// Trust & Security Report

    Mastercard International Incorporated (Dynamic Yield subsidiary) logo

    Mastercard International Incorporated (Dynamic Yield subsidiary)

    Experience OS — personalization and experimentation platform for content recommendations, A/B testing, and customer journey optimization across e-commerce, financial services, travel, and media verticals. Gartner Leader 8x consecutive.

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Successfully completed an audited Service Organization Controls (SOC 2) Type II certification, which demonstrates that the company maintains the highest standard of compliance, ensuring the security, availability, processing integrity, confidentiality, and privacy of customer data.

    Verify on dynamicyield.com
    ISO 27001
    HELD

    Implemented a security program using ISO/IEC 27000-series control standards. ISO 27001 ensures information assets such as financial info, intellectual property, and employee details, are safe and secure.

    Verify on dynamicyield.com
    ISO 27017
    HELD

    Met additional cloud-specific security standards and guidance through ISO 27017 certification.

    Verify on dynamicyield.com
    ISO 27018
    HELD

    ISO 27018 ensures personally identifiable information protection in cloud computing services.

    Verify on dynamicyield.com
    ISO 27701
    HELD

    ISO 27701 improves the implementation and maintenance of its Privacy Information Management System (PIMS) as an extension of its ISO 27001 certificate.

    Verify on dynamicyield.com
    GDPR
    HELD

    Compliant with applicable laws and regulations and committed to ongoing compliance with the EU General Data Protection Regulation. Compliance endorsed by Taylor Wessing LLP (global law firm specializing in data privacy).

    Verify on dynamicyield.com
    CCPA
    HELD

    Refined internal procedures to ensure compliance under the California Consumer Privacy Act (CCPA).

    Verify on dynamicyield.com
    Cloud Security Alliance (CSA) STAR Registry
    HELD

    Listed in CSA STAR registry (Level 1, self-assessment). Listing date: September 30, 2021. Assessment based on CAIQ (Consensus Assessments Initiative Questionnaire) v3.1 and Cloud Controls Matrix.

    Verify on cloudsecurityalliance.org
    SGD Accreditation
    HELD

    Accredited under Singapore's Infocomm Media Development Authority's Accreditation@SG Digital programme.

    Verify on dynamicyield.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification or compliance. HIPAA is not mentioned on compliance pages or security documentation. Platform appears to be designed for commercial (e-commerce, financial services, media) verticals rather than healthcare.

    source: dynamicyield.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Dual region: US (AWS Virginia, us-east-1) and EU (AWS Frankfurt, eu-central-1). Customers can choose region for data storage to meet GDPR and data residency requirements.

    Privacy notice indicates data is processed for 'deidentifying and aggregating' data and 'training our AI' under legal basis of 'legitimate interest' and 'statistical and/or research purposes.' No explicit separate opt-out mechanism for AI training mentioned; privacy rights (deletion, withdrawal of consent) can be exercised via privacy@dynamicyield.com.

    // Security controls

    Encryption in Transit

    TLS 1.2 for web servers and API connections

    dynamicyield.com

    Encryption at Rest

    Personal data stored in encrypted RDS with RSA 4096 key encryption algorithm

    dynamicyield.com

    Data Segregation

    Customer data stored separately with unique Personal Data encryption keys

    dynamicyield.com

    Access Controls

    Multi-factor authentication, password hashing with salting, account lockout after failed login attempts, role-based access controls with regular auditing

    dynamicyield.com

    Security Leadership

    Chief Information Security Officer (CISO) leading dedicated security team including DevSecOps experts, infrastructure specialists, and Data Privacy Officer

    dynamicyield.com

    Testing & Assessment

    Regular penetration testing, vulnerability management, and third-party vendor certification with annual reviews

    dynamicyield.com

    Network Defense

    Firewall, VPN, network segregation, threat and traffic detection systems. Anti-malware/antivirus protection on all workstations

    dynamicyield.com

    Cloud Infrastructure

    Hosted on AWS with geographic redundancy across US and EU regions

    dynamicyield.com

    Data Subject Rights Support

    DPA includes features for assisting customers with data subject requests (erasure, rectification, export). Reasonable assistance for compliance obligations provided.

    dynamicyield.com

    // Products & data scope

    Experience OS (Platform)Personalization & Experimentation

    data: End-user behavioral data (page interactions, IP addresses, device attributes, online identifiers, email, CRM data, transaction histories for applicable verticals)

    Core product offering: segmentation, targeting, product recommendations, journey orchestration, experimentation/A/B testing. Used across e-commerce, financial services, restaurants, grocery, travel, iGaming, media, B2B.

    // What to watch

    • CSA STAR registry entry was last listed September 30, 2021 and has not been updated in over 4 years; Level 1 self-assessment status suggests the organization should consider submitting a newer assessment if compliance posture has evolved.
    • AI training practices: Privacy notice mentions 'training our AI' under legitimate interest and statistical purposes, but does not provide a granular opt-out mechanism separate from general data processing choices. Customers exercising privacy rights can contact privacy@dynamicyield.com but the AI training opt-out path could be more explicit.
    • Mastercard ownership: Dynamic Yield is now a Mastercard subsidiary (acquired 2022 from McDonald's). While this is accurate in vendor naming, some customers may not realize it's part of Mastercard's suite. No identity confusion risk but noteworthy for procurement.
    • HIPAA not in scope: No HIPAA certification or BAA mentioned; this is appropriate for a commercial personalization platform (not health/medical), but healthcare prospects should not assume HIPAA support without direct inquiry.

    // At a glance

    Pricing model

    Enterprise SaaS (contact sales; usage-based and/or fixed agreements typical)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mastercard International Incorporated (Dynamic Yield subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    dynamicyield.com

    > Browse all vendor trust reports