// Trust & Security Report
Instapage, Inc.
AI-powered landing page builder and conversion optimization platform
Certifications held
5
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on instapage.com“Instapage has undergone two types of SOC 2 audits and received certification showing that Instapage has the right security systems that ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.”
Verify on instapage.com“Instapage has undergone two types of SOC 2 audits and received certification showing that Instapage has the right security systems that ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.”
Verify on instapage.com“Instapage complies with GDPR data privacy and security standards giving EU customers more control over their shared data.”
Verify on instapage.com“Instapage follows the California Consumer Privacy Act (CCPA), now updated by the California Privacy Rights Act (CPRA), to enhance the protection of personal data and privacy for California residents.”
Verify on legal.instapage.com“self-certified under the EU-US Data Protection Framework (DPF), the Swiss-U.S. DPF, and the UK extension to the EU-US DPF”
> Show 6 unconfirmed / not-held certifications
source: instapage.comNo public evidence of a formal ISO 27001 certification. The security page states: 'All our policies align with ISO 27001/2 and NIST 800-53 frameworks, reviewed yearly or after significant changes.' Policy alignment is not equivalent to ISO 27001 certification.
source: legal.instapage.comA Business Associate Agreement (BAA) template exists at legal.instapage.com/baa (updated December 2025), but third-party analysis as of 2025 reports 'Instapage will not sign a business associate agreement and, therefore, is not HIPAA compliant.' Instapage's own BAA page describes obligations but it is unclear whether Instapage actively executes BAAs for customers. Treat as unverified; verify directly with Instapage before any healthcare use.
source: instapage.comNo public evidence of PCI DSS compliance or certification found on vendor domain.
source: instapage.comNo public evidence of FedRAMP authorization found on vendor domain.
source: instapage.comNo public evidence of ISO/IEC 42001 certification or CSA STAR AI certification found on vendor domain.
source: instapage.comNo public evidence of CSA STAR certification found on vendor domain.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States (primary). Data processing and storage occur in the US. EU/EEA customers are subject to cross-border data transfers governed by EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. The privacy notice states: 'your personal information will be transferred to us, our affiliates, and our subprocessors in the United States.'
Instapage's Privacy Notice explicitly discloses use of customer data for AI model training: 'analyzing how our Services are used...including training our artificial intelligence (AI) models; assessing certain content you send or display through our Services.' No public opt-out mechanism for AI training was identified in the privacy policy or terms of service.
// Security controls
Encryption in transit
TLS/SSL encryption for all user interactions. SSL certificates verify website authenticity and encrypted connections.
instapage.comInfrastructure
Dual cloud redundancy across Amazon Web Services (AWS) and Google Cloud Platform (GCP). 99.99% server uptime guarantee. Global data centers in North America, Europe, and Asia.
instapage.comSingle Sign-On (SSO)
SAML 2.0 enterprise SSO supported (Okta, PingOne, OneLogin, Microsoft Azure, Google GSuite). Available on Convert (enterprise) plan only.
instapage.comVulnerability management
Quarterly vulnerability assessments, annual internal and external penetration testing, monthly network scans.
instapage.comIntrusion detection
Network safeguards including intrusion detection and host-based anti-virus.
instapage.comDPA / SCCs
Data Processing Agreement (DPA) available with EU SCCs (Module Two for Controller-Processor), UK IDTA, and Swiss SCCs incorporated.
legal.instapage.comBug Bounty Program
Bug Bounty Program listed in site footer and linked from the home page.
instapage.com// Products & data scope
data: $99/month, 15,000 monthly visitors. Unlimited pages and conversions. Basic SSL, GDPR compliance features, Google SSO.
Entry plan; no enterprise SSO or audit logs. SAML SSO not included.
data: $199/month, 30,000 monthly visitors. Includes A/B testing, AI experiments, analytics, heatmaps.
Recommended plan. Adds experimentation features; no enterprise SSO or audit logs.
data: Custom pricing. Unlimited visitors. Includes all Optimize features plus enterprise SSO (SAML 2.0), audit logs, guaranteed uptime SLA, direct lead bypass to CRM.
Only tier with enterprise security controls (SSO, audit logs, SLA). Best fit for regulated or compliance-conscious organizations.
// What to watch
- AI TRAINING: Instapage explicitly discloses training AI models on customer data including content customers send or display through the service. No public opt-out mechanism identified. Review carefully for sensitive use cases.
- ISO 27001 OVER-CLAIM RISK: The security page claims policy alignment with ISO 27001/2 but no formal certification evidence was found. This is a framework alignment, not a certification. Do not treat as certified.
- HIPAA AMBIGUITY: A BAA template exists in the Legal Hub (updated December 2025) but third-party healthcare compliance research (2025) states Instapage does not sign BAAs. HIPAA status is unresolved; verify directly with Instapage before any PHI/healthcare use.
- NO DATA RESIDENCY CHOICE: All data is processed and stored in the United States. EU customers relying on data residency in Europe cannot use Instapage for that requirement.
- TRUST CENTER CONTENT: The trust center (security.instapage.com) is JavaScript-heavy and could not be fully read by automated scraping. Manual review recommended for due diligence.
- SOC 2 REPORT AGE: SOC 2 Type I was obtained November 2019, Type II as of May 2020. Public pages do not specify the most recent audit renewal date. Request an up-to-date report from the vendor.
// At a glance
Pricing model
Subscription (monthly/annual), tiered by visitor volume. Create $99/mo, Optimize $199/mo, Convert custom.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Instapage, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.instapage.com