// Trust & Security Report
Meta Platforms, Inc.
Docusaurus is an open-source static site generator and documentation framework (MIT-licensed) maintained by Meta. It enables developers to build, version, and deploy documentation websites using Markdown/MDX, React components, and built-in features like i18n, search, and versioning. Not a SaaS platform—users self-host on their chosen infrastructure (GitHub Pages, Vercel, Netlify, etc.).
Certifications held
0
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 6 unconfirmed / not-held certifications
source: github.comNo public evidence of SOC 2 certification for Docusaurus itself. Note: Meta (parent company) holds SOC 2 Type II for certain SaaS products (Messenger Platform, Cloud API, Horizon Managed Services), but those certifications do NOT apply to the Docusaurus open-source framework, which is a build tool, not a data processor. Docusaurus users control their own hosting and security posture.
source: github.comNo public evidence of ISO 27001 certification for Docusaurus. Meta (parent company) holds ISO 27001 for Workplace and Meta Horizon managed services, but these are Meta's SaaS products. Docusaurus is a self-hosted open-source tool where users are responsible for their own information security management system on their hosting platform.
source: github.comNo public evidence. Docusaurus is not a healthcare data processor. It is a static site generator and documentation framework. Compliance responsibility rests with deploying users and their hosting infrastructure.
source: docusaurus.ioDocusaurus does not have a dedicated privacy policy or data processing agreement. It is a build tool, not a data processor. Users who deploy Docusaurus sites and add analytics are responsible for GDPR compliance with respect to their visitors.
source: github.comNo public evidence. Docusaurus does not process payment information. It is a static site generator.
source: github.comNo public evidence. While Meta holds ISO 27018 (personal data protection in cloud) for Workplace, Docusaurus is an open-source build tool where users control data handling on their own infrastructure.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
N/A—Docusaurus is self-hosted. Data residency is determined by the deploying organization and their hosting provider (GitHub, Vercel, Netlify, etc.).
Docusaurus is not an AI model or training system. It is a build tool. No customer data is collected or used for training purposes. Responsibility for any analytics or data collection falls on deploying users and their chosen hosting provider.
// Security controls
Vulnerability Reporting
Managed through Meta's whitehat bug bounty program (https://www.facebook.com/whitehat). Reporters are instructed not to open public GitHub issues for security vulnerabilities. Meta's security team triages reports and determines bounty eligibility.
github.comOpen Source License
Code licensed under MIT; documentation under CC-BY-4.0. Both are permissive licenses that allow commercial and private use with minimal restrictions.
github.comSource Code Transparency
All source code publicly available on GitHub (facebook/docusaurus). 65.5k stars, active maintenance, 156+ releases. Community can audit code and report issues.
github.comBuild Security
Docusaurus generates static HTML. No server-side code execution. Static output can be served from any CDN or web host. Security posture depends on user's hosting and deployment practices.
docusaurus.ioDependency Management
Project actively maintains dependencies and addresses known CVEs in upstream packages. Regular releases push security updates to users.
github.com// Products & data scope
data: N/A—Does not handle user data. Users deploy generated static sites to their own infrastructure.
Open-source framework for building documentation websites. Supports MDX, React components, versioning, i18n, algolia search. Self-hosted only.
// What to watch
- CATEGORIZATION MISMATCH: Docusaurus is a static site generator / build tool, not an AI tool. It should not be listed in an 'AI tools directory' unless the directory is explicitly for dev tools / documentation frameworks used by AI teams.
- NOT A DATA PROCESSOR: Docusaurus does not collect, store, or process user data. It is self-hosted. Traditional compliance certs (SOC 2, ISO 27001, HIPAA, GDPR) are not applicable to a build tool. Compliance responsibility falls on deploying users and their hosting providers.
- NO TRUST CENTER: Docusaurus has no dedicated privacy policy, data processing agreement, or trust center page. This is normal for open-source tools and does not indicate a security deficiency.
- META SOC 2 / ISO CERTS DO NOT APPLY: While Meta (maintainer) holds SOC 2 Type II and ISO 27001 certifications, these apply to Meta's SaaS products (Messenger, Workplace, Cloud API, Horizon), NOT to the Docusaurus open-source framework. The parent company's certs should not be attributed to the open-source project.
- MATURE OPEN-SOURCE PROJECT: With 65.5k GitHub stars, active maintenance, and adoption by major projects (React, Redux, Supabase, Testing Library), Docusaurus is a stable, well-audited framework. Security is community-verified via public source code.
// At a glance
Pricing model
Free (open source, MIT licensed)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Meta Platforms, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
github.com