// Trust & Security Report
Mintlify, Inc.
Documentation-as-a-platform for developer docs and AI agent knowledge bases: core docs hosting (Starter/Pro/Enterprise tiers), an AI Assistant/agent chat layer over docs, MCP server generation, API playground, and enterprise add-ons (SSO/SCIM/RBAC, audit logs, BYOK).
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.mintlify.com“SOC 2 Type 2 Report (listed under 'Security' documents on the Mintlify Trust Center, Powered by Drata)”
Verify on security.mintlify.com“Trust Center lists a 'GDPR - July 10, 2025' document and a 'Data Processing Agreement (DPA 11.26.2025)'; privacy policy states 'your information may be transferred to, stored in, and processed in the United States' with Standard Contractual Clauses and UK IDTA safeguards for EEA/UK/Swiss transfers.”
> Show 5 unconfirmed / not-held certifications
source: security.mintlify.comTrust Center lists only an 'ISO 27001 Letter of Intent', not a certificate or Statement of Applicability. A letter of intent signals a commitment to pursue certification, not an achieved certification.
source: security.mintlify.comNo public evidence. Not listed on the Trust Center document library and not mentioned in the privacy policy or terms.
source: security.mintlify.comNo public evidence; not listed on the Trust Center and no indication Mintlify directly processes cardholder data (billing is handled by a payment subprocessor).
source: security.mintlify.comNo public evidence of ISO 42001 certification on the Trust Center or elsewhere on the vendor domain.
source: security.mintlify.comNo public evidence of a CSA STAR listing or self-assessment for Mintlify.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (primary hosting/processing); Standard Contractual Clauses and UK IDTA used for EEA/UK/Swiss data transfers per privacy policy.
Privacy policy states 'we do not use customer content or user data to train large language models.' Terms of Service state Mintlify will not use Customer Data to train, fine-tune, improve, or develop any LLMs/generative AI/ML models, proprietary or third-party, and that third-party AI/LLM providers (e.g. Anthropic, OpenAI, OpenRouter) are contractually prohibited from training on it; such data is processed only transiently for inference to deliver features like search and content generation. Exception carved out for 'Aggregated De-Identified Data.' No tier-based difference found (no-training commitment applies platform-wide in current ToS/policy); no legacy-vs-current contradiction found in the pages reviewed.
// Security controls
Independent penetration testing
Trust Center lists an 'External Cloud Network Penetration Test' report and an 'Application Penetration Test' report as available documents.
security.mintlify.comWritten security policy suite
Trust Center publishes Network Security Policy, Vulnerability Management Policy, Responsible Disclosure Policy, Information Security Policy, Encryption Policy, Data Protection Policy, Data Retention Policy, and Data Classification Policy.
security.mintlify.comCybersecurity insurance
Trust Center lists a 'Cybersecurity Insurance' document alongside an architecture diagram and system description.
security.mintlify.comSubprocessor transparency
Trust Center and privacy policy publish a subprocessor list (e.g. OpenRouter, HubSpot, Render, AWS) with data locations, mostly US/AWS-US; policy commits to advance notice of subprocessor changes.
security.mintlify.comEnterprise access controls
Pricing page advertises SSO, SCIM, RBAC, OAuth/JWT/SSO, audit logs, session IP allowlisting, and BYOK (bring your own key) as Enterprise-tier features.
mintlify.com// Products & data scope
data: Public-facing documentation content; custom domain, web editor, authentication, MCP server, API playground included
10,000 credits/month included, overage billed per credit.
data: Adds Agent, Assistant (AI chat over docs), Automations, preview deployments, admin APIs
Same credit-based usage model as Starter with committed volume discounts available.
data: Everything in Pro plus SSO/SCIM/RBAC, audit logs, session IP allowlist, BYOK, dedicated security/legal review, custom SLAs
Contact-sales tier; self-hosting is referenced on the pricing page but tier eligibility is not fully detailed on the vendor's public pricing page.
// What to watch
- ISO 27001 is not yet held: the Trust Center only lists a 'Letter of Intent', which some marketing or third-party listings may loosely describe as 'ISO 27001 compliant' or 'in progress' -- do not upgrade this to held=true.
- Self-hosting capability is referenced only as a pricing-table row label; exact terms, which tier, and security implications are not documented on the public pricing page and would need direct vendor confirmation before AIFOXX advertises it as a feature.
// At a glance
Pricing model
Freemium/usage-credit model (Starter free, Pro paid, Enterprise custom) with per-credit overage billing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mintlify, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.mintlify.com