// Trust & Security Report

    CoSchedule LLC logo

    CoSchedule LLC

    Marketing calendar and AI content platform (social scheduling, editorial calendar, AI writing assistant)

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 11 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No public evidence of SOC 2 certification found on any coschedule.com page. No trust center, dedicated security page, or compliance documentation references SOC 2.

    source: coschedule.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on any coschedule.com page.

    source: coschedule.com
    GDPR
    NOT CONFIRMED

    No public DPA, GDPR compliance statement, or EU data processing agreement found on coschedule.com. CoSchedule offers a 'GDPR Compliance Generator' as an AI writing tool for customers but makes no public GDPR compliance commitment of its own on any coschedule.com page reviewed.

    source: coschedule.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance or BAA availability found on coschedule.com. Third-party healthcare compliance analysis (paubox.com) confirmed: 'We found no information about CoSchedule's willingness to execute a BAA. Therefore, CoSchedule is not HIPAA compliant.' CoSchedule also offers a 'HIPAA Compliance Assessment' as an AI writing tool for customers - this is a content generation product, not a CoSchedule compliance certification.

    source: coschedule.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on any coschedule.com page. CoSchedule offers a 'PCI DSS Compliance Generator' as an AI writing tool for customers - this is a content generation product, not a CoSchedule compliance certification.

    source: coschedule.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on any coschedule.com page.

    source: coschedule.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on any coschedule.com page.

    source: coschedule.com
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on any coschedule.com page.

    source: coschedule.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 AI management certification found on any coschedule.com page.

    source: coschedule.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification or registration found on any coschedule.com page.

    source: coschedule.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on any coschedule.com page.

    source: coschedule.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    US only. CoSchedule LLC is headquartered at 318 E Broadway, Bismarck, ND 58501. Specific cloud infrastructure provider and region not publicly disclosed.

    Hire Mia marketing pages assert 'your proprietary data stays private and secure within your account' and 'The data you share in documents and chats doesn't train ChatGPT's LLM for other users.' This implies CoSchedule routes content through third-party LLMs (e.g., OpenAI) and claims data is not used to train those models. However, this is a marketing claim, not a legally binding privacy policy commitment. The public Terms of Service was last modified 8/11/2016, which predates CoSchedule's AI products entirely - meaning AI data handling has no verifiable legal grounding in the publicly accessible ToS. Whether CoSchedule itself ingests or trains internal models on customer content is not addressed on any public page.

    // Security controls

    Single Sign-On (SSO)

    SAML SSO available on Marketing Suite plan only ('Service Provider Initiated SAML (Security Assertion Markup Language)')

    coschedule.com

    Encryption in transit

    HTTPS enforced site-wide (observed in practice; not explicitly documented in vendor security pages)

    coschedule.com

    Encryption at rest

    Not publicly disclosed on any coschedule.com page

    coschedule.com

    Security and access logs

    Security and Access Logs available in Marketing Suite to track all changes inside CoSchedule

    coschedule.com

    Role-based access control

    Custom Permissions available on Content Calendar and Marketing Suite plans

    coschedule.com

    Penetration testing

    Not publicly disclosed

    coschedule.com

    Bug bounty / vulnerability disclosure

    Not publicly disclosed

    coschedule.com

    Two-factor authentication (2FA/MFA)

    Not publicly documented; SSO via SAML available on Marketing Suite only

    coschedule.com

    // Products & data scope

    Social CalendarSocial media scheduling

    data: Social media content, credentials for connected social accounts (Facebook, Instagram, X/Twitter, LinkedIn, Pinterest, TikTok, etc.)

    Free tier: 1 user, up to 15 scheduled messages. Paid from $19/user/month (annual). Up to 3 seats on paid plan.

    Agency CalendarMulti-client social and content scheduling

    data: Multi-client social content and campaign data

    $59/user/month (annual). Designed for agencies and freelancers managing multiple client accounts.

    Content CalendarEditorial and content planning

    data: Marketing projects, tasks, campaigns, and content assets

    Targets mid-sized marketing teams. Includes approval workflows, custom fields, and team dashboards. Pricing on request.

    Marketing SuiteEnterprise marketing orchestration

    data: Full marketing stack: projects, campaigns, digital assets, team workflows

    Enterprise tier. Includes SAML SSO, Security & Access Logs, custom permissions, intake request forms. Pricing on request.

    Hire MiaAI writing and content generation

    data: User-provided brand voice data, documents, and chat inputs; routed through third-party LLMs

    Free tier: 25 AI credits/month. Paid from $16/user/month (Creator) to $59/user/month (Business). Claims data isolation from LLM training but no legally binding privacy policy commitment found. Business plan adds dedicated account manager and advanced brand training modules.

    Headline StudioAI headline analysis and SEO scoring

    data: Headlines and content metadata submitted for analysis

    Available as standalone tool. AI-powered headline scoring with SEO feedback.

    Actionable Marketing InstituteOnline marketing education

    data: User enrollment and course progress data

    On-demand marketing course library. Separate from calendar and AI tools.

    // What to watch

    • No public security certifications found: SOC 2, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 42001, HIPAA, PCI DSS, CSA STAR, FedRAMP - none are evidenced on coschedule.com
    • Not HIPAA compliant: no BAA available per independent third-party healthcare compliance analysis (paubox.com); confirmed by absence of any BAA or HIPAA language on coschedule.com
    • CRITICAL CONFUSION RISK: CoSchedule sells AI generators for GDPR, HIPAA, SOC, PCI DSS, and FINRA compliance documents as content tools for customers. These are AI writing products, NOT CoSchedule's own compliance certifications. Directory listings must clearly distinguish these.
    • Terms of Service last modified 8/11/2016 - predates all CoSchedule AI products by approximately 7 years. AI data handling, GDPR, and modern privacy obligations have no legally verifiable footing in the public ToS.
    • No public Data Processing Agreement (DPA) available. EU and EEA customers cannot confirm a GDPR-compliant processor relationship without requesting documentation directly.
    • AI training posture for Hire Mia relies on marketing-page claims only ('your proprietary data stays private and secure within your account'). No binding legal commitment found in a current privacy policy.
    • No dedicated trust center or public security documentation portal
    • Privacy policy is embedded within the general terms page (coschedule.com/terms) without a standalone URL; full text content was not fully accessible during live verification
    • Company is approximately 49 employees and $10M ARR (2024 data) - SMB-scale vendor with no publicly evidenced enterprise compliance program
    • No information publicly available on penetration testing cadence, bug bounty program, or vulnerability disclosure policy
    • No mention of 2FA/MFA for standard accounts; SSO limited to enterprise Marketing Suite tier

    // At a glance

    Pricing model

    Freemium plus per-seat SaaS subscription. Free tier available for Social Calendar. Paid plans from $16/user/month (Hire Mia Creator) and $19/user/month (Social Calendar). Enterprise (Content Calendar, Marketing Suite) pricing on request.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on CoSchedule LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    coschedule.com

    > Browse all vendor trust reports