// Trust & Security Report

    Klaviyo, Inc. logo

    Klaviyo, Inc.

    B2C CRM and marketing automation platform (email, SMS, RCS, WhatsApp, push), customer data platform (KDP/CDP), analytics, service/helpdesk, and AI agents

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Badges: SOC 2 Type II ... Featured Documents: Klaviyo Letter of Attestation 2025, Klaviyo Information Security Policy, Klaviyo 2025 Type 2 SOC 2

    Verify on trust.klaviyo.com
    ISO 27001
    HELD

    Badges: SOC 2 Type II / ISO 27001 / ISO 27017 / PCI:DSS / GDPR / CCPA

    Verify on trust.klaviyo.com
    ISO 27017
    HELD

    Badges: ... ISO 27017 ...

    Verify on trust.klaviyo.com
    PCI DSS
    HELD

    Badges: ... PCI:DSS ...

    Verify on trust.klaviyo.com
    GDPR (compliance posture, not a certification)
    HELD

    As a data processor, Klaviyo offers tools and functionality that enable our customers to meet their key data privacy compliance requirements for GDPR, CCPA, and beyond.

    Verify on klaviyo.com
    CCPA/CPRA (compliance posture)
    HELD

    Klaviyo does not sell OR share with third parties Customer Personal Data / Personally Identifiable Information (PII) from our Customers' end-consumer lists provided to the Klaviyo platform in accordance with California's CCPA/CPRA.

    Verify on klaviyo.com
    EU-US / UK / Swiss Data Privacy Framework
    HELD

    12. EU-US DATA PRIVACY FRAMEWORK, BRITISCHE ERWEITERUNG ZUM EU-US DATA PRIVACY FRAMEWORK UND SCHWEIZ-US DATA PRIVACY FRAMEWORK

    Verify on privacy.klaviyo.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA badge or attestation is listed among the Trust Center badges (SOC 2 Type II, ISO 27001, ISO 27017, PCI:DSS, GDPR, CCPA); Klaviyo is a B2C marketing/CRM platform not positioned for PHI.

    source: trust.klaviyo.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily United States (Amazon/AWS cloud hosting). Most subprocessors process in the US; some communications/support subprocessors (Cloudflare, Infobip, Meta/WhatsApp, Zendesk, Concentrix, Microsoft) process in the EEA/UK and other global locations.

    Klaviyo states it 'solely uses Customer Personal Data to provide the services to those Customers and not for the benefit of its other Customers,' and 'may use aggregated and de-identified data, which does not identify specific Customers or individuals to improve the services, generally.' It does not sell or share end-consumer PII. AI features (Composer, Marketing Agent, Customer Agent, K:AI) are powered partly by third-party subprocessors Anthropic and OpenAI (listed for 'AI Features and Functionality; Customer Support'). The privacy FAQ does not explicitly state customer end-consumer data is excluded from model training beyond the 'not for the benefit of other customers' and 'aggregated/de-identified only' commitments, so customers handling sensitive data should review the DPA and AI terms for product-specific scope.

    // Security controls

    Annual third-party penetration testing

    Yes. Annual third-party pen testing plus an internal Offensive Security team performing ongoing targeted testing.

    klaviyo.com

    Bug bounty / vulnerability disclosure

    Yes. Runs a bug bounty program with external security researchers; vulnerability reporting at klaviyo.com/security/bug-reporting. Trust Center confirms 'Has a bug bounty or vulnerability disclosure program.' (Platform not publicly named as HackerOne/Bugcrowd in evidence.)

    klaviyo.com

    Encryption / endpoint security

    Secure-by-default endpoint configurations including disk encryption, MDM, anti-malware, software updates, and removable-media restrictions.

    klaviyo.com

    Identity & access (workforce)

    Centralized SSO for internal systems with least-privilege access reviews; centralized IAM (SSO) per Trust Center.

    klaviyo.com

    Customer-facing account security

    MFA, SSO, just-in-time provisioning, role-based permissions; API security via API keys and OAuth with feature-specific permission scopes.

    klaviyo.com

    Disaster recovery / resilience

    Has a disaster recovery plan, cyber insurance, status page, and MDM program (per Trust Center quick summary).

    trust.klaviyo.com

    Subprocessor transparency

    Public subprocessor list of 25 (Conveyor-hosted), last updated May 15, 2026, including AWS, Cloudflare, Twilio, Anthropic, OpenAI, Zendesk, Snowflake.

    trust.klaviyo.com

    Data deletion

    Deletes customer data on request; provides consent management and access/deletion rights-request tooling for GDPR/CCPA.

    trust.klaviyo.com

    // Products & data scope

    Klaviyo Marketing / Omnichannel (Email, SMS, RCS, WhatsApp, Push)Marketing automation

    data: Processes end-consumer PII (emails, phone numbers, behavioral/event data) on behalf of customers; Klaviyo acts as data processor. WhatsApp routed via Meta and Twilio/Infobip subprocessors.

    Core product. GDPR/CCPA tooling for consent and rights requests.

    Klaviyo Data Platform (KDP/CDP)Customer data platform

    data: Unifies behavioral, transactional, and engagement data in real time; large-scale event/profile store (billions of profiles/events).

    Central data layer feeding all channels and AI.

    Klaviyo AI (K:AI) - Composer, Marketing Agent, Customer AgentGenerative AI agents

    data: Generates campaigns and autonomous customer support using customer data; powered in part by third-party LLM subprocessors Anthropic and OpenAI (listed for AI Features and Functionality).

    Newer/beta capabilities (Composer beta). Customers with sensitive data should review AI-specific terms and the subprocessor list; aggregated/de-identified data may be used to improve services.

    Klaviyo Service / Helpdesk + Customer HubCustomer service

    data: Support interactions and customer profiles; uses support subprocessors (Zendesk, Concentrix, Ada, Glean, Loom optional call recording).

    Unified with marketing data.

    Klaviyo AnalyticsAnalytics / reporting

    data: Aggregated campaign and revenue analytics over the customer's own data set.

    No separate compliance scope beyond core platform.

    // What to watch

    • Mature, publicly traded (NYSE: KVYO) enterprise vendor with a full Conveyor-backed Trust Center and current SOC 2 Type II + ISO 27001/27017 + PCI DSS.
    • AI agent features (Composer/Marketing Agent/Customer Agent) rely on third-party LLM subprocessors Anthropic and OpenAI; reviewers handling sensitive end-consumer data should confirm AI data-use scope in the DPA and AI terms.
    • Klaviyo acts as data PROCESSOR for end-consumer data and CONTROLLER for account-holder data; not HIPAA-positioned, so not suitable for PHI workloads.
    • No customer-selectable EU data residency surfaced in evidence; data is primarily US-hosted with global messaging/support subprocessors.

    // At a glance

    Pricing model

    Freemium plus usage-based: free tier with paid plans scaling by number of contacts/profiles and channels (email/SMS); custom enterprise contracts.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Klaviyo, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.klaviyo.com

    > Browse all vendor trust reports