// Trust & Security Report

    Meta Platforms, Inc. logo

    Meta Platforms, Inc.

    Docusaurus is an open-source static site generator and documentation framework (MIT-licensed) maintained by Meta. It enables developers to build, version, and deploy documentation websites using Markdown/MDX, React components, and built-in features like i18n, search, and versioning. Not a SaaS platform—users self-host on their chosen infrastructure (GitHub Pages, Vercel, Netlify, etc.).

    Certifications held

    0

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence of SOC 2 certification for Docusaurus itself. Note: Meta (parent company) holds SOC 2 Type II for certain SaaS products (Messenger Platform, Cloud API, Horizon Managed Services), but those certifications do NOT apply to the Docusaurus open-source framework, which is a build tool, not a data processor. Docusaurus users control their own hosting and security posture.

    source: github.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification for Docusaurus. Meta (parent company) holds ISO 27001 for Workplace and Meta Horizon managed services, but these are Meta's SaaS products. Docusaurus is a self-hosted open-source tool where users are responsible for their own information security management system on their hosting platform.

    source: github.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Docusaurus is not a healthcare data processor. It is a static site generator and documentation framework. Compliance responsibility rests with deploying users and their hosting infrastructure.

    source: github.com
    GDPR
    NOT CONFIRMED

    Docusaurus does not have a dedicated privacy policy or data processing agreement. It is a build tool, not a data processor. Users who deploy Docusaurus sites and add analytics are responsible for GDPR compliance with respect to their visitors.

    source: docusaurus.io
    PCI DSS
    NOT CONFIRMED

    No public evidence. Docusaurus does not process payment information. It is a static site generator.

    source: github.com
    ISO 27018
    NOT CONFIRMED

    No public evidence. While Meta holds ISO 27018 (personal data protection in cloud) for Workplace, Docusaurus is an open-source build tool where users control data handling on their own infrastructure.

    source: github.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    N/A—Docusaurus is self-hosted. Data residency is determined by the deploying organization and their hosting provider (GitHub, Vercel, Netlify, etc.).

    Docusaurus is not an AI model or training system. It is a build tool. No customer data is collected or used for training purposes. Responsibility for any analytics or data collection falls on deploying users and their chosen hosting provider.

    // Security controls

    Vulnerability Reporting

    Managed through Meta's whitehat bug bounty program (https://www.facebook.com/whitehat). Reporters are instructed not to open public GitHub issues for security vulnerabilities. Meta's security team triages reports and determines bounty eligibility.

    github.com

    Open Source License

    Code licensed under MIT; documentation under CC-BY-4.0. Both are permissive licenses that allow commercial and private use with minimal restrictions.

    github.com

    Source Code Transparency

    All source code publicly available on GitHub (facebook/docusaurus). 65.5k stars, active maintenance, 156+ releases. Community can audit code and report issues.

    github.com

    Build Security

    Docusaurus generates static HTML. No server-side code execution. Static output can be served from any CDN or web host. Security posture depends on user's hosting and deployment practices.

    docusaurus.io

    Dependency Management

    Project actively maintains dependencies and addresses known CVEs in upstream packages. Regular releases push security updates to users.

    github.com

    // Products & data scope

    Docusaurus Framework (v3.10.1+)Documentation / Static Site Generator

    data: N/A—Does not handle user data. Users deploy generated static sites to their own infrastructure.

    Open-source framework for building documentation websites. Supports MDX, React components, versioning, i18n, algolia search. Self-hosted only.

    // What to watch

    • CATEGORIZATION MISMATCH: Docusaurus is a static site generator / build tool, not an AI tool. It should not be listed in an 'AI tools directory' unless the directory is explicitly for dev tools / documentation frameworks used by AI teams.
    • NOT A DATA PROCESSOR: Docusaurus does not collect, store, or process user data. It is self-hosted. Traditional compliance certs (SOC 2, ISO 27001, HIPAA, GDPR) are not applicable to a build tool. Compliance responsibility falls on deploying users and their hosting providers.
    • NO TRUST CENTER: Docusaurus has no dedicated privacy policy, data processing agreement, or trust center page. This is normal for open-source tools and does not indicate a security deficiency.
    • META SOC 2 / ISO CERTS DO NOT APPLY: While Meta (maintainer) holds SOC 2 Type II and ISO 27001 certifications, these apply to Meta's SaaS products (Messenger, Workplace, Cloud API, Horizon), NOT to the Docusaurus open-source framework. The parent company's certs should not be attributed to the open-source project.
    • MATURE OPEN-SOURCE PROJECT: With 65.5k GitHub stars, active maintenance, and adoption by major projects (React, Redux, Supabase, Testing Library), Docusaurus is a stable, well-audited framework. Security is community-verified via public source code.

    // At a glance

    Pricing model

    Free (open source, MIT licensed)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Meta Platforms, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    github.com

    > Browse all vendor trust reports