// Trust & Security Report
Mastercard International Incorporated (Dynamic Yield subsidiary)
Experience OS — personalization and experimentation platform for content recommendations, A/B testing, and customer journey optimization across e-commerce, financial services, travel, and media verticals. Gartner Leader 8x consecutive.
Certifications held
9
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on dynamicyield.com“Successfully completed an audited Service Organization Controls (SOC 2) Type II certification, which demonstrates that the company maintains the highest standard of compliance, ensuring the security, availability, processing integrity, confidentiality, and privacy of customer data.”
Verify on dynamicyield.com“Implemented a security program using ISO/IEC 27000-series control standards. ISO 27001 ensures information assets such as financial info, intellectual property, and employee details, are safe and secure.”
Verify on dynamicyield.com“Met additional cloud-specific security standards and guidance through ISO 27017 certification.”
Verify on dynamicyield.com“ISO 27018 ensures personally identifiable information protection in cloud computing services.”
Verify on dynamicyield.com“ISO 27701 improves the implementation and maintenance of its Privacy Information Management System (PIMS) as an extension of its ISO 27001 certificate.”
Verify on dynamicyield.com“Compliant with applicable laws and regulations and committed to ongoing compliance with the EU General Data Protection Regulation. Compliance endorsed by Taylor Wessing LLP (global law firm specializing in data privacy).”
Verify on dynamicyield.com“Refined internal procedures to ensure compliance under the California Consumer Privacy Act (CCPA).”
Verify on cloudsecurityalliance.org“Listed in CSA STAR registry (Level 1, self-assessment). Listing date: September 30, 2021. Assessment based on CAIQ (Consensus Assessments Initiative Questionnaire) v3.1 and Cloud Controls Matrix.”
Verify on dynamicyield.com“Accredited under Singapore's Infocomm Media Development Authority's Accreditation@SG Digital programme.”
> Show 1 unconfirmed / not-held certifications
source: dynamicyield.comNo public evidence of HIPAA certification or compliance. HIPAA is not mentioned on compliance pages or security documentation. Platform appears to be designed for commercial (e-commerce, financial services, media) verticals rather than healthcare.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Dual region: US (AWS Virginia, us-east-1) and EU (AWS Frankfurt, eu-central-1). Customers can choose region for data storage to meet GDPR and data residency requirements.
Privacy notice indicates data is processed for 'deidentifying and aggregating' data and 'training our AI' under legal basis of 'legitimate interest' and 'statistical and/or research purposes.' No explicit separate opt-out mechanism for AI training mentioned; privacy rights (deletion, withdrawal of consent) can be exercised via privacy@dynamicyield.com.
// Security controls
Encryption at Rest
Personal data stored in encrypted RDS with RSA 4096 key encryption algorithm
dynamicyield.comData Segregation
Customer data stored separately with unique Personal Data encryption keys
dynamicyield.comAccess Controls
Multi-factor authentication, password hashing with salting, account lockout after failed login attempts, role-based access controls with regular auditing
dynamicyield.comSecurity Leadership
Chief Information Security Officer (CISO) leading dedicated security team including DevSecOps experts, infrastructure specialists, and Data Privacy Officer
dynamicyield.comTesting & Assessment
Regular penetration testing, vulnerability management, and third-party vendor certification with annual reviews
dynamicyield.comNetwork Defense
Firewall, VPN, network segregation, threat and traffic detection systems. Anti-malware/antivirus protection on all workstations
dynamicyield.comCloud Infrastructure
Hosted on AWS with geographic redundancy across US and EU regions
dynamicyield.comData Subject Rights Support
DPA includes features for assisting customers with data subject requests (erasure, rectification, export). Reasonable assistance for compliance obligations provided.
dynamicyield.com// Products & data scope
data: End-user behavioral data (page interactions, IP addresses, device attributes, online identifiers, email, CRM data, transaction histories for applicable verticals)
Core product offering: segmentation, targeting, product recommendations, journey orchestration, experimentation/A/B testing. Used across e-commerce, financial services, restaurants, grocery, travel, iGaming, media, B2B.
// What to watch
- CSA STAR registry entry was last listed September 30, 2021 and has not been updated in over 4 years; Level 1 self-assessment status suggests the organization should consider submitting a newer assessment if compliance posture has evolved.
- AI training practices: Privacy notice mentions 'training our AI' under legitimate interest and statistical purposes, but does not provide a granular opt-out mechanism separate from general data processing choices. Customers exercising privacy rights can contact privacy@dynamicyield.com but the AI training opt-out path could be more explicit.
- Mastercard ownership: Dynamic Yield is now a Mastercard subsidiary (acquired 2022 from McDonald's). While this is accurate in vendor naming, some customers may not realize it's part of Mastercard's suite. No identity confusion risk but noteworthy for procurement.
- HIPAA not in scope: No HIPAA certification or BAA mentioned; this is appropriate for a commercial personalization platform (not health/medical), but healthcare prospects should not assume HIPAA support without direct inquiry.
// At a glance
Pricing model
Enterprise SaaS (contact sales; usage-based and/or fixed agreements typical)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mastercard International Incorporated (Dynamic Yield subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
dynamicyield.com