate Agreement”
Verify on convex.dev“GDPR Verified - Convex complies with the GDPR in the delivery of our service to customers and monitors our privacy program to ensure continuous compliance”
> Show 4 unconfirmed / not-held certifications
source: convex.devNo public evidence of ISO 27001 certification found on vendor domain
source: convex.devNo public evidence of these certifications found on vendor domain
source: convex.devNo public evidence of ISO 42001 certification found on vendor domain
source: convex.devNo public evidence of CSA STAR certification found on vendor domain
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US East (N. Virginia) and EU West (Ireland); enterprise customers can deploy privately to their own AWS accounts
AI code generation features use large public training set of TypeScript code. Convex supports Retrieval-Augmented Generation (RAG) for customers to use their own data with LLMs, but does not train on customer data. No public policy restricting training found, but inference-only model usage implies no ongoing training.
// Security controls
Data replication
Database state replicated across multiple physical availability zones for durability
docs.convex.devBackup durability
Regular periodic and incremental database backups with 99.999999999% (11 9's) durability
docs.convex.devAvailability SLA
99.99% availability target for Convex Cloud deployments (excludes maintenance downtime)
docs.convex.dev// Products & data scope
data: Fully managed cloud deployment in Convex-controlled AWS accounts (US East or EU West regions)
99.99% SLA, automatic scaling, realtime updates, vector search, file storage, cron jobs, ACID semantics, authentication with 80+ OAuth providers
data: Customer-controlled AWS account with customer-managed KMS, IAM, and networking
Enterprise feature; customers retain full control over encryption keys and infrastructure
data: TypeScript code generation for backend functions
AI generates Convex code using public TypeScript training set; does not train on customer code
// What to watch
- No ISO 27001 certification despite enterprise positioning; typical for growth-stage database vendors but notable gap vs. traditional enterprise competitors
- SOC 2 Type I mentioned on enterprise page but Type II is the primary/current certification per security page
- GDPR listed as 'verified' rather than explicitly certified; implies compliance review rather than third-party audit
- Hosting on AWS infrastructure; AWS carries FedRamp and other certs but these belong to AWS, not Convex
- No AI governance certifications (ISO 42001, CSA STAR AI) despite prominent AI coding features
// At a glance
Pricing model
Usage-based (storage, API calls) with free tier for development
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Convex, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
convex.dev