// Trust & Security Report
Modal Labs, Inc.
Serverless AI infrastructure/cloud platform (Modal) for running Python-defined inference, training, batch processing, and Sandboxes (isolated code execution) on GPUs, with Starter, Team, and Enterprise plan tiers that differ in security controls (audit logs, SSO, HIPAA BAA availability).
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on modal.com“we have successfully completed our SOC 2 Type I audit... a third-party auditor reviewed our internal controls including but not limited to data security, network configuration, change management, access control, backup and disaster recovery and security incident response plans.”
Verify on modal.com“We have successfully completed a System and Organization Controls (SOC) 2 Type 2 audit. Go to our Security Portal to request access to the report.”
Verify on modal.com“Modal's services can be used in a HIPAA compliant manner... To use Modal services for HIPAA-compliant workloads, a Business Associate Agreement (BAA) should be established with us prior to submission of any PHI. This is available on our Enterprise plan... At the moment, Volumes v1, Images (excluding Filesystem and Directory Snapshots), Memory Snapshots, and user code are out of scope of the commitments within our BAA, so PHI should not be used in those areas of the product. Volumes v2 are HIPAA compliant.”
> Show 5 unconfirmed / not-held certifications
source: modal.comNo public evidence: Modal's own detailed security and privacy page (https://modal.com/docs/guide/security) enumerates AppSec/CorpSec/InfraSec practices and explicitly names SOC 2, HIPAA, and PCI as its compliance program but does not mention ISO 27001 anywhere; no ISO 27001 certificate or auditor statement was found on any modal.com or trust.modal.com page, nor via web search.
source: modal.comNo public evidence: not mentioned on Modal's security page, trust center, or blog; no independent source confirms this certification.
source: modal.comModal uses Stripe to securely process transactions and trusts their commitment to best-in-class security. We do not store personal credit card information for any of our customers. Stripe is certified as "PCI Service Provider Level 1"... (this is Stripe's, i.e. Modal's payment processor's, certification, not Modal's own PCI certification; Modal itself is out of PCI scope because it does not store card data).
source: modal.comNo public evidence: not referenced on Modal's security page, trust center, or blog.
source: modal.comNo public evidence: not referenced anywhere on modal.com or trust.modal.com.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer can select execution region; Modal Inference endpoints are stated to be zero data retention (request/response payloads never written to disk). Function inputs/outputs are encrypted at rest with a max 7-day TTL. No single fixed global data region; DPA references EEA-to-third-country transfer safeguards.
Modal is an infrastructure/compute provider, not a model provider, so 'training on customer data' in the LLM-vendor sense does not directly apply. Modal's own security page states plainly: 'Modal will never access or use: your source code; the inputs (function arguments) or outputs (function return values) to your Modal Functions; any data you store in Modal, such as in Images or Volumes.' This is a strong no-access commitment, though it is a contractual/policy statement rather than a certified control.
// Security controls
Encryption in transit
HTTPS/TLS forced for all services (site, dashboard, client library, public APIs); all public Modal APIs use TLS 1.3.
modal.comEncryption at rest
All user data is encrypted in transit and at rest; function inputs/outputs encrypted at rest with max 7-day TTL.
modal.comWorkload isolation
Compute jobs are containerized and virtualized using gVisor (Google's sandboxing technology); automated synthetic monitoring continuously checks network and application isolation.
modal.comAccess control / SSO
Access to internal services gated on an SSO Identity Provider with mandatory phishing-resistant MFA; customer-facing Okta SSO and Custom SAML SSO available (Enterprise plan).
modal.comPenetration testing
Engages external penetration testing firms to assess software security, alongside PR-based internal code review.
modal.comBug bounty
Runs a private bug bounty program through HackerOne (invite via security@modal.com).
modal.comVulnerability remediation SLAs
Critical: 24 hours, High: 1 week, Medium: 1 month, Low: 3 months, Informational: 3+ months.
modal.comData retention
Function inputs/outputs up to 7 days; Inference endpoint payloads not stored (zero retention); app/container logs 1 day (Starter), 30 days (Team), configurable (Enterprise); Volumes/Images persistent until deleted.
modal.comEmployee device security
Laptops protected by FileVault2 full-disk encryption, managed via Secureframe MDM.
modal.com// Products & data scope
data: Function inputs/outputs, container images, volumes; 1-day log retention
Free tier with monthly credits; SOC 2 controls apply but no audit logs, SSO, or HIPAA BAA.
data: Same as Starter with higher limits; 30-day log retention
Unlimited seats; still lacks Enterprise-only audit logs, Okta/SAML SSO, and HIPAA BAA.
data: Same platform with configurable log retention and BAA-covered scope
Adds audit logs, Okta SSO, Custom SAML SSO, and HIPAA BAA eligibility (PHI still excluded from Volumes v1, most Images, and Memory Snapshots per the BAA).
data: Ephemeral filesystem/directory snapshots (30-day retention), memory snapshots (7-day retention)
Used for agent/untrusted code execution; isolation via gVisor virtualization.
// What to watch
- PCI DSS on the vendor's own security page refers to Stripe's (the payment processor's) PCI Service Provider Level 1 certification, not a Modal-held PCI certification; listed here as held=false to avoid implying Modal itself is PCI certified.
- No ISO 27001 or ISO/IEC 42001 certification found despite Modal's otherwise detailed and current security documentation (last updated with SOC 2 Type II info from Jan 2025); this is a plausible gap for a company of this stage, not necessarily an over-claim, but should be re-checked periodically since Modal is fast-growing.
- Full trust.modal.com trust center content (e.g. subprocessor list, additional certs) could not be rendered by the fetch tool (JS-rendered SafeBase-style portal); direct assessment relied on modal.com/docs/guide/security and modal.com/blog posts instead, which are lower-friction but equally vendor-authored sources.
- HIPAA coverage is BAA-based and Enterprise-plan-only with explicit exclusions (Volumes v1, most Images, Memory Snapshots); listings should not imply blanket HIPAA compliance across all plans or all product surfaces.
// At a glance
Pricing model
Usage-based compute pricing with tiered plans (Starter/Team/Enterprise); Enterprise adds volume discounts and custom contracts.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Modal Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.modal.com