// Trust & Security Report
Klaviyo, Inc.
B2C CRM and marketing automation platform (email, SMS, RCS, WhatsApp, push), customer data platform (KDP/CDP), analytics, service/helpdesk, and AI agents
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.klaviyo.com“Badges: SOC 2 Type II ... Featured Documents: Klaviyo Letter of Attestation 2025, Klaviyo Information Security Policy, Klaviyo 2025 Type 2 SOC 2”
Verify on trust.klaviyo.com“Badges: SOC 2 Type II / ISO 27001 / ISO 27017 / PCI:DSS / GDPR / CCPA”
Verify on klaviyo.com“As a data processor, Klaviyo offers tools and functionality that enable our customers to meet their key data privacy compliance requirements for GDPR, CCPA, and beyond.”
Verify on klaviyo.com“Klaviyo does not sell OR share with third parties Customer Personal Data / Personally Identifiable Information (PII) from our Customers' end-consumer lists provided to the Klaviyo platform in accordance with California's CCPA/CPRA.”
Verify on privacy.klaviyo.com“12. EU-US DATA PRIVACY FRAMEWORK, BRITISCHE ERWEITERUNG ZUM EU-US DATA PRIVACY FRAMEWORK UND SCHWEIZ-US DATA PRIVACY FRAMEWORK”
> Show 1 unconfirmed / not-held certifications
source: trust.klaviyo.comNo HIPAA badge or attestation is listed among the Trust Center badges (SOC 2 Type II, ISO 27001, ISO 27017, PCI:DSS, GDPR, CCPA); Klaviyo is a B2C marketing/CRM platform not positioned for PHI.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily United States (Amazon/AWS cloud hosting). Most subprocessors process in the US; some communications/support subprocessors (Cloudflare, Infobip, Meta/WhatsApp, Zendesk, Concentrix, Microsoft) process in the EEA/UK and other global locations.
Klaviyo states it 'solely uses Customer Personal Data to provide the services to those Customers and not for the benefit of its other Customers,' and 'may use aggregated and de-identified data, which does not identify specific Customers or individuals to improve the services, generally.' It does not sell or share end-consumer PII. AI features (Composer, Marketing Agent, Customer Agent, K:AI) are powered partly by third-party subprocessors Anthropic and OpenAI (listed for 'AI Features and Functionality; Customer Support'). The privacy FAQ does not explicitly state customer end-consumer data is excluded from model training beyond the 'not for the benefit of other customers' and 'aggregated/de-identified only' commitments, so customers handling sensitive data should review the DPA and AI terms for product-specific scope.
// Security controls
Annual third-party penetration testing
Yes. Annual third-party pen testing plus an internal Offensive Security team performing ongoing targeted testing.
klaviyo.comBug bounty / vulnerability disclosure
Yes. Runs a bug bounty program with external security researchers; vulnerability reporting at klaviyo.com/security/bug-reporting. Trust Center confirms 'Has a bug bounty or vulnerability disclosure program.' (Platform not publicly named as HackerOne/Bugcrowd in evidence.)
klaviyo.comEncryption / endpoint security
Secure-by-default endpoint configurations including disk encryption, MDM, anti-malware, software updates, and removable-media restrictions.
klaviyo.comIdentity & access (workforce)
Centralized SSO for internal systems with least-privilege access reviews; centralized IAM (SSO) per Trust Center.
klaviyo.comCustomer-facing account security
MFA, SSO, just-in-time provisioning, role-based permissions; API security via API keys and OAuth with feature-specific permission scopes.
klaviyo.comDisaster recovery / resilience
Has a disaster recovery plan, cyber insurance, status page, and MDM program (per Trust Center quick summary).
trust.klaviyo.comSubprocessor transparency
Public subprocessor list of 25 (Conveyor-hosted), last updated May 15, 2026, including AWS, Cloudflare, Twilio, Anthropic, OpenAI, Zendesk, Snowflake.
trust.klaviyo.comData deletion
Deletes customer data on request; provides consent management and access/deletion rights-request tooling for GDPR/CCPA.
trust.klaviyo.com// Products & data scope
data: Processes end-consumer PII (emails, phone numbers, behavioral/event data) on behalf of customers; Klaviyo acts as data processor. WhatsApp routed via Meta and Twilio/Infobip subprocessors.
Core product. GDPR/CCPA tooling for consent and rights requests.
data: Unifies behavioral, transactional, and engagement data in real time; large-scale event/profile store (billions of profiles/events).
Central data layer feeding all channels and AI.
data: Generates campaigns and autonomous customer support using customer data; powered in part by third-party LLM subprocessors Anthropic and OpenAI (listed for AI Features and Functionality).
Newer/beta capabilities (Composer beta). Customers with sensitive data should review AI-specific terms and the subprocessor list; aggregated/de-identified data may be used to improve services.
data: Support interactions and customer profiles; uses support subprocessors (Zendesk, Concentrix, Ada, Glean, Loom optional call recording).
Unified with marketing data.
data: Aggregated campaign and revenue analytics over the customer's own data set.
No separate compliance scope beyond core platform.
// What to watch
- Mature, publicly traded (NYSE: KVYO) enterprise vendor with a full Conveyor-backed Trust Center and current SOC 2 Type II + ISO 27001/27017 + PCI DSS.
- AI agent features (Composer/Marketing Agent/Customer Agent) rely on third-party LLM subprocessors Anthropic and OpenAI; reviewers handling sensitive end-consumer data should confirm AI data-use scope in the DPA and AI terms.
- Klaviyo acts as data PROCESSOR for end-consumer data and CONTROLLER for account-holder data; not HIPAA-positioned, so not suitable for PHI workloads.
- No customer-selectable EU data residency surfaced in evidence; data is primarily US-hosted with global messaging/support subprocessors.
// At a glance
Pricing model
Freemium plus usage-based: free tier with paid plans scaling by number of contacts/profiles and channels (email/SMS); custom enterprise contracts.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Klaviyo, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.klaviyo.com