// Trust & Security Report
Iterable, Inc.
AI-powered cross-channel customer engagement platform (email, SMS, push, in-app, WhatsApp) with a Nova AI layer (Nova Insights, Nova Decisioning, Nova Agents / branded elsewhere as Next Best Action, Iterable Agent, Copy Assist) and a reverse-ETL Data Sync product.
Certifications held
6
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.iterable.com“Built on a foundation of enterprise-grade trust, Iterable maintains the highest global standards for data security, including SOC 2, ISO 27001, and HIPAA compliance. ... Certifications: SOC 2 Type 2”
Verify on trust.iterable.com“Iterable's updated ISO 27001:2022 Certification is now available for review upon request. ... This certification is valid until August 23, 2028. (Trust Center also lists 'ISO-27001' as a held certification and offers 'ISO 27001 Certification' and 'ISO 27001 Controls and Statement of Applicability' as requestable documents.)”
Verify on trust.iterable.com“Iterable maintains the highest global standards for data security, including SOC 2, ISO 27001, and HIPAA compliance... Our current SOC 2 Type II and HIPAA Audit reports are now available. Document available: 'Iterable HIPAA Type 1 Report'. IMPORTANT CAVEAT: the separate 'Additional AI Terms of Use' explicitly states 'Iterable AI is not HIPAA compliant' and prohibits submitting health information to the AI features (Next Best Action, Iterable Agent, Copy Assist).”
Verify on iterable.com“Customers of the Iterable services are the Data Controller and Iterable is the Data Processor. ... Iterable addresses international data transfers by offering European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements.”
Verify on trust.iterable.com“EU – US Data Privacy Framework (DPF) - self-certified. (Trust Center lists 'Data Privacy Framework' as a held certification with a downloadable 'Data Privacy Framework Certification' document.)”
Verify on trust.iterable.com“Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certifications across 8 countries. Trust Center lists 'Global Cross-Border Privacy Rules' and 'Global Privacy Rules for Processors' as held, with 'APEC_Processor_Global_PRP certification' and 'APEC_Controller_Global_CBPR certification' documents available.”
> Show 5 unconfirmed / not-held certifications
source: trust.iterable.comNo public evidence. PCI DSS is not listed in the Trust Center's certifications list (SOC 2 Type 2, ISO-27001, HIPAA, Data Privacy Framework, Global Cross-Border Privacy Rules, Global Privacy Rules for Processors) and Iterable does not process cardholder payment data as part of its core marketing/CDP product.
source: trust.iterable.comNo public evidence of ISO 42001 certification. The Trust Center's 'AI at Iterable' control category references internal documents ('Responsible AI at Iterable', 'AI Internal Use Policy') rather than a third-party ISO 42001 certificate, and no ISO 42001 cert is listed among the Trust Center's named certifications.
source: trust.iterable.comNo public evidence. Not listed among Trust Center certifications.
source: trust.iterable.comNo public evidence. Not listed among Trust Center certifications; no FedRAMP marketplace listing found.
source: trust.iterable.comNo public evidence. Only 'ISO-27001' is listed in the Trust Center; no ISO 27017 (cloud security), 27018 (cloud PII), or 27701 (privacy information management) certificate is named or offered as a document.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
US-hosted primary infrastructure (subprocessor list includes an 'Infrastructure as a service' provider, not named in public trust center text); EU-US Data Privacy Framework and Standard Contractual Clauses used for cross-border transfers; CBPR/PRP certifications cover 8 countries. No explicit EU-only or in-region hosting option disclosed in the material reviewed.
No explicit public statement confirms or denies training foundation models on customer data. Iterable's general security page states 'Customers own their data, not Iterable' with 'no scanning, selling, or sharing' (https://iterable.com/legal/iterable-security-compliance/), which argues against training use. However, the core Terms of Service separately grant Iterable 'a non-exclusive, worldwide, royalty-free, transferable right to use, modify, reproduce, and display' Customer Data 'to provide the selected services and improve the services' (https://iterable.com/legal/terms/) - a broad clause common in SaaS ToS that is not explicitly scoped to exclude AI/model training. For the AI features specifically (Next Best Action, Iterable Agent, Copy Assist - powered by OpenAI per https://iterable.com/legal/additional-ai-terms-of-use/), customers are contractually prohibited from submitting personal data, information about minors, financial information, sensitive/regulated information, or health information, and the terms state 'Iterable AI is not HIPAA compliant.' No public opt-out toggle for AI training was found; the practical mitigation is the input restriction itself. Net: no evidence of training on customer data, but no explicit 'we do not train on your data' guarantee either - flagged for follow-up.
// Security controls
Authentication
Two-factor authentication (2FA) required for system access; SSO supported per Trust Center 'User Authentication' / 'Roles and permissions' controls
iterable.comAccess model
Least-privilege / need-to-know authorization, quarterly user access reviews for critical systems
iterable.comIndependent audits
Annual SOC 2 Type II, ISO 27001, HIPAA, and CBPR/PRP audits; 2025 and 2026 third-party application penetration test reports available on request
trust.iterable.comData retention/erasure
Backups enabled; documented data retention and erasure controls; data deleted on relationship termination; customers can export their own data without additional fees
trust.iterable.com// Products & data scope
data: Customer/marketing PII, behavioral and product-usage event data
In scope for SOC 2 Type II, ISO 27001, and HIPAA (with signed BAA) per the Trust Center.
data: Marketing copy, campaign/journey configuration signals; customers are contractually barred from submitting personal data, minors' data, financial data, sensitive/regulated data, or health information
Explicitly out of HIPAA scope: 'Iterable AI is not HIPAA compliant' per the Additional AI Terms of Use. No SLA; content accuracy not guaranteed; usage must also comply with OpenAI's usage policies.
data: Transfers Iterable-held customer data to a customer-chosen destination
Listed as a distinct subprocessor category in the Trust Center; same core compliance scope as the main platform.
// What to watch
- HIPAA scope caveat: the Trust Center and marketing copy present HIPAA compliance as a blanket platform attribute, but Iterable's own 'Additional AI Terms of Use' states 'Iterable AI is not HIPAA compliant' and bars submission of health information to the AI features - a listing that shows only 'HIPAA: Yes' without this caveat would overstate the AI product's compliance.
- Possible ToS/security-page tension on data use: the general security page states customer data is not scanned, sold, or shared, while the core Terms of Service grant Iterable a broad worldwide license to 'use, modify, reproduce, and display' Customer Data to 'improve the services' - the two statements are not flatly contradictory but are in tension and neither explicitly addresses AI/model training, so trains_on_customer_data is graded null rather than false.
- OpenAI is used as the LLM subprocessor for Iterable's AI features (Next Best Action, Iterable Agent, Copy Assist) per the Additional AI Terms of Use; this was not surfaced in the Trust Center's public certification summary and is only visible in a separate legal document.
- Several Trust Center documents (SOC 2 report, ISO 27001 certificate and SoA, HIPAA report, DPF certification, pentest reports, policy TOCs) are gated behind a 'Request access' flow and could not be independently opened to verify contents beyond the listing titles and the accompanying blog-style update posts on trust.iterable.com.
// At a glance
Pricing model
Custom/enterprise quote (demo-gated, no public self-serve pricing found)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Iterable, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.iterable.com