// Trust & Security Report

    Darktrace Holdings Limited logo

    Darktrace Holdings Limited

    AI-native cybersecurity platform covering network, email, cloud, OT, identity, and endpoint detection and response

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Certified to globally recognised standards for managing and protecting information across our organization — ISO 27001:2022 Certificate of Registration

    Verify on darktrace.com
    ISO 27018:2019
    HELD

    Certified to uphold the highest standards for cloud-based personal data protection. — ISO 27018:2019 Certificate of Registration

    Verify on darktrace.com
    ISO 42001:2023 (AI Management System)
    HELD

    Darktrace, a global leader in AI for cybersecurity, today announced it has achieved ISO/IEC 42001 certification ... the certification encompasses production and provision of AI systems based on anomaly detection, clustering, classifiers, regressors, neural networks, proprietary and third-party large language models

    Verify on darktrace.com
    Cyber Essentials
    HELD

    Cyber Essentials Certificate (downloadable certificate listed under Explore key documentation on the Darktrace Trust Centre, alongside the ISO 27001, ISO 42001:2023 and ISO 27018:2019 certificates)

    Verify on darktrace.com
    FedRAMP High ATO
    HELD

    Darktrace Federal has achieved its Federal Risk and Authorization Management Program (FedRAMP) High Agency Authority to Operate (ATO). Darktrace Federal's Cyber AI Mission Defense and Cyber AI Email Protection environment have demonstrated compliance with the FedRAMP High security requirements.

    Verify on prnewswire.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No public evidence of SOC 2 Type I or Type II on darktrace.com Trust Centre, legal pages, or news announcements. Not listed among certifications on https://www.darktrace.com/trust.

    source: darktrace.com
    HIPAA (attestation / audit)
    NOT CONFIRMED

    Darktrace offers a Business Associate Agreement (BAA) document for healthcare customers via its legal portal, but no HIPAA audit report or attestation is publicly evidenced. BAA availability is confirmed at https://www.darktrace.com/legal/data-processing-addendum.

    source: darktrace.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance or certification on any darktrace.com page.

    source: darktrace.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification on any darktrace.com page.

    source: darktrace.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification on any darktrace.com page.

    source: darktrace.com
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 certification on any darktrace.com page.

    source: darktrace.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Global by default ('When you give us personal data, that data may be used, processed or stored anywhere in the world, including countries outside the European Economic Area'). A U.S. Eyes Only Service Option is available for US government/federal customers. Darktrace Federal product is US-specific with FedRAMP High ATO.

    Darktrace's core AI product learns per-customer in isolation: 'Rather than teaching an AI system what an attack looks like, training it on large data lakes of thousands of organizations data, Darktrace AI learns from your unique business data.' Customer security data is not pooled across deployments for global model training. The privacy policy contains a separate reference to a third-party 'Paradox LLM' used internally by Darktrace for HR/candidate processing ('Some personal data processed through this platform is used to train, improve and refine Paradox LLM and AI models') — this pertains to Darktrace's own internal recruitment chatbot, not the core cybersecurity product. Darktrace also explicitly states: 'We do not sell any data captured as part of your use of Darktrace products or services.'

    // Security controls

    Encryption in transit

    Not publicly specified with exact standards on open pages; ISO 27001:2022 certification scope covers information security management including transmission controls

    darktrace.com

    Encryption at rest

    Not publicly specified with exact standards on open pages; covered under ISO 27001:2022 and ISO 27018:2019 certified controls

    darktrace.com

    Information Security Policy

    Publicly available as v5.4 via Darktrace legal portal

    darktrace.com

    Vulnerability Disclosure Policy

    Published at https://www.darktrace.com/legal/vulnerability-disclosure-policy

    darktrace.com

    Subprocessors

    Subprocessor list available as downloadable PDF via legal portal

    darktrace.com

    Standard Contractual Clauses

    EU Standard Contractual Clauses incorporated into the Data Processing Addendum for international data transfers

    darktrace.com

    Data Processing Addendum

    DPA v1.1.6 (2025-06-13) available from legal portal, with SCCs and BAA as separate attachments

    darktrace.com

    FedRAMP High Controls

    Over 400 security controls validated under FedRAMP High for Darktrace Federal products (Cyber AI Mission Defense and Cyber AI Email Protection)

    darktrace.com

    // Products & data scope

    Darktrace ActiveAI Security PlatformAI cybersecurity (network, email, cloud, OT, identity, endpoint)

    data: Network traffic metadata, email content, cloud logs, endpoint telemetry, identity events — all processed per-customer in an isolated model

    Deployed as on-premises appliance or cloud-native. AI learns each customer's unique environment in isolation; does not pool customer data for global model training. Commercial (non-federal) offering.

    Darktrace FederalAI cybersecurity for US federal government

    data: Cyber AI Mission Defense (network/IT/OT) and Cyber AI Email Protection for federal agencies; handles Controlled Unclassified Information (CUI)

    FedRAMP High ATO achieved March 2025. U.S. Eyes Only data residency option. Listed on FedRAMP Marketplace under product ID FR2402468053. Separate legal entity from commercial Darktrace.

    Proactive Exposure Management / Attack Surface ManagementProactive security / exposure management

    data: External attack surface data, vulnerability intelligence, asset discovery

    Part of the ActiveAI Security Platform suite. Separate product-specific terms apply.

    Forensic Acquisition and InvestigationDigital forensics / incident response

    data: Endpoint and network forensic artifacts collected during investigations

    Post-incident investigation service; data scope depends on engagement. Separate product terms.

    // What to watch

    • No SOC 2 (Type I or Type II) publicly evidenced on darktrace.com — notable gap for enterprise buyers who require a SOC 2 report for vendor risk management.
    • FedRAMP High ATO applies specifically to the Darktrace Federal entity and two named products (Cyber AI Mission Defense, Cyber AI Email Protection); the standard commercial platform does not carry FedRAMP.
    • Data residency is global by default for commercial customers ('anywhere in the world, including countries outside the EEA'); no contractual guarantee of EU-only or US-only data residency unless the U.S. Eyes Only option or specific DPA terms are negotiated.
    • Privacy policy contains a reference to a third-party 'Paradox LLM' training on personal data processed through Darktrace's own HR/recruitment platform — this is not the core cybersecurity product but should be disclosed to privacy-sensitive buyers.
    • No CSA STAR, ISO 27017, ISO 27701, or PCI DSS certifications evidenced publicly.
    • HIPAA compliance relies on a BAA document (available on request/download) rather than a formal HIPAA audit or attestation; healthcare buyers should evaluate adequacy.
    • Trust Centre URL (trust.darktrace.com) returns a 404; the actual Trust Centre lives at www.darktrace.com/trust — directory and crawler links may be stale.

    // At a glance

    Pricing model

    Enterprise subscription; contact-sales only; no self-serve pricing published

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Darktrace Holdings Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    darktrace.com

    > Browse all vendor trust reports