// Trust & Security Report

    Modal Labs, Inc. logo

    Modal Labs, Inc.

    Serverless AI infrastructure/cloud platform (Modal) for running Python-defined inference, training, batch processing, and Sandboxes (isolated code execution) on GPUs, with Starter, Team, and Enterprise plan tiers that differ in security controls (audit logs, SSO, HIPAA BAA availability).

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    we have successfully completed our SOC 2 Type I audit... a third-party auditor reviewed our internal controls including but not limited to data security, network configuration, change management, access control, backup and disaster recovery and security incident response plans.

    Verify on modal.com
    SOC 2 Type II
    HELD

    We have successfully completed a System and Organization Controls (SOC) 2 Type 2 audit. Go to our Security Portal to request access to the report.

    Verify on modal.com
    HIPAA
    HELD

    Modal's services can be used in a HIPAA compliant manner... To use Modal services for HIPAA-compliant workloads, a Business Associate Agreement (BAA) should be established with us prior to submission of any PHI. This is available on our Enterprise plan... At the moment, Volumes v1, Images (excluding Filesystem and Directory Snapshots), Memory Snapshots, and user code are out of scope of the commitments within our BAA, so PHI should not be used in those areas of the product. Volumes v2 are HIPAA compliant.

    Verify on modal.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: Modal's own detailed security and privacy page (https://modal.com/docs/guide/security) enumerates AppSec/CorpSec/InfraSec practices and explicitly names SOC 2, HIPAA, and PCI as its compliance program but does not mention ISO 27001 anywhere; no ISO 27001 certificate or auditor statement was found on any modal.com or trust.modal.com page, nor via web search.

    source: modal.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence: not mentioned on Modal's security page, trust center, or blog; no independent source confirms this certification.

    source: modal.com
    PCI DSS
    NOT CONFIRMED

    Modal uses Stripe to securely process transactions and trusts their commitment to best-in-class security. We do not store personal credit card information for any of our customers. Stripe is certified as "PCI Service Provider Level 1"... (this is Stripe's, i.e. Modal's payment processor's, certification, not Modal's own PCI certification; Modal itself is out of PCI scope because it does not store card data).

    source: modal.com
    CSA STAR
    NOT CONFIRMED

    No public evidence: not referenced on Modal's security page, trust center, or blog.

    source: modal.com
    FedRAMP
    NOT CONFIRMED

    No public evidence: not referenced anywhere on modal.com or trust.modal.com.

    source: modal.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer can select execution region; Modal Inference endpoints are stated to be zero data retention (request/response payloads never written to disk). Function inputs/outputs are encrypted at rest with a max 7-day TTL. No single fixed global data region; DPA references EEA-to-third-country transfer safeguards.

    Modal is an infrastructure/compute provider, not a model provider, so 'training on customer data' in the LLM-vendor sense does not directly apply. Modal's own security page states plainly: 'Modal will never access or use: your source code; the inputs (function arguments) or outputs (function return values) to your Modal Functions; any data you store in Modal, such as in Images or Volumes.' This is a strong no-access commitment, though it is a contractual/policy statement rather than a certified control.

    // Security controls

    Encryption in transit

    HTTPS/TLS forced for all services (site, dashboard, client library, public APIs); all public Modal APIs use TLS 1.3.

    modal.com

    Encryption at rest

    All user data is encrypted in transit and at rest; function inputs/outputs encrypted at rest with max 7-day TTL.

    modal.com

    Workload isolation

    Compute jobs are containerized and virtualized using gVisor (Google's sandboxing technology); automated synthetic monitoring continuously checks network and application isolation.

    modal.com

    Access control / SSO

    Access to internal services gated on an SSO Identity Provider with mandatory phishing-resistant MFA; customer-facing Okta SSO and Custom SAML SSO available (Enterprise plan).

    modal.com

    Penetration testing

    Engages external penetration testing firms to assess software security, alongside PR-based internal code review.

    modal.com

    Bug bounty

    Runs a private bug bounty program through HackerOne (invite via security@modal.com).

    modal.com

    Vulnerability remediation SLAs

    Critical: 24 hours, High: 1 week, Medium: 1 month, Low: 3 months, Informational: 3+ months.

    modal.com

    Audit logs

    Available on Enterprise plan per contract.

    modal.com

    Data retention

    Function inputs/outputs up to 7 days; Inference endpoint payloads not stored (zero retention); app/container logs 1 day (Starter), 30 days (Team), configurable (Enterprise); Volumes/Images persistent until deleted.

    modal.com

    Employee device security

    Laptops protected by FileVault2 full-disk encryption, managed via Secureframe MDM.

    modal.com

    // Products & data scope

    Modal StarterServerless GPU/AI compute (self-serve)

    data: Function inputs/outputs, container images, volumes; 1-day log retention

    Free tier with monthly credits; SOC 2 controls apply but no audit logs, SSO, or HIPAA BAA.

    Modal TeamServerless GPU/AI compute (team plan)

    data: Same as Starter with higher limits; 30-day log retention

    Unlimited seats; still lacks Enterprise-only audit logs, Okta/SAML SSO, and HIPAA BAA.

    Modal EnterpriseServerless GPU/AI compute (enterprise plan)

    data: Same platform with configurable log retention and BAA-covered scope

    Adds audit logs, Okta SSO, Custom SAML SSO, and HIPAA BAA eligibility (PHI still excluded from Volumes v1, most Images, and Memory Snapshots per the BAA).

    Modal SandboxesIsolated code execution environment

    data: Ephemeral filesystem/directory snapshots (30-day retention), memory snapshots (7-day retention)

    Used for agent/untrusted code execution; isolation via gVisor virtualization.

    // What to watch

    • PCI DSS on the vendor's own security page refers to Stripe's (the payment processor's) PCI Service Provider Level 1 certification, not a Modal-held PCI certification; listed here as held=false to avoid implying Modal itself is PCI certified.
    • No ISO 27001 or ISO/IEC 42001 certification found despite Modal's otherwise detailed and current security documentation (last updated with SOC 2 Type II info from Jan 2025); this is a plausible gap for a company of this stage, not necessarily an over-claim, but should be re-checked periodically since Modal is fast-growing.
    • Full trust.modal.com trust center content (e.g. subprocessor list, additional certs) could not be rendered by the fetch tool (JS-rendered SafeBase-style portal); direct assessment relied on modal.com/docs/guide/security and modal.com/blog posts instead, which are lower-friction but equally vendor-authored sources.
    • HIPAA coverage is BAA-based and Enterprise-plan-only with explicit exclusions (Volumes v1, most Images, Memory Snapshots); listings should not imply blanket HIPAA compliance across all plans or all product surfaces.

    // At a glance

    Pricing model

    Usage-based compute pricing with tiered plans (Starter/Team/Enterprise); Enterprise adds volume discounts and custom contracts.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Modal Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.modal.com

    > Browse all vendor trust reports