// Trust & Security Report
Darktrace Holdings Limited
AI-native cybersecurity platform covering network, email, cloud, OT, identity, and endpoint detection and response
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on darktrace.com“Certified to globally recognised standards for managing and protecting information across our organization — ISO 27001:2022 Certificate of Registration”
Verify on darktrace.com“Certified to uphold the highest standards for cloud-based personal data protection. — ISO 27018:2019 Certificate of Registration”
Verify on darktrace.com“Darktrace, a global leader in AI for cybersecurity, today announced it has achieved ISO/IEC 42001 certification ... the certification encompasses production and provision of AI systems based on anomaly detection, clustering, classifiers, regressors, neural networks, proprietary and third-party large language models”
Verify on darktrace.com“Cyber Essentials Certificate (downloadable certificate listed under Explore key documentation on the Darktrace Trust Centre, alongside the ISO 27001, ISO 42001:2023 and ISO 27018:2019 certificates)”
Verify on prnewswire.com“Darktrace Federal has achieved its Federal Risk and Authorization Management Program (FedRAMP) High Agency Authority to Operate (ATO). Darktrace Federal's Cyber AI Mission Defense and Cyber AI Email Protection environment have demonstrated compliance with the FedRAMP High security requirements.”
> Show 6 unconfirmed / not-held certifications
source: darktrace.comNo public evidence of SOC 2 Type I or Type II on darktrace.com Trust Centre, legal pages, or news announcements. Not listed among certifications on https://www.darktrace.com/trust.
source: darktrace.comDarktrace offers a Business Associate Agreement (BAA) document for healthcare customers via its legal portal, but no HIPAA audit report or attestation is publicly evidenced. BAA availability is confirmed at https://www.darktrace.com/legal/data-processing-addendum.
source: darktrace.comNo public evidence of PCI DSS compliance or certification on any darktrace.com page.
source: darktrace.comNo public evidence of CSA STAR registration or certification on any darktrace.com page.
source: darktrace.comNo public evidence of ISO 27017 certification on any darktrace.com page.
source: darktrace.comNo public evidence of ISO 27701 certification on any darktrace.com page.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Global by default ('When you give us personal data, that data may be used, processed or stored anywhere in the world, including countries outside the European Economic Area'). A U.S. Eyes Only Service Option is available for US government/federal customers. Darktrace Federal product is US-specific with FedRAMP High ATO.
Darktrace's core AI product learns per-customer in isolation: 'Rather than teaching an AI system what an attack looks like, training it on large data lakes of thousands of organizations data, Darktrace AI learns from your unique business data.' Customer security data is not pooled across deployments for global model training. The privacy policy contains a separate reference to a third-party 'Paradox LLM' used internally by Darktrace for HR/candidate processing ('Some personal data processed through this platform is used to train, improve and refine Paradox LLM and AI models') — this pertains to Darktrace's own internal recruitment chatbot, not the core cybersecurity product. Darktrace also explicitly states: 'We do not sell any data captured as part of your use of Darktrace products or services.'
// Security controls
Encryption in transit
Not publicly specified with exact standards on open pages; ISO 27001:2022 certification scope covers information security management including transmission controls
darktrace.comEncryption at rest
Not publicly specified with exact standards on open pages; covered under ISO 27001:2022 and ISO 27018:2019 certified controls
darktrace.comVulnerability Disclosure Policy
Published at https://www.darktrace.com/legal/vulnerability-disclosure-policy
darktrace.comStandard Contractual Clauses
EU Standard Contractual Clauses incorporated into the Data Processing Addendum for international data transfers
darktrace.comData Processing Addendum
DPA v1.1.6 (2025-06-13) available from legal portal, with SCCs and BAA as separate attachments
darktrace.comFedRAMP High Controls
Over 400 security controls validated under FedRAMP High for Darktrace Federal products (Cyber AI Mission Defense and Cyber AI Email Protection)
darktrace.com// Products & data scope
data: Network traffic metadata, email content, cloud logs, endpoint telemetry, identity events — all processed per-customer in an isolated model
Deployed as on-premises appliance or cloud-native. AI learns each customer's unique environment in isolation; does not pool customer data for global model training. Commercial (non-federal) offering.
data: Cyber AI Mission Defense (network/IT/OT) and Cyber AI Email Protection for federal agencies; handles Controlled Unclassified Information (CUI)
FedRAMP High ATO achieved March 2025. U.S. Eyes Only data residency option. Listed on FedRAMP Marketplace under product ID FR2402468053. Separate legal entity from commercial Darktrace.
data: External attack surface data, vulnerability intelligence, asset discovery
Part of the ActiveAI Security Platform suite. Separate product-specific terms apply.
data: Endpoint and network forensic artifacts collected during investigations
Post-incident investigation service; data scope depends on engagement. Separate product terms.
// What to watch
- No SOC 2 (Type I or Type II) publicly evidenced on darktrace.com — notable gap for enterprise buyers who require a SOC 2 report for vendor risk management.
- FedRAMP High ATO applies specifically to the Darktrace Federal entity and two named products (Cyber AI Mission Defense, Cyber AI Email Protection); the standard commercial platform does not carry FedRAMP.
- Data residency is global by default for commercial customers ('anywhere in the world, including countries outside the EEA'); no contractual guarantee of EU-only or US-only data residency unless the U.S. Eyes Only option or specific DPA terms are negotiated.
- Privacy policy contains a reference to a third-party 'Paradox LLM' training on personal data processed through Darktrace's own HR/recruitment platform — this is not the core cybersecurity product but should be disclosed to privacy-sensitive buyers.
- No CSA STAR, ISO 27017, ISO 27701, or PCI DSS certifications evidenced publicly.
- HIPAA compliance relies on a BAA document (available on request/download) rather than a formal HIPAA audit or attestation; healthcare buyers should evaluate adequacy.
- Trust Centre URL (trust.darktrace.com) returns a 404; the actual Trust Centre lives at www.darktrace.com/trust — directory and crawler links may be stale.
// At a glance
Pricing model
Enterprise subscription; contact-sales only; no self-serve pricing published
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Darktrace Holdings Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
darktrace.com