// Trust & Security Report
LlamaIndex, Inc.
LlamaIndex (open-source RAG/agent orchestration framework for Python and TypeScript) plus LlamaCloud, the commercial managed platform built on it: LlamaParse (agentic document OCR/parsing), LlamaExtract (structured extraction), and Index/Workflows for building document agents. LiteParse is a separate fully open-source, local-only parsing library with no cloud component.
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.llamaindex.ai“LlamaIndex SOC 2 Type II 2025 (listed report on the LlamaIndex Trust Center); corroborated by: "the platform is GDPR-compliant, SOC 2 Type 2 certified"”
Verify on security.llamaindex.ai“LlamaIndex SOC 2 Type I 2024 (listed report on the LlamaIndex Trust Center resources list, superseded by the 2025 Type II report)”
Verify on llamaindex.ai“Privacy Notice names "Prighter Group with its local partners as our privacy representative" for the EU and provides a data-subject-rights portal; LlamaCloud EU region keeps "all data provided...within the EU region for storage and processing"; Trust Center lists GDPR under Compliance”
Verify on security.llamaindex.ai“Trust Center lists HIPAA under Compliance and the Trust Center's own "Data collected" control flags "Personal health information"; however "Business Associate Agreements (BAAs) are only available for customers on the Enterprise plan" - HIPAA readiness exists but full BAA-backed HIPAA compliance is gated to the Enterprise tier, not available out-of-the-box on lower tiers despite homepage marketing claiming "HIPAA...compliant out-of-the-box"”
> Show 5 unconfirmed / not-held certifications
source: security.llamaindex.aino public evidence: the Trust Center's Compliance section lists only SOC 2, GDPR, and HIPAA as tracked frameworks ("Compliance\nSOC 2\nGDPR\nHIPAA"); ISO 27001 does not appear anywhere on the trust center, docs, or marketing pages
source: llamaindex.aino public evidence; LlamaIndex does not process cardholder data itself - Terms of Service state "We do not view or store your full credit card or other Payment Method information" and route billing through a third-party Payment Processor
source: security.llamaindex.aino public evidence found on the trust center, docs, or marketing pages
source: security.llamaindex.aino public evidence found on the trust center, docs, or marketing pages
source: security.llamaindex.aino public evidence found; no government/public-sector authorization referenced anywhere on vendor site
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
LlamaCloud offers two selectable regions: North America (AWS us-east-1, cloud.llamaindex.ai) and Europe (AWS eu-central-1, cloud.eu.llamaindex.ai). "Data will be stored within the region it is uploaded to" and organizations cannot migrate or mix regions after creation.
Terms of Service (vendor PDF) state verbatim: "We do not train any models on User Content. LlamaIndex will encrypt the User Content both in transit and at rest. Further, LlamaIndex will only retain such User Content and other data provided by you in S3 for up to 48 hours after processing." A separate clause also bars users themselves from using content on the Service for ML/AI training. LlamaExtract's own privacy page repeats: "Your data is kept private and is used only to return your results, never for model training." No tier-based exception found; posture is consistent across ToS and product docs.
// Security controls
Encryption in transit and at rest
Confirmed for User Content processed via LlamaCloud/LlamaParse/LlamaExtract
llamaindex.aiData retention
Uploaded content retained in S3 for up to 48 hours after processing, then deleted; Trust Center control also states "Customer data deleted upon leaving"
llamaindex.aiPenetration testing
Independent penetration test performed with a published executive summary and a documented remediation report (2024)
security.llamaindex.aiSubprocessors
Disclosed subprocessors include AWS (cloud hosting, US/EU), Slack (support/collaboration, US), GitHub (version control, US), Zoom (collaboration, US)
security.llamaindex.aiDeployment flexibility
Enterprise customers can run in LlamaIndex's managed cloud or deploy fully within their own VPC
llamaindex.aiCybersecurity insurance
Trust Center control category confirms cybersecurity insurance is maintained
security.llamaindex.ai// Products & data scope
data: Self-hosted by the user; no data passes through LlamaIndex's own servers unless the developer explicitly wires in a LlamaCloud service
Free, open-source (MIT); the underlying LLM/embedding provider chosen by the developer governs data handling for that layer
data: Customer documents uploaded to LlamaIndex's cloud (region-selectable US or EU); retained up to 48 hours post-processing, not used for model training
SOC 2 Type II, GDPR posture, and HIPAA-track controls apply here; BAA requires Enterprise plan; free tier offers 10,000 credits/month
data: Runs entirely on the user's own machine; "no cloud, no LLM tokens, no limits" - no customer data ever reaches LlamaIndex
Distinct from LlamaParse; useful for privacy-sensitive offline parsing needs
// What to watch
- Homepage marketing states "HIPAA, GDPR, and SOC2 compliant out-of-the-box" without qualification, but vendor documentation clarifies that a signed BAA (required for actual HIPAA-covered use) is only available on the Enterprise plan - this is a marketing overclaim relative to the documented tier gating; listings should show HIPAA as Enterprise-tier only.
- ISO 27001 is not present anywhere on the Trust Center, despite the vendor operating a mature Vanta-style trust center with SOC 2 Type I and Type II reports - do not infer ISO 27001 from the presence of other certs.
- A third-party-looking domain (llamaparse.cloud) surfaced in search results with its own 'Privacy Policy' for a 'LlamaParse Integration' - this does NOT appear to be an official LlamaIndex Inc. domain and was excluded from this assessment as a possible name-alike/unofficial integration; do not attribute its claims to LlamaIndex, Inc.
// At a glance
Pricing model
Freemium/usage-based credits for LlamaParse (10,000 free credits/month) scaling to custom Enterprise pricing with VPC deployment and SLAs; LlamaIndex framework itself is free open-source
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on LlamaIndex, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.llamaindex.ai