// Trust & Security Report
Hugging Face, Inc. (Delaware corporation)
HuggingChat is a free, open-source AI chat application powered by open source large language models (Llama 2 and other models available via Hugging Face Inference Endpoints). Omni feature automatically selects the best model for each request. Available via web interface at huggingface.co/chat.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on huggingface.co“Hugging Face is also SOC2 Type 2 certified, meaning we provide security certification to our customers and actively monitor and patch any security weaknesses.”
Verify on huggingface.co“Hugging Face is GDPR compliant. If a contract or specific data storage is something you'll need, we recommend taking a look at our Team & Enterprise Support. Hugging Face can also offer Business Associate Addendums or GDPR data processing agreements through an Enterprise Plan.”
> Show 8 unconfirmed / not-held certifications
source: huggingface.coNo public evidence of ISO 27001 certification found in Hugging Face's official documentation or security pages.
source: huggingface.coHIPAA Business Associate Addendum available through Enterprise Hub subscription, but HuggingChat free tier does not include HIPAA compliance. Not marketed as HIPAA-compliant product out of the box.
source: huggingface.coNo public evidence of ISO 27017 certification found.
source: huggingface.coNo public evidence of ISO 27018 certification found.
source: huggingface.coNo public evidence of ISO 27701 certification found.
source: huggingface.coNo public evidence of ISO/IEC 42001 or AI-specific governance certifications found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (primary); EU entity based in France (Hugging Face SAS, 9 rue des Colonnes, 75002 Paris). Data processing occurs in US and other countries where Hugging Face maintains facilities.
By default, conversations may be shared with the respective models' authors to improve their training data and model over time. However, users can disable data sharing in settings. When disabled, conversations will NOT be used for any downstream usage (including research or model training) and are only stored to allow users to access past conversations. Hugging Face explicitly states: 'Hugging Face does not store any user data for training purposes.'
// Security controls
Data Storage
No customer payloads stored; logs retained for 30 days only for debugging purposes. User conversations stored only for user access to past chats.
huggingface.coPrivate Connectivity
AWS PrivateLink available for organizations to access endpoints through private connections without internet exposure (Enterprise feature)
huggingface.coAccess Control
Role-Based Access Control (RBAC), access tokens, Two-Factor Authentication (2FA), Git over SSH, GPG commit signing supported
huggingface.coGeneral Security Practices
Follows generally accepted industry standards including appropriate administrative, physical and technical safeguards
huggingface.co// Products & data scope
data: Conversations stored on Hugging Face servers. By default may be shared with model authors unless user disables data sharing.
Free, web-based chat application. No advanced compliance features (no ISO 27001, no HIPAA, no custom DPA, no custom data residency)
data: GDPR DPA available. Business Associate Addendum (BAA) available for HIPAA.
Enterprise customers can negotiate custom data handling, DPA, and BAA terms. Advanced features like SSO, resource groups, and custom access controls available.
data: Supports public, protected, and private (PrivateLink) endpoint configurations. SOC 2 Type 2 certified.
Infrastructure service; no payloads stored by default. GDPR DPA available for Enterprise. Used as backend for HuggingChat's model access.
// What to watch
- Data sharing default: By default, conversations may be shared with model authors unless users explicitly disable in settings. Users must take action to opt-out of data sharing.
- Limited advanced certifications: ISO 27001 not publicly advertised. Advanced certifications (ISO 27017/27018/27701, HIPAA-certified product, FedRAMP) not available for free tier or public documentation.
- HIPAA not native: HIPAA compliance available only through Enterprise BAA negotiation, not as standard feature.
- No dedicated trust center: No public trust center or security dashboard. Security information scattered across /docs/hub/security and /docs/inference-endpoints/security.
- Maturity assessment: Hugging Face is a well-funded growth-stage company (Series D funding, institutional backing), not an enterprise-stage vendor with mature compliance infrastructure comparable to Salesforce, Microsoft, or AWS.
- EU data residency: While Hugging Face SAS is registered in France, default data processing is US-based. Custom EU residency would require Enterprise negotiation.
// At a glance
Pricing model
Freemium (HuggingChat free tier; paid Enterprise/Team plans for compliance features)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Hugging Face, Inc. (Delaware corporation)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
huggingface.co