// Trust & Security Report

    SEOMoz, Inc. (d/b/a Moz), a Ziff Davis company logo

    SEOMoz, Inc. (d/b/a Moz), a Ziff Davis company

    SEO and digital-marketing software suite: Moz Pro (all-in-one SEO toolkit incl. keyword research, rank tracking, site crawl, AI-visibility tracking), Moz Local (local business listings management), STAT (enterprise SERP tracking/analytics), Moz API and Moz Data (licensed access to Moz's link/keyword index), plus free tools (MozBar, Domain Authority Checker, Link Explorer) and Moz Academy (SEO training courses - not a security certification).

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence found on the moz.com domain. A third-party vendor-risk aggregator (Nudge Security) lists Moz as 'SOC 2 Compliant' but cites no vendor source or audit report, and an independent scan (UpGuard) shows no certifications at all for moz.com - the claim is unverified and not used as proof.

    ISO 27001
    NOT CONFIRMED

    No public evidence found on the moz.com domain; no trust center, security page, or press release could be located confirming ISO 27001 certification.

    GDPR (posture)
    NOT CONFIRMED

    moz.com's own homepage displays an EU cookie/consent banner ('We and our 835 partners store and access personal data...') referencing 'our Privacy Policy', indicating GDPR-aware data practices, but automated access to the actual privacy policy page was blocked on every attempt, so specific GDPR compliance commitments (lawful basis, SCCs, DPO, data subject rights process) could not be verified with a direct quote.

    source: moz.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or Business Associate Agreement (BAA) offering found. Moz is a general SEO/marketing analytics tool, not built to process Protected Health Information (PHI); healthcare-SEO guidance sites note customers would need to confirm a BAA directly with Moz before using it on PHI-adjacent pages.

    PCI DSS
    NOT CONFIRMED

    No public evidence found on the moz.com domain of a PCI DSS attestation.

    FedRAMP
    NOT CONFIRMED

    No public evidence found on the moz.com domain. Third-party aggregator Nudge Security lists 'FedRamp Compliant' with no source; this is implausible for a consumer/agency SEO SaaS product with no public trust center and is treated as an unverified over-claim, not graded true.

    CSA STAR
    NOT CONFIRMED

    No public evidence found on the moz.com domain. Same unverified third-party aggregator listing as FedRAMP above; not corroborated by any vendor-domain source.

    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of an AI-governance certification, despite Moz actively marketing 'AI Visibility' / brand-tracking-in-AI-search features.

    CSA STAR AI
    NOT CONFIRMED

    No public evidence found on the moz.com domain.

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    not verified - could not access moz.com privacy/legal pages to confirm hosting or data-residency regions

    Moz markets an 'AI Visibility' feature that tracks a customer's brand presence in third-party AI answer engines (Google AI Mode, ChatGPT, Gemini) - this is monitoring of external AI outputs, not evidence about whether Moz itself trains models on customer account data. No vendor-domain statement on this could be retrieved (privacy policy page was inaccessible to automated verification). Note: a 'mozr.com/dpa' page surfaced in search results but mozr.com is a separate, unrelated company - do not attribute it to Moz/moz.com.

    // Security controls

    Trust center / public security documentation

    None found. No dedicated /security or /trust page could be located on moz.com via search or direct fetch.

    moz.com

    Encryption in transit

    not verified - moz.com serves over HTTPS but no vendor statement on TLS policy could be retrieved

    moz.com

    Independent security scan rating

    UpGuard's automated external-attack-surface scan rates moz.com 'A' (802/950), based on SSL/TLS and email-security configuration checks, not on any certified compliance framework

    upguard.com

    Corporate ownership / parent-company privacy program

    Parent company Ziff Davis, LLC participates in the TRUSTe/TrustArc Data Privacy Framework verification program - this is an umbrella privacy-seal for Ziff Davis properties generally, not a Moz-specific SOC2/ISO27001 security attestation, and should not be presented as a Moz-held certification

    privacy.truste.com

    // Products & data scope

    Moz ProSEO suite (SMB / agency / enterprise)

    data: Customer website/domain data, keyword and rank-tracking data, crawl data, account/billing info

    Core subscription product; tiered plans (Standard through Premium)

    Moz LocalLocal SEO / listings management

    data: Business listing details (name, address, phone, hours) pushed to Google, Facebook, and other directories; review data

    Manages PII-adjacent business location data across third-party directories

    STATEnterprise SERP tracking and analytics

    data: Large-scale keyword/rank data, SERP feature tracking

    Positioned for enterprise SEO teams; likely higher data volume/scale than Moz Pro

    Moz API / Moz DataData licensing / API access

    data: Link index, keyword index, Domain/Page/Brand Authority metrics

    Usage governed by API terms; redistribution of proprietary data is restricted per terms found in search results

    MozBar and free toolsFree browser extension / free SEO tools

    data: Pages the user browses (for MozBar), domains queried in free tools

    Consumer-facing free tier; likely lightest data footprint

    // What to watch

    • Evidence-capture gap: moz.com blocked automated fetch on every path attempted (homepage, /privacy, /security, /terms-privacy, /blog, help.moz.com) across this session. This is a tooling limitation, not proof that pages/certs don't exist - recommend a manual or browser-rendered re-check before finalizing any cert as held=false with high confidence.
    • Third-party over-claim risk: vendor-risk aggregator Nudge Security lists Moz as SOC2 + PCI + HIPAA + GDPR + ISO27001 + FedRAMP + CSA-STAR compliant with zero sourcing, which directly conflicts with an independent UpGuard scan showing no certifications and with the absence of any public trust center. Treated as unverified and NOT used to grade any cert true - flagging for human review before this vendor is shown with any compliance badges.
    • Identity-conflation risk (resolved, noting for audit trail): multiple unrelated 'Moz'-branded entities exist in search results - Mozverse (Web3/blockchain startup), MOZR (unrelated SaaS with its own public DPA at mozr.com), and Mozzaz (digital-health company that genuinely holds SOC 2). None were used as evidence for this assessment; identity for this assessment was anchored to the legal entity name captured directly from moz.com's own footer text: 'SEOMoz, Inc., a Ziff Davis company.'
    • Parent-vs-product cert ambiguity: Ziff Davis, LLC (Moz's corporate parent) holds a TRUSTe privacy-framework verification, but this is a corporate-umbrella privacy seal, not a Moz-product SOC2/ISO27001 attestation - excluded from certifications[] to avoid misrepresenting it as a Moz-held technical security certification.
    • No HIPAA BAA evidence found; Moz should not be marketed to customers needing PHI-safe tooling without direct vendor confirmation.

    // At a glance

    Pricing model

    Tiered SaaS subscription (Moz Pro: Standard/Medium/Large/Premium) plus a free trial and free limited-use tools; STAT and Moz API/Data appear to be separately priced/enterprise-quoted

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on SEOMoz, Inc. (d/b/a Moz), a Ziff Davis company's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    moz.com

    > Browse all vendor trust reports