// Trust & Security Report

    Iterable, Inc. logo

    Iterable, Inc.

    AI-powered cross-channel customer engagement platform (email, SMS, push, in-app, WhatsApp) with a Nova AI layer (Nova Insights, Nova Decisioning, Nova Agents / branded elsewhere as Next Best Action, Iterable Agent, Copy Assist) and a reverse-ETL Data Sync product.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Built on a foundation of enterprise-grade trust, Iterable maintains the highest global standards for data security, including SOC 2, ISO 27001, and HIPAA compliance. ... Certifications: SOC 2 Type 2

    Verify on trust.iterable.com
    ISO 27001
    HELD

    Iterable's updated ISO 27001:2022 Certification is now available for review upon request. ... This certification is valid until August 23, 2028. (Trust Center also lists 'ISO-27001' as a held certification and offers 'ISO 27001 Certification' and 'ISO 27001 Controls and Statement of Applicability' as requestable documents.)

    Verify on trust.iterable.com
    HIPAA (core platform only)
    HELD

    Iterable maintains the highest global standards for data security, including SOC 2, ISO 27001, and HIPAA compliance... Our current SOC 2 Type II and HIPAA Audit reports are now available. Document available: 'Iterable HIPAA Type 1 Report'. IMPORTANT CAVEAT: the separate 'Additional AI Terms of Use' explicitly states 'Iterable AI is not HIPAA compliant' and prohibits submitting health information to the AI features (Next Best Action, Iterable Agent, Copy Assist).

    Verify on trust.iterable.com
    GDPR (compliance posture, not a certification)
    HELD

    Customers of the Iterable services are the Data Controller and Iterable is the Data Processor. ... Iterable addresses international data transfers by offering European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements.

    Verify on iterable.com
    EU-US Data Privacy Framework (DPF)
    HELD

    EU – US Data Privacy Framework (DPF) - self-certified. (Trust Center lists 'Data Privacy Framework' as a held certification with a downloadable 'Data Privacy Framework Certification' document.)

    Verify on trust.iterable.com
    Global Cross-Border Privacy Rules (CBPR) / Privacy Recognition for Processors (PRP)
    HELD

    Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certifications across 8 countries. Trust Center lists 'Global Cross-Border Privacy Rules' and 'Global Privacy Rules for Processors' as held, with 'APEC_Processor_Global_PRP certification' and 'APEC_Controller_Global_CBPR certification' documents available.

    Verify on trust.iterable.com
    > Show 5 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence. PCI DSS is not listed in the Trust Center's certifications list (SOC 2 Type 2, ISO-27001, HIPAA, Data Privacy Framework, Global Cross-Border Privacy Rules, Global Privacy Rules for Processors) and Iterable does not process cardholder payment data as part of its core marketing/CDP product.

    source: trust.iterable.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification. The Trust Center's 'AI at Iterable' control category references internal documents ('Responsible AI at Iterable', 'AI Internal Use Policy') rather than a third-party ISO 42001 certificate, and no ISO 42001 cert is listed among the Trust Center's named certifications.

    source: trust.iterable.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not listed among Trust Center certifications.

    source: trust.iterable.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not listed among Trust Center certifications; no FedRAMP marketplace listing found.

    source: trust.iterable.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. Only 'ISO-27001' is listed in the Trust Center; no ISO 27017 (cloud security), 27018 (cloud PII), or 27701 (privacy information management) certificate is named or offered as a document.

    source: trust.iterable.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    US-hosted primary infrastructure (subprocessor list includes an 'Infrastructure as a service' provider, not named in public trust center text); EU-US Data Privacy Framework and Standard Contractual Clauses used for cross-border transfers; CBPR/PRP certifications cover 8 countries. No explicit EU-only or in-region hosting option disclosed in the material reviewed.

    No explicit public statement confirms or denies training foundation models on customer data. Iterable's general security page states 'Customers own their data, not Iterable' with 'no scanning, selling, or sharing' (https://iterable.com/legal/iterable-security-compliance/), which argues against training use. However, the core Terms of Service separately grant Iterable 'a non-exclusive, worldwide, royalty-free, transferable right to use, modify, reproduce, and display' Customer Data 'to provide the selected services and improve the services' (https://iterable.com/legal/terms/) - a broad clause common in SaaS ToS that is not explicitly scoped to exclude AI/model training. For the AI features specifically (Next Best Action, Iterable Agent, Copy Assist - powered by OpenAI per https://iterable.com/legal/additional-ai-terms-of-use/), customers are contractually prohibited from submitting personal data, information about minors, financial information, sensitive/regulated information, or health information, and the terms state 'Iterable AI is not HIPAA compliant.' No public opt-out toggle for AI training was found; the practical mitigation is the input restriction itself. Net: no evidence of training on customer data, but no explicit 'we do not train on your data' guarantee either - flagged for follow-up.

    // Security controls

    Encryption in transit

    TLS 1.2

    iterable.com

    Encryption at rest

    AES-256 for customer PII

    iterable.com

    Authentication

    Two-factor authentication (2FA) required for system access; SSO supported per Trust Center 'User Authentication' / 'Roles and permissions' controls

    iterable.com

    Access model

    Least-privilege / need-to-know authorization, quarterly user access reviews for critical systems

    iterable.com

    Independent audits

    Annual SOC 2 Type II, ISO 27001, HIPAA, and CBPR/PRP audits; 2025 and 2026 third-party application penetration test reports available on request

    trust.iterable.com

    Data retention/erasure

    Backups enabled; documented data retention and erasure controls; data deleted on relationship termination; customers can export their own data without additional fees

    trust.iterable.com

    // Products & data scope

    Iterable Core Engagement PlatformCross-channel customer engagement / CDP (email, SMS, push, in-app, WhatsApp, journeys)

    data: Customer/marketing PII, behavioral and product-usage event data

    In scope for SOC 2 Type II, ISO 27001, and HIPAA (with signed BAA) per the Trust Center.

    Nova AI / Next Best Action / Iterable Agent / Copy Assist (AI features)Generative AI and decisioning layer (beta for some sub-features), powered by OpenAI as a third-party LLM subprocessor

    data: Marketing copy, campaign/journey configuration signals; customers are contractually barred from submitting personal data, minors' data, financial data, sensitive/regulated data, or health information

    Explicitly out of HIPAA scope: 'Iterable AI is not HIPAA compliant' per the Additional AI Terms of Use. No SLA; content accuracy not guaranteed; usage must also comply with OpenAI's usage policies.

    Data Sync (reverse ETL)Data pipeline / integration

    data: Transfers Iterable-held customer data to a customer-chosen destination

    Listed as a distinct subprocessor category in the Trust Center; same core compliance scope as the main platform.

    // What to watch

    • HIPAA scope caveat: the Trust Center and marketing copy present HIPAA compliance as a blanket platform attribute, but Iterable's own 'Additional AI Terms of Use' states 'Iterable AI is not HIPAA compliant' and bars submission of health information to the AI features - a listing that shows only 'HIPAA: Yes' without this caveat would overstate the AI product's compliance.
    • Possible ToS/security-page tension on data use: the general security page states customer data is not scanned, sold, or shared, while the core Terms of Service grant Iterable a broad worldwide license to 'use, modify, reproduce, and display' Customer Data to 'improve the services' - the two statements are not flatly contradictory but are in tension and neither explicitly addresses AI/model training, so trains_on_customer_data is graded null rather than false.
    • OpenAI is used as the LLM subprocessor for Iterable's AI features (Next Best Action, Iterable Agent, Copy Assist) per the Additional AI Terms of Use; this was not surfaced in the Trust Center's public certification summary and is only visible in a separate legal document.
    • Several Trust Center documents (SOC 2 report, ISO 27001 certificate and SoA, HIPAA report, DPF certification, pentest reports, policy TOCs) are gated behind a 'Request access' flow and could not be independently opened to verify contents beyond the listing titles and the accompanying blog-style update posts on trust.iterable.com.

    // At a glance

    Pricing model

    Custom/enterprise quote (demo-gated, no public self-serve pricing found)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Iterable, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.iterable.com

    > Browse all vendor trust reports