// Trust & Security Report

    Rocket Science Group LLC (Intuit subsidiary) logo

    Rocket Science Group LLC (Intuit subsidiary)

    Cloud-based email marketing, SMS marketing, automation, and AI-powered analytics platform. Core products: Email campaigns, SMS marketing, marketing automation, AI content generation, predictive analytics, and eCommerce integrations.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 (Type 1 & 2)
    HELD

    Unsere SOC-2-Berichte umfassen Kontrollen in Bezug auf Sicherheit, Verfügbarkeit und Prozessintegrität von Kundendaten.

    Verify on mailchimp.com
    ISO 27001
    HELD

    Norm 27001 der Internationalen Organisation für Normung (ISO 27001) ist eine Norm für die Informationssicherheit. Zertifizierungen sind drei Jahre lang gültig mit jährlichen Überwachungsprüfungen (Surveillance Audits).

    Verify on mailchimp.com
    PCI DSS (Payment Card Industry Data Security Standard)
    HELD

    Mailchimp's credit card processing vendor is certified compliant with Visa Cardholder Information Security and Compliance (CISP), MasterCard® Site Data Protection Program (SDP), and Discovery Information Security and Compliance (DISC).

    Verify on mailchimp.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Mailchimp is certified under the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework, enabling lawful data transfers from Europe to the US servers with annual re-certification.

    Verify on mailchimp.com
    GDPR Compliance
    HELD

    Mailchimp is DSGVO-konform (GDPR compliant). Data Processing Addendum automatically becomes part of standard service terms for customers handling EU-protected data, incorporating Standard Contractual Clauses (SCCs).

    Verify on mailchimp.com
    VPAT (Voluntary Product Accessibility Template)
    HELD

    Mailchimp addresses IT accessibility standards through VPAT certification.

    Verify on mailchimp.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA Business Associate Agreement (BAA)
    NOT CONFIRMED

    Mailchimp states that users are responsible for determining whether the Service is suitable for their use in light of obligations under regulations like HIPAA. Mailchimp does not offer a standard Business Associate Agreement; users must contact Mailchimp directly to discuss whether a BAA can be arranged for specific use cases.

    source: mailchimp.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on vendor domain regarding FedRAMP certification. FedRAMP is not listed in Intuit or Mailchimp's published compliance certifications.

    source: intuit.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primary data processing in US; GDPR-compliant transfers via EU-US DPF and SCCs; customers can export data.

    Mailchimp's terms permit reviewing content from campaigns and websites for algorithm improvement; they can aggregate and anonymize data and retain ownership of aggregated datasets. Chatbot training can include content from customer transcripts or uploaded documents. No explicit opt-out policy found for general AI model training. Customer data is protected under DPA restrictions, which prohibit uploads of sensitive data (SSN, credit cards, health records, biometric data).

    // Security controls

    Encryption in Transit

    TLS 1.2+ encryption for all communications

    mailchimp.com

    Encryption at Rest

    Password encryption (non-recoverable by staff)

    mailchimp.com

    Multi-Factor Authentication

    Two-factor authentication (2FA) capability available

    mailchimp.com

    Account Security

    Brute-force attack protection, account activity monitoring, automatic lockdowns

    mailchimp.com

    Penetration Testing

    Annual external and internal security penetration tests by multiple vendors; high-level server tests, in-depth application vulnerability testing, and social engineering drills

    mailchimp.com

    Data Protection

    Appropriate technical and organizational security measures; audit reports from independent third-party assessments; annual security documentation reviews

    mailchimp.com

    Data Subject Rights

    Self-service functions for data access, correction, deletion, restriction; direct requests handled by Mailchimp with notification to customer

    mailchimp.com

    Breach Notification

    Immediate notification to customers upon discovery of data breaches

    mailchimp.com

    // Products & data scope

    Email MarketingCore email campaign delivery and design

    data: Email contacts, campaign content, engagement metrics

    Free tier limited to 250 contacts; Essentials (€11.44/mo), Standard (€17.60/mo), Premium (€308.05/mo) with increasing automation and user limits

    SMS MarketingSMS campaign delivery

    data: Phone numbers, SMS message content, delivery/engagement data

    Add-on to paid email tiers; country-specific with compliance (e.g., HIPAA guidelines in healthcare)

    Marketing AutomationWorkflow automation and customer journey

    data: Contact behavior, automation triggers, journey data

    Available on Standard and Premium tiers; up to 200 automation points on Standard

    AI Content GenerationGenerative AI for email and content creation

    data: Campaign content, user input to AI models

    Intuit Assist (Beta) AI feature; customers report 9.8B+ emails sent with AI-generated content; training data policy unclear

    Analytics AIConversational analytics and reporting

    data: Campaign performance, eCommerce data (Shopify, WooCommerce, Wix), revenue data

    May 2026 launch; analyzes customer's own connected eCommerce data alongside campaign history

    Transactional EmailAutomated transactional messaging

    data: Order confirmations, receipts, account notifications

    99.99% reported delivery rate; not subject to email limits

    // What to watch

    • HIPAA BAA not offered: Mailchimp does not provide a standard Business Associate Agreement; use in HIPAA-regulated environments requires direct negotiation and customer responsibility for compliance.
    • AI training data policy unclear: Terms permit content review and data aggregation; chatbot training may use customer transcripts. No explicit opt-out for general AI model improvement found.
    • No FedRAMP certification: Not expected for commercial cloud product; only relevant for federal government cloud requirements.
    • Identity confirmed: Mailchimp is a Rocket Science Group LLC product, acquired by Intuit. Legal entity and trust center are on mailchimp.com domain (vendor domain proof available).
    • Privacy policy hosted on Intuit domain: Primary privacy statement is at intuit.com/privacy/ rather than mailchimp.com, but DPA and GDPR pages are on mailchimp.com.
    • Data restrictions in place: DPA explicitly prohibits uploading sensitive data (SSN, credit cards, health records, biometric, genetic data, race/religion/criminal history).

    // At a glance

    Pricing model

    Freemium with tiered subscriptions (€0-€308.05/month) or pay-as-you-go email credits

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Rocket Science Group LLC (Intuit subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    mailchimp.com

    > Browse all vendor trust reports