// Trust & Security Report
Rocket Science Group LLC (Intuit subsidiary)
Cloud-based email marketing, SMS marketing, automation, and AI-powered analytics platform. Core products: Email campaigns, SMS marketing, marketing automation, AI content generation, predictive analytics, and eCommerce integrations.
Certifications held
6
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on mailchimp.com“Unsere SOC-2-Berichte umfassen Kontrollen in Bezug auf Sicherheit, Verfügbarkeit und Prozessintegrität von Kundendaten.”
Verify on mailchimp.com“Norm 27001 der Internationalen Organisation für Normung (ISO 27001) ist eine Norm für die Informationssicherheit. Zertifizierungen sind drei Jahre lang gültig mit jährlichen Überwachungsprüfungen (Surveillance Audits).”
Verify on mailchimp.com“Mailchimp's credit card processing vendor is certified compliant with Visa Cardholder Information Security and Compliance (CISP), MasterCard® Site Data Protection Program (SDP), and Discovery Information Security and Compliance (DISC).”
Verify on mailchimp.com“Mailchimp is certified under the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework, enabling lawful data transfers from Europe to the US servers with annual re-certification.”
Verify on mailchimp.com“Mailchimp is DSGVO-konform (GDPR compliant). Data Processing Addendum automatically becomes part of standard service terms for customers handling EU-protected data, incorporating Standard Contractual Clauses (SCCs).”
Verify on mailchimp.com“Mailchimp addresses IT accessibility standards through VPAT certification.”
> Show 2 unconfirmed / not-held certifications
source: mailchimp.comMailchimp states that users are responsible for determining whether the Service is suitable for their use in light of obligations under regulations like HIPAA. Mailchimp does not offer a standard Business Associate Agreement; users must contact Mailchimp directly to discuss whether a BAA can be arranged for specific use cases.
source: intuit.comNo public evidence found on vendor domain regarding FedRAMP certification. FedRAMP is not listed in Intuit or Mailchimp's published compliance certifications.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Primary data processing in US; GDPR-compliant transfers via EU-US DPF and SCCs; customers can export data.
Mailchimp's terms permit reviewing content from campaigns and websites for algorithm improvement; they can aggregate and anonymize data and retain ownership of aggregated datasets. Chatbot training can include content from customer transcripts or uploaded documents. No explicit opt-out policy found for general AI model training. Customer data is protected under DPA restrictions, which prohibit uploads of sensitive data (SSN, credit cards, health records, biometric data).
// Security controls
Account Security
Brute-force attack protection, account activity monitoring, automatic lockdowns
mailchimp.comPenetration Testing
Annual external and internal security penetration tests by multiple vendors; high-level server tests, in-depth application vulnerability testing, and social engineering drills
mailchimp.comData Protection
Appropriate technical and organizational security measures; audit reports from independent third-party assessments; annual security documentation reviews
mailchimp.comData Subject Rights
Self-service functions for data access, correction, deletion, restriction; direct requests handled by Mailchimp with notification to customer
mailchimp.comBreach Notification
Immediate notification to customers upon discovery of data breaches
mailchimp.com// Products & data scope
data: Email contacts, campaign content, engagement metrics
Free tier limited to 250 contacts; Essentials (€11.44/mo), Standard (€17.60/mo), Premium (€308.05/mo) with increasing automation and user limits
data: Phone numbers, SMS message content, delivery/engagement data
Add-on to paid email tiers; country-specific with compliance (e.g., HIPAA guidelines in healthcare)
data: Contact behavior, automation triggers, journey data
Available on Standard and Premium tiers; up to 200 automation points on Standard
data: Campaign content, user input to AI models
Intuit Assist (Beta) AI feature; customers report 9.8B+ emails sent with AI-generated content; training data policy unclear
data: Campaign performance, eCommerce data (Shopify, WooCommerce, Wix), revenue data
May 2026 launch; analyzes customer's own connected eCommerce data alongside campaign history
data: Order confirmations, receipts, account notifications
99.99% reported delivery rate; not subject to email limits
// What to watch
- HIPAA BAA not offered: Mailchimp does not provide a standard Business Associate Agreement; use in HIPAA-regulated environments requires direct negotiation and customer responsibility for compliance.
- AI training data policy unclear: Terms permit content review and data aggregation; chatbot training may use customer transcripts. No explicit opt-out for general AI model improvement found.
- No FedRAMP certification: Not expected for commercial cloud product; only relevant for federal government cloud requirements.
- Identity confirmed: Mailchimp is a Rocket Science Group LLC product, acquired by Intuit. Legal entity and trust center are on mailchimp.com domain (vendor domain proof available).
- Privacy policy hosted on Intuit domain: Primary privacy statement is at intuit.com/privacy/ rather than mailchimp.com, but DPA and GDPR pages are on mailchimp.com.
- Data restrictions in place: DPA explicitly prohibits uploading sensitive data (SSN, credit cards, health records, biometric, genetic data, race/religion/criminal history).
// At a glance
Pricing model
Freemium with tiered subscriptions (€0-€308.05/month) or pay-as-you-go email credits
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Rocket Science Group LLC (Intuit subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
mailchimp.com