// Trust & Security Report

    Make (part of Celonis, Inc.) logo

    Make (part of Celonis, Inc.)

    Visual AI automation platform with 3000+ pre-built app integrations, AI agents, MCP Server, and enterprise orchestration (Make Grid); supports drag-and-drop, code, or prompt-based automation.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We have completed SOC 2 Type II and SOC 3 audits.

    Verify on make.com
    SOC 3
    HELD

    We have completed SOC 2 Type II and SOC 3 audits. A public summary report [is] available.

    Verify on make.com
    ISO 27001
    HELD

    We operate under an information security program that is ISO 27001 certified.

    Verify on make.com
    GDPR
    HELD

    Along with GDPR adherence, we have completed SOC 2 Type II and SOC 3 audits.

    Verify on make.com
    > Show 9 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability; community forum discussions confirm Make does not offer HIPAA compliance.

    source: community.make.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found on vendor domain.

    ISO 27017
    NOT CONFIRMED

    No public evidence found on vendor domain.

    ISO 27018
    NOT CONFIRMED

    No public evidence found on vendor domain.

    ISO 27701
    NOT CONFIRMED

    No public evidence found on vendor domain.

    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found on vendor domain.

    CSA STAR
    NOT CONFIRMED

    Mentioned in market research but no direct vendor-domain proof found on make.com security pages.

    source: make.com
    TISAX
    NOT CONFIRMED

    Mentioned in market research but no direct vendor-domain proof found on make.com security pages.

    source: make.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on vendor domain.

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS (US and EU options available for GDPR compliance)

    Make explicitly does not train on customer data. Privacy notice states: 'Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.' Customer data used only for service delivery, aggregated/anonymized analytics, security, and compliance.

    // Security controls

    Encryption in transit

    TLS 1.2 and TLS 1.3 with AES 256 encryption

    make.com

    Encryption at rest

    Full-disk encryption using AES-256 algorithm; AWS Key Management Service (KMS) for key management

    make.com

    Authentication

    SSO via Google, Facebook, GitHub; Enterprise SSO option available

    make.com

    Access Control

    VPN-required hosting environment; no direct public internet access to infrastructure

    make.com

    Infrastructure

    Amazon AWS EC2 private instances in VPC; multi-zone deployment

    make.com

    Penetration Testing

    Regular independent third-party penetration testing

    make.com

    Static Application Security Testing

    SAST integrated in development lifecycle

    make.com

    Code Standards

    OWASP (Open Web Application Security Project) coding standards adherence

    make.com

    Uptime SLA

    99.5% Cloud Service Uptime for Enterprise customers

    make.com

    Data Retention

    Personal information retained only as long as necessary for stated purposes; customer deletion requests honored

    make.com

    Employee Data Training

    Mandatory annual data privacy training for all employees

    make.com

    // Products & data scope

    Make PlatformWorkflow Automation & Integration

    data: Customer automation data, integration configurations, execution logs

    Core product; 3000+ pre-built app integrations; free plan available with no credit card required

    Make AI AgentsAI Automation

    data: Agent configurations, execution logs, orchestration data

    AI-powered agents that orchestrate workflows across 3000+ apps; 400+ pre-built AI app integrations

    Make GridAutomation Governance

    data: Automation landscape metadata, visibility data

    Visual orchestration and management of entire automation landscape

    Make MCP ServerIntegration/Protocol

    data: MCP protocol traffic, connected application data

    Model Context Protocol server for AI integration; allows AI to connect to real business actions securely

    Make EnterpriseEnterprise SaaS

    data: Same as Platform but in isolated AWS environment

    Separate managed AWS environment isolated from self-service cloud; includes SSO, audit logs, domain claim

    // What to watch

    • SOC 3 is not a standard certification; no official SOC 3 standard exists. Vendor claims 'SOC 3' but this may be marketing confusion or internal terminology. Standard is SOC 2 Type I or Type II. Recommend clarification with vendor.
    • TISAX and CSA STAR mentioned in market research but not on vendor's official security pages - credibility unclear without direct vendor documentation.
    • HIPAA not supported; community requests for BAA are common but not available. Vendor markets security-first but healthcare use cases require alternatives.
    • No ISO 42001 (AI Governance) certification found despite vendor offering AI-native products (AI Agents, MCP Server). Industry trend toward AI governance standards not yet adopted.

    // At a glance

    Pricing model

    Freemium: free plan available; paid tiers based on operations/integrations; Enterprise custom pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Make (part of Celonis, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    make.com

    > Browse all vendor trust reports