// Trust & Security Report
SEOMoz, Inc. (d/b/a Moz), a Ziff Davis company
SEO and digital-marketing software suite: Moz Pro (all-in-one SEO toolkit incl. keyword research, rank tracking, site crawl, AI-visibility tracking), Moz Local (local business listings management), STAT (enterprise SERP tracking/analytics), Moz API and Moz Data (licensed access to Moz's link/keyword index), plus free tools (MozBar, Domain Authority Checker, Link Explorer) and Moz Academy (SEO training courses - not a security certification).
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
No public evidence found on the moz.com domain. A third-party vendor-risk aggregator (Nudge Security) lists Moz as 'SOC 2 Compliant' but cites no vendor source or audit report, and an independent scan (UpGuard) shows no certifications at all for moz.com - the claim is unverified and not used as proof.
No public evidence found on the moz.com domain; no trust center, security page, or press release could be located confirming ISO 27001 certification.
source: moz.commoz.com's own homepage displays an EU cookie/consent banner ('We and our 835 partners store and access personal data...') referencing 'our Privacy Policy', indicating GDPR-aware data practices, but automated access to the actual privacy policy page was blocked on every attempt, so specific GDPR compliance commitments (lawful basis, SCCs, DPO, data subject rights process) could not be verified with a direct quote.
No public evidence of HIPAA compliance or Business Associate Agreement (BAA) offering found. Moz is a general SEO/marketing analytics tool, not built to process Protected Health Information (PHI); healthcare-SEO guidance sites note customers would need to confirm a BAA directly with Moz before using it on PHI-adjacent pages.
No public evidence found on the moz.com domain of a PCI DSS attestation.
No public evidence found on the moz.com domain. Third-party aggregator Nudge Security lists 'FedRamp Compliant' with no source; this is implausible for a consumer/agency SEO SaaS product with no public trust center and is treated as an unverified over-claim, not graded true.
No public evidence found on the moz.com domain. Same unverified third-party aggregator listing as FedRAMP above; not corroborated by any vendor-domain source.
No public evidence of an AI-governance certification, despite Moz actively marketing 'AI Visibility' / brand-tracking-in-AI-search features.
No public evidence found on the moz.com domain.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
not verified - could not access moz.com privacy/legal pages to confirm hosting or data-residency regions
Moz markets an 'AI Visibility' feature that tracks a customer's brand presence in third-party AI answer engines (Google AI Mode, ChatGPT, Gemini) - this is monitoring of external AI outputs, not evidence about whether Moz itself trains models on customer account data. No vendor-domain statement on this could be retrieved (privacy policy page was inaccessible to automated verification). Note: a 'mozr.com/dpa' page surfaced in search results but mozr.com is a separate, unrelated company - do not attribute it to Moz/moz.com.
// Security controls
Trust center / public security documentation
None found. No dedicated /security or /trust page could be located on moz.com via search or direct fetch.
moz.comEncryption in transit
not verified - moz.com serves over HTTPS but no vendor statement on TLS policy could be retrieved
moz.comIndependent security scan rating
UpGuard's automated external-attack-surface scan rates moz.com 'A' (802/950), based on SSL/TLS and email-security configuration checks, not on any certified compliance framework
upguard.comCorporate ownership / parent-company privacy program
Parent company Ziff Davis, LLC participates in the TRUSTe/TrustArc Data Privacy Framework verification program - this is an umbrella privacy-seal for Ziff Davis properties generally, not a Moz-specific SOC2/ISO27001 security attestation, and should not be presented as a Moz-held certification
privacy.truste.com// Products & data scope
data: Customer website/domain data, keyword and rank-tracking data, crawl data, account/billing info
Core subscription product; tiered plans (Standard through Premium)
data: Business listing details (name, address, phone, hours) pushed to Google, Facebook, and other directories; review data
Manages PII-adjacent business location data across third-party directories
data: Large-scale keyword/rank data, SERP feature tracking
Positioned for enterprise SEO teams; likely higher data volume/scale than Moz Pro
data: Link index, keyword index, Domain/Page/Brand Authority metrics
Usage governed by API terms; redistribution of proprietary data is restricted per terms found in search results
data: Pages the user browses (for MozBar), domains queried in free tools
Consumer-facing free tier; likely lightest data footprint
// What to watch
- Evidence-capture gap: moz.com blocked automated fetch on every path attempted (homepage, /privacy, /security, /terms-privacy, /blog, help.moz.com) across this session. This is a tooling limitation, not proof that pages/certs don't exist - recommend a manual or browser-rendered re-check before finalizing any cert as held=false with high confidence.
- Third-party over-claim risk: vendor-risk aggregator Nudge Security lists Moz as SOC2 + PCI + HIPAA + GDPR + ISO27001 + FedRAMP + CSA-STAR compliant with zero sourcing, which directly conflicts with an independent UpGuard scan showing no certifications and with the absence of any public trust center. Treated as unverified and NOT used to grade any cert true - flagging for human review before this vendor is shown with any compliance badges.
- Identity-conflation risk (resolved, noting for audit trail): multiple unrelated 'Moz'-branded entities exist in search results - Mozverse (Web3/blockchain startup), MOZR (unrelated SaaS with its own public DPA at mozr.com), and Mozzaz (digital-health company that genuinely holds SOC 2). None were used as evidence for this assessment; identity for this assessment was anchored to the legal entity name captured directly from moz.com's own footer text: 'SEOMoz, Inc., a Ziff Davis company.'
- Parent-vs-product cert ambiguity: Ziff Davis, LLC (Moz's corporate parent) holds a TRUSTe privacy-framework verification, but this is a corporate-umbrella privacy seal, not a Moz-product SOC2/ISO27001 attestation - excluded from certifications[] to avoid misrepresenting it as a Moz-held technical security certification.
- No HIPAA BAA evidence found; Moz should not be marketed to customers needing PHI-safe tooling without direct vendor confirmation.
// At a glance
Pricing model
Tiered SaaS subscription (Moz Pro: Standard/Medium/Large/Premium) plus a free trial and free limited-use tools; STAT and Moz API/Data appear to be separately priced/enterprise-quoted
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SEOMoz, Inc. (d/b/a Moz), a Ziff Davis company's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
moz.com