// Trust & Security Report

    Mintlify, Inc. logo

    Mintlify, Inc.

    Documentation-as-a-platform for developer docs and AI agent knowledge bases: core docs hosting (Starter/Pro/Enterprise tiers), an AI Assistant/agent chat layer over docs, MCP server generation, API playground, and enterprise add-ons (SSO/SCIM/RBAC, audit logs, BYOK).

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 Report (listed under 'Security' documents on the Mintlify Trust Center, Powered by Drata)

    Verify on security.mintlify.com
    GDPR (compliance posture, not a certification)
    HELD

    Trust Center lists a 'GDPR - July 10, 2025' document and a 'Data Processing Agreement (DPA 11.26.2025)'; privacy policy states 'your information may be transferred to, stored in, and processed in the United States' with Standard Contractual Clauses and UK IDTA safeguards for EEA/UK/Swiss transfers.

    Verify on security.mintlify.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Trust Center lists only an 'ISO 27001 Letter of Intent', not a certificate or Statement of Applicability. A letter of intent signals a commitment to pursue certification, not an achieved certification.

    source: security.mintlify.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Not listed on the Trust Center document library and not mentioned in the privacy policy or terms.

    source: security.mintlify.com
    PCI DSS
    NOT CONFIRMED

    No public evidence; not listed on the Trust Center and no indication Mintlify directly processes cardholder data (billing is handled by a payment subprocessor).

    source: security.mintlify.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification on the Trust Center or elsewhere on the vendor domain.

    source: security.mintlify.com
    CSA STAR (incl. AI addendum)
    NOT CONFIRMED

    No public evidence of a CSA STAR listing or self-assessment for Mintlify.

    source: security.mintlify.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (primary hosting/processing); Standard Contractual Clauses and UK IDTA used for EEA/UK/Swiss data transfers per privacy policy.

    Privacy policy states 'we do not use customer content or user data to train large language models.' Terms of Service state Mintlify will not use Customer Data to train, fine-tune, improve, or develop any LLMs/generative AI/ML models, proprietary or third-party, and that third-party AI/LLM providers (e.g. Anthropic, OpenAI, OpenRouter) are contractually prohibited from training on it; such data is processed only transiently for inference to deliver features like search and content generation. Exception carved out for 'Aggregated De-Identified Data.' No tier-based difference found (no-training commitment applies platform-wide in current ToS/policy); no legacy-vs-current contradiction found in the pages reviewed.

    // Security controls

    Independent penetration testing

    Trust Center lists an 'External Cloud Network Penetration Test' report and an 'Application Penetration Test' report as available documents.

    security.mintlify.com

    Written security policy suite

    Trust Center publishes Network Security Policy, Vulnerability Management Policy, Responsible Disclosure Policy, Information Security Policy, Encryption Policy, Data Protection Policy, Data Retention Policy, and Data Classification Policy.

    security.mintlify.com

    Cybersecurity insurance

    Trust Center lists a 'Cybersecurity Insurance' document alongside an architecture diagram and system description.

    security.mintlify.com

    Subprocessor transparency

    Trust Center and privacy policy publish a subprocessor list (e.g. OpenRouter, HubSpot, Render, AWS) with data locations, mostly US/AWS-US; policy commits to advance notice of subprocessor changes.

    security.mintlify.com

    Enterprise access controls

    Pricing page advertises SSO, SCIM, RBAC, OAuth/JWT/SSO, audit logs, session IP allowlisting, and BYOK (bring your own key) as Enterprise-tier features.

    mintlify.com

    // Products & data scope

    Mintlify StarterFree tier docs hosting

    data: Public-facing documentation content; custom domain, web editor, authentication, MCP server, API playground included

    10,000 credits/month included, overage billed per credit.

    Mintlify ProPaid docs + AI agent layer

    data: Adds Agent, Assistant (AI chat over docs), Automations, preview deployments, admin APIs

    Same credit-based usage model as Starter with committed volume discounts available.

    Mintlify EnterpriseEnterprise docs + governance

    data: Everything in Pro plus SSO/SCIM/RBAC, audit logs, session IP allowlist, BYOK, dedicated security/legal review, custom SLAs

    Contact-sales tier; self-hosting is referenced on the pricing page but tier eligibility is not fully detailed on the vendor's public pricing page.

    // What to watch

    • ISO 27001 is not yet held: the Trust Center only lists a 'Letter of Intent', which some marketing or third-party listings may loosely describe as 'ISO 27001 compliant' or 'in progress' -- do not upgrade this to held=true.
    • Self-hosting capability is referenced only as a pricing-table row label; exact terms, which tier, and security implications are not documented on the public pricing page and would need direct vendor confirmation before AIFOXX advertises it as a feature.

    // At a glance

    Pricing model

    Freemium/usage-credit model (Starter free, Pro paid, Enterprise custom) with per-credit overage billing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mintlify, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.mintlify.com

    > Browse all vendor trust reports