// Trust & Security Report

    Hugging Face, Inc. (Delaware corporation) logo

    Hugging Face, Inc. (Delaware corporation)

    HuggingChat is a free, open-source AI chat application powered by open source large language models (Llama 2 and other models available via Hugging Face Inference Endpoints). Omni feature automatically selects the best model for each request. Available via web interface at huggingface.co/chat.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Hugging Face is also SOC2 Type 2 certified, meaning we provide security certification to our customers and actively monitor and patch any security weaknesses.

    Verify on huggingface.co
    GDPR Compliance
    HELD

    Hugging Face is GDPR compliant. If a contract or specific data storage is something you'll need, we recommend taking a look at our Team & Enterprise Support. Hugging Face can also offer Business Associate Addendums or GDPR data processing agreements through an Enterprise Plan.

    Verify on huggingface.co
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found in Hugging Face's official documentation or security pages.

    source: huggingface.co
    HIPAA (BAA)
    NOT CONFIRMED

    HIPAA Business Associate Addendum available through Enterprise Hub subscription, but HuggingChat free tier does not include HIPAA compliance. Not marketed as HIPAA-compliant product out of the box.

    source: huggingface.co
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found.

    source: huggingface.co
    ISO 27017 (Cloud data security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found.

    source: huggingface.co
    ISO 27018 (Cloud PII protection)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found.

    source: huggingface.co
    ISO 27701 (Privacy management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found.

    source: huggingface.co
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or AI-specific governance certifications found.

    source: huggingface.co
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification found.

    source: huggingface.co

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (primary); EU entity based in France (Hugging Face SAS, 9 rue des Colonnes, 75002 Paris). Data processing occurs in US and other countries where Hugging Face maintains facilities.

    By default, conversations may be shared with the respective models' authors to improve their training data and model over time. However, users can disable data sharing in settings. When disabled, conversations will NOT be used for any downstream usage (including research or model training) and are only stored to allow users to access past conversations. Hugging Face explicitly states: 'Hugging Face does not store any user data for training purposes.'

    // Security controls

    Encryption in Transit

    TLS/SSL encryption for all endpoints

    huggingface.co

    Data Storage

    No customer payloads stored; logs retained for 30 days only for debugging purposes. User conversations stored only for user access to past chats.

    huggingface.co

    Private Connectivity

    AWS PrivateLink available for organizations to access endpoints through private connections without internet exposure (Enterprise feature)

    huggingface.co

    Malware Scanning

    Malware and pickle scans provided for all model repository contents

    huggingface.co

    Access Control

    Role-Based Access Control (RBAC), access tokens, Two-Factor Authentication (2FA), Git over SSH, GPG commit signing supported

    huggingface.co

    General Security Practices

    Follows generally accepted industry standards including appropriate administrative, physical and technical safeguards

    huggingface.co

    // Products & data scope

    HuggingChat (Free)AI Chat Interface

    data: Conversations stored on Hugging Face servers. By default may be shared with model authors unless user disables data sharing.

    Free, web-based chat application. No advanced compliance features (no ISO 27001, no HIPAA, no custom DPA, no custom data residency)

    HuggingChat (Enterprise/Team Plan)AI Chat Interface with Enterprise Features

    data: GDPR DPA available. Business Associate Addendum (BAA) available for HIPAA.

    Enterprise customers can negotiate custom data handling, DPA, and BAA terms. Advanced features like SSO, resource groups, and custom access controls available.

    Hugging Face Inference EndpointsModel Hosting API

    data: Supports public, protected, and private (PrivateLink) endpoint configurations. SOC 2 Type 2 certified.

    Infrastructure service; no payloads stored by default. GDPR DPA available for Enterprise. Used as backend for HuggingChat's model access.

    // What to watch

    • Data sharing default: By default, conversations may be shared with model authors unless users explicitly disable in settings. Users must take action to opt-out of data sharing.
    • Limited advanced certifications: ISO 27001 not publicly advertised. Advanced certifications (ISO 27017/27018/27701, HIPAA-certified product, FedRAMP) not available for free tier or public documentation.
    • HIPAA not native: HIPAA compliance available only through Enterprise BAA negotiation, not as standard feature.
    • No dedicated trust center: No public trust center or security dashboard. Security information scattered across /docs/hub/security and /docs/inference-endpoints/security.
    • Maturity assessment: Hugging Face is a well-funded growth-stage company (Series D funding, institutional backing), not an enterprise-stage vendor with mature compliance infrastructure comparable to Salesforce, Microsoft, or AWS.
    • EU data residency: While Hugging Face SAS is registered in France, default data processing is US-based. Custom EU residency would require Enterprise negotiation.

    // At a glance

    Pricing model

    Freemium (HuggingChat free tier; paid Enterprise/Team plans for compliance features)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Hugging Face, Inc. (Delaware corporation)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    huggingface.co

    > Browse all vendor trust reports