// Trust & Security Report

    Instapage, Inc. logo

    Instapage, Inc.

    AI-powered landing page builder and conversion optimization platform

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Instapage has undergone two types of SOC 2 audits and received certification showing that Instapage has the right security systems that ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.

    Verify on instapage.com
    SOC 2 Type II
    HELD

    Instapage has undergone two types of SOC 2 audits and received certification showing that Instapage has the right security systems that ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.

    Verify on instapage.com
    GDPR
    HELD

    Instapage complies with GDPR data privacy and security standards giving EU customers more control over their shared data.

    Verify on instapage.com
    CCPA/CPRA
    HELD

    Instapage follows the California Consumer Privacy Act (CCPA), now updated by the California Privacy Rights Act (CPRA), to enhance the protection of personal data and privacy for California residents.

    Verify on instapage.com
    EU-US Data Privacy Framework (DPF)
    HELD

    self-certified under the EU-US Data Protection Framework (DPF), the Swiss-U.S. DPF, and the UK extension to the EU-US DPF

    Verify on legal.instapage.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of a formal ISO 27001 certification. The security page states: 'All our policies align with ISO 27001/2 and NIST 800-53 frameworks, reviewed yearly or after significant changes.' Policy alignment is not equivalent to ISO 27001 certification.

    source: instapage.com
    HIPAA
    NOT CONFIRMED

    A Business Associate Agreement (BAA) template exists at legal.instapage.com/baa (updated December 2025), but third-party analysis as of 2025 reports 'Instapage will not sign a business associate agreement and, therefore, is not HIPAA compliant.' Instapage's own BAA page describes obligations but it is unclear whether Instapage actively executes BAAs for customers. Treat as unverified; verify directly with Instapage before any healthcare use.

    source: legal.instapage.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance or certification found on vendor domain.

    source: instapage.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on vendor domain.

    source: instapage.com
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification or CSA STAR AI certification found on vendor domain.

    source: instapage.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on vendor domain.

    source: instapage.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (primary). Data processing and storage occur in the US. EU/EEA customers are subject to cross-border data transfers governed by EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. The privacy notice states: 'your personal information will be transferred to us, our affiliates, and our subprocessors in the United States.'

    Instapage's Privacy Notice explicitly discloses use of customer data for AI model training: 'analyzing how our Services are used...including training our artificial intelligence (AI) models; assessing certain content you send or display through our Services.' No public opt-out mechanism for AI training was identified in the privacy policy or terms of service.

    // Security controls

    Encryption in transit

    TLS/SSL encryption for all user interactions. SSL certificates verify website authenticity and encrypted connections.

    instapage.com

    Encryption at rest

    Full disk encryption and browser session encryption confirmed.

    instapage.com

    Infrastructure

    Dual cloud redundancy across Amazon Web Services (AWS) and Google Cloud Platform (GCP). 99.99% server uptime guarantee. Global data centers in North America, Europe, and Asia.

    instapage.com

    Single Sign-On (SSO)

    SAML 2.0 enterprise SSO supported (Okta, PingOne, OneLogin, Microsoft Azure, Google GSuite). Available on Convert (enterprise) plan only.

    instapage.com

    Vulnerability management

    Quarterly vulnerability assessments, annual internal and external penetration testing, monthly network scans.

    instapage.com

    Intrusion detection

    Network safeguards including intrusion detection and host-based anti-virus.

    instapage.com

    DPA / SCCs

    Data Processing Agreement (DPA) available with EU SCCs (Module Two for Controller-Processor), UK IDTA, and Swiss SCCs incorporated.

    legal.instapage.com

    Audit logs

    Audit logs available on enterprise (Convert) plan.

    instapage.com

    Bug Bounty Program

    Bug Bounty Program listed in site footer and linked from the home page.

    instapage.com

    // Products & data scope

    CreateLanding page builder (entry tier)

    data: $99/month, 15,000 monthly visitors. Unlimited pages and conversions. Basic SSL, GDPR compliance features, Google SSO.

    Entry plan; no enterprise SSO or audit logs. SAML SSO not included.

    OptimizeLanding page builder with CRO (mid tier)

    data: $199/month, 30,000 monthly visitors. Includes A/B testing, AI experiments, analytics, heatmaps.

    Recommended plan. Adds experimentation features; no enterprise SSO or audit logs.

    ConvertEnterprise landing page platform

    data: Custom pricing. Unlimited visitors. Includes all Optimize features plus enterprise SSO (SAML 2.0), audit logs, guaranteed uptime SLA, direct lead bypass to CRM.

    Only tier with enterprise security controls (SSO, audit logs, SLA). Best fit for regulated or compliance-conscious organizations.

    // What to watch

    • AI TRAINING: Instapage explicitly discloses training AI models on customer data including content customers send or display through the service. No public opt-out mechanism identified. Review carefully for sensitive use cases.
    • ISO 27001 OVER-CLAIM RISK: The security page claims policy alignment with ISO 27001/2 but no formal certification evidence was found. This is a framework alignment, not a certification. Do not treat as certified.
    • HIPAA AMBIGUITY: A BAA template exists in the Legal Hub (updated December 2025) but third-party healthcare compliance research (2025) states Instapage does not sign BAAs. HIPAA status is unresolved; verify directly with Instapage before any PHI/healthcare use.
    • NO DATA RESIDENCY CHOICE: All data is processed and stored in the United States. EU customers relying on data residency in Europe cannot use Instapage for that requirement.
    • TRUST CENTER CONTENT: The trust center (security.instapage.com) is JavaScript-heavy and could not be fully read by automated scraping. Manual review recommended for due diligence.
    • SOC 2 REPORT AGE: SOC 2 Type I was obtained November 2019, Type II as of May 2020. Public pages do not specify the most recent audit renewal date. Request an up-to-date report from the vendor.

    // At a glance

    Pricing model

    Subscription (monthly/annual), tiered by visitor volume. Create $99/mo, Optimize $199/mo, Convert custom.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Instapage, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.instapage.com

    > Browse all vendor trust reports