// Trust & Security Report

    GitBook INC logo

    GitBook INC

    AI-native documentation platform; sub-products include GitBook AI (writing assistance), GitBook Agent (stale content detection), GitBook Assistant (ask-your-docs chatbot), and Git Sync (repo-linked doc updates)

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    GitBook completed a SOC 2 Type II audit, which certifies the effectiveness of our security processes at every level of the company - from server architecture down to employee access. (Trust Center at security.gitbook.com lists SOC 2 Type II under Compliance.)

    Verify on security.gitbook.com
    ISO 27001:2022
    HELD

    Trust Center at security.gitbook.com lists ISO 27001:2022 under Compliance. Blog announcement (Sept 2023) confirmed initial ISO/IEC 27001 certification; trust center now shows the 2022 revision, consistent with the October 2025 transition deadline having passed.

    Verify on security.gitbook.com
    GDPR
    HELD

    We are SOC 2, ISO 27001 and GDPR compliant. Privacy Statement: If you're visiting us from the EU, we are compliant with the General Data Protection Regulation (GDPR). GitBook has adopted a data processing addendum with Standard Contractual Clauses.

    Verify on gitbook.com
    > Show 7 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance on the trust center, security FAQ, privacy statement, enterprise page, or pricing page. No BAA offering found. GitBook's security FAQ does not list HIPAA among supported compliance frameworks.

    source: security.gitbook.com
    PCI DSS
    NOT CONFIRMED

    No PCI DSS certification or attestation found on any GitBook-domain page. GitBook explicitly delegates payment card processing to Stripe; card data never reaches GitBook servers.

    source: gitbook.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification on any GitBook-domain page.

    source: security.gitbook.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification on any GitBook-domain page.

    source: security.gitbook.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification or self-assessment on any GitBook-domain page.

    source: security.gitbook.com
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP authorization on any GitBook-domain page.

    source: security.gitbook.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO 42001 AI management certification on any GitBook-domain page.

    source: security.gitbook.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (Google Cloud). CDN caching may occur globally via Cloudflare; application-layer data access is validated through US-based servers. No EU or other regional data residency option is offered.

    GitBook AI Policy explicitly states: 'Customer data is never shared with OpenAI or used to train any AI models.' GitBook uses OpenAI as its AI provider for features like the AI Assistant and GitBook Agent. No opt-out mechanism is described because training is stated to be off by default for all tiers. No tier-level differences in this policy are documented publicly.

    // Security controls

    Encryption in transit

    HTTPS/TLS for all traffic including custom domains (via Let's Encrypt and Cloudflare)

    gitbook.com

    Encryption at rest

    Multiple layers of AES-256 and AES-128 encryption on Google Cloud Platform

    gitbook.com

    Cloud infrastructure

    Google Cloud Platform (primary); Cloudflare (CDN/DDoS); Vercel (hosting layer); PlanetScale (database)

    gitbook.com

    Tenant isolation

    Each organization's data is logically isolated from other tenants; access automatically revoked on user removal

    gitbook.com

    Access control

    Role-based permissions (reader, editor, admin) enforced at API level; SAML SSO on Enterprise tier

    gitbook.com

    Penetration testing

    Penetration testing performed (listed as a security control in trust center); test report available on request via trust center

    security.gitbook.com

    Business continuity

    Continuity and Disaster Recovery plans established and tested (listed in trust center controls)

    security.gitbook.com

    Cyber insurance

    Cybersecurity insurance maintained (listed in trust center controls)

    security.gitbook.com

    Vulnerability management

    Responsible disclosure program active; security bugs reported to security@gitbook.com

    gitbook.com

    Data deletion on offboarding

    Customer data deleted upon leaving (listed in trust center Data and privacy controls)

    security.gitbook.com

    Payment data

    Credit card data processed by Stripe only; GitBook stores only partial card details and optional billing address

    gitbook.com

    // Products & data scope

    GitBook FreeDocumentation platform

    data: Public and private documentation content, user account data (email, username); SOC 2 + ISO 27001 protections apply

    1 user, basic SSO (Google/email domain). No SAML SSO.

    GitBook PremiumDocumentation platform

    data: Public branded docs sites; same data protections as Free

    $65/site/month + $12/user/month. No SAML SSO or legal/security reviews.

    GitBook UltimateAI documentation platform

    data: Documentation content + AI-processed queries via OpenAI; customer data explicitly not used for AI training

    $249/site/month + $12/user/month. Includes AI Assistant and GitBook Agent. No SAML SSO.

    GitBook EnterpriseEnterprise documentation platform

    data: Full documentation corpus + AI features; legal and security reviews included; SAML SSO for access control

    Custom pricing. Adds SAML SSO, white-glove migration, 1:1 support, custom integrations, legal and security reviews.

    // What to watch

    • HIPAA: no compliance claim and no BAA offering found - not suitable for healthcare PHI workloads
    • Data residency: US-only storage on Google Cloud; no EU or regional residency option, which may affect GDPR-sensitive enterprise buyers in Europe
    • ISO 27001 version: original 2023 certification was likely ISO 27001:2013; trust center now shows ISO 27001:2022, implying a successful transition before the October 2025 deadline - this is positive but the exact transition date is not publicly confirmed
    • AI provider dependency: GitBook uses OpenAI as its AI provider; customers whose data flows through AI features should note OpenAI is a subprocessor, though GitBook states no customer data is used for training
    • SaaS-only: no self-hosting or on-premises option available, meaning all data resides on GitBook-controlled infrastructure

    // At a glance

    Pricing model

    Per-site + per-user subscription (Free / Premium at $65/site/mo / Ultimate at $249/site/mo / Enterprise at custom pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on GitBook INC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.gitbook.com

    > Browse all vendor trust reports