// Trust & Security Report

    Framer B.V. logo

    Framer B.V.

    AI website builder and design/hosting platform (Framer design canvas, AI design/CMS/code agents, CMS, hosting, analytics, A/B testing, localization). External-agent integrations with Claude Code, Codex, Cursor.

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Framer has achieved ISO 27001 compliance. The ISO 27001 certificate and statement of applicability are available to Enterprise customers upon request.

    Verify on framer.com
    SOC 2 Type 2
    HELD

    The Framer 2025 SOC 2 Type 2 report is now available for your review. The audit, completed by Schellman & Company, LLC, covers the period from December 1, 2024 to November 30, 2025, and includes the trust services criteria for Security and Availability.

    Verify on app.eu.vanta.com
    SOC 2 Type 1
    HELD

    Framer has successfully completed the SOC 2 Type 1 audit and the SOC 2 Type 2 audit. Framer's SOC 2 report covers the trust services principles and criteria security and availability.

    Verify on framer.com
    GDPR
    HELD

    Framer is committed to ensuring that all our customer and employee personal data are treated in a way that complies with the EU's General Data Protection Regulation (GDPR).

    Verify on framer.com
    CCPA
    HELD

    Framer is committed to be compliant with the CCPA. As a provider of enterprise design tools, Framer is primarily a service provider under the CCPA.

    Verify on framer.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA claim on Framer's security page or trust center. The Vanta trust center lists 'Personal health information' under data collected, but no HIPAA attestation or BAA is offered. Framer is a website builder, not a healthcare platform.

    source: app.eu.vanta.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (all services hosted in AWS US facilities, distributed across multiple AWS availability zones).

    TIER-DEPENDENT, and a notable flag. Non-Enterprise (free/Pro/team) customers grant Framer a license to use their AI Inputs and Outputs to train Framer AI models: 'All non-Enterprise Plan customers hereby grant Framer a worldwide, limited, irrevocable, non-exclusive right and license to use and reproduce Customer's Inputs and Outputs in a deidentified manner for the purposes of training Framer artificial intelligence models.' Enterprise customers are excluded: 'For Enterprise Plan customers, Customer's Inputs and Outputs will not be used for training Framer's artificial intelligence models.' Third-party model providers may not train on customer data: 'none of the providers of Third-Party Models have the right to use Customer's Inputs and Outputs to train their AI models.'

    // Security controls

    Penetration testing

    Regular third-party penetration tests of all application and cloud infrastructure; findings prioritized, triaged, and remediated by the security team. A 2025 Pentest Report is available via the trust center.

    framer.com

    Bug bounty / vulnerability disclosure

    No public HackerOne or Bugcrowd bug-bounty program. Framer runs a direct vulnerability disclosure channel: reports to vulnerability-disclosure@framer.com (and security@framer.com).

    framer.com

    Encryption at rest

    AES-256 encryption at rest across AWS data stores (Aurora, DynamoDB, ElastiCache, S3), including backups. AWS KMS for key management, AWS Parameter Store for secrets.

    framer.com

    Encryption in transit

    TLS 1.2+ required with strong cipher suites and Forward Secrecy; HSTS enforced with production domains on the HSTS Preload List.

    framer.com

    SSO and RBAC (Enterprise)

    SAML and OIDC SSO (Google, Azure AD, OneLogin, Okta) for Enterprise; role-based access control (viewer, collaborator, editor, administrator).

    framer.com

    Monitoring and incident response

    Centralized logging/SIEM, audit trails (G Suite, GitHub, AWS CloudTrail), 24/7 SOC monitoring; documented incident triage and escalation; cybersecurity insurance maintained.

    framer.com

    Backups and DR

    Redundant storage across multiple AWS availability zones; continuous off-site backups; restoration fully tested every 30 days; Continuity and DR plans established.

    framer.com

    Secure development

    Mandatory PR code review/approval, GitHub Enterprise + Dependabot, static analysis (Code Climate), Sentry error tracking, fully separated prod/staging/dev environments and AWS accounts.

    framer.com

    Uptime / availability

    Framer advertises 99.99% hosting uptime; status page maintained ('All services online').

    framer.com

    // Products & data scope

    Framer (Free / Pro / Team)AI website builder, design canvas, CMS, hosting

    data: Customer site content, design Inputs, and AI Outputs. AI Inputs/Outputs ARE used (deidentified) to train Framer AI models on these non-Enterprise tiers.

    Standard security controls (ISO 27001, SOC 2) apply. No SSO/RBAC at lower tiers. AI training opt-out effectively requires Enterprise.

    Framer EnterpriseEnterprise website platform

    data: Same hosting/data footprint, but Inputs/Outputs are NOT used to train Framer AI models. Adds SSO (SAML/OIDC), RBAC, custom security options, access to SOC 2 report, ISO 27001 certificate, and statement of applicability on request.

    Recommended tier for organizations with data-sensitivity or compliance requirements, primarily due to the AI-training carve-out and SSO/RBAC.

    External Agents / API integrationsProgrammatic site/CMS automation

    data: Allows external AI tools (Claude Code, Codex, Cursor, Terminal, Slack, GitHub PRs) to read and modify site content and CMS via Framer's agent/API surface.

    Expands the data-access surface to third-party AI clients; the same AI-training tier rules apply to Framer-side Inputs/Outputs. Third-party model providers are contractually barred from training on customer data.

    // What to watch

    • AI TRAINING ON CUSTOMER DATA BY DEFAULT for all non-Enterprise tiers: Framer uses customer AI Inputs and Outputs (deidentified) to train its own AI models unless the customer is on the Enterprise plan. This is a material consideration for any team putting proprietary/brand content into Framer's AI agents.
    • No public bug-bounty program (HackerOne/Bugcrowd); direct vulnerability disclosure email only. Pentesting is still performed by third-party firms.
    • US-only data residency; no self-hosting and no documented EU data region for the service itself.
    • Vanta trust center lists 'Personal health information' and 'Credit card information' among data collected, but no HIPAA/PCI attestation is offered. Enterprise certs (ISO/SOC 2 reports) are gated behind 'available to Enterprise customers upon request.'

    // At a glance

    Pricing model

    Freemium SaaS with paid Pro/Team tiers and custom-priced Enterprise.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Framer B.V.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    app.eu.vanta.com

    > Browse all vendor trust reports