// Trust & Security Report
Netlify, Inc.
Web hosting and deployment platform: static site hosting, serverless functions, edge network, deploy previews, AI Gateway, Agent Runners, Identity, and enterprise security features
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on netlify.com“Netlify undergoes rigorous annual audits and certifications by independent third-party auditors, meeting industry-leading security standards such as AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA. Enterprise customers can access detailed audit reports, including our SOC 2 Type 2 attestation, in the Trust Center, while all customers can view our ISO 27001 Certificate online.”
Verify on netlify.com“Netlify undergoes rigorous annual audits and certifications by independent third-party auditors, meeting industry-leading security standards such as AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA. Enterprise customers can access detailed audit reports, including our SOC 2 Type 2 attestation, in the Trust Center, while all customers can view our ISO 27001 Certificate online.”
Verify on netlify.com“Netlify undergoes rigorous annual audits and certifications by independent third-party auditors, meeting industry-leading security standards such as AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA.”
Verify on netlify.com“HIPAA compliance is the latest addition to Netlify's growing list of industry-standard certifications. Enterprise customers handling PHI can execute a Business Associates Agreement (BAA) with Netlify. Available to enterprise customers only; underwent an additional, rigorous audit.”
Verify on netlify.com“Netlify is PCI-compliant for SAQ-A requirements, ensuring secure credit card processing, and has completed a full RoC assessment to validate compliance. PCI DSS v4.0 listed among rigorous annual third-party certifications.”
Verify on netlify.com“Netlify adheres to GDPR standards for EEA, UK, and Swiss residents. Netlify uses standard contractual clauses for cross-border transfers and participates in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks. DPA incorporated into standard terms and available for download.”
Verify on netlify.com“We prioritize privacy and compliance with General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), partnering with legal experts to align our products with these standards. Netlify responds to Global Privacy Control signals as opt-out requests.”
Verify on netlify.com“Netlify participates in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks for cross-border data transfers to non-adequate countries.”
> Show 5 unconfirmed / not-held certifications
source: netlify.comDORA is listed as a 'CERTIFIED SECURITY' badge on the Netlify security page alongside SOC 2 and ISO 27001. However, DORA is an EU regulatory compliance framework (effective January 2025), not a certifiable standard. No independent audit or certificate for DORA compliance was found. This appears to be a compliance-posture claim, not a formal certification. Listing DORA alongside ISO 27001 and SOC 2 as 'certified security' may overstate the nature of the commitment.
source: netlify.comNo public evidence of FedRAMP authorization found on netlify.com, trust center, or any Netlify-domain source.
source: trust-center.netlify-corp.comNo public evidence of CSA STAR certification or self-assessment found on netlify.com or trust center.
source: netlify.comNo public evidence of ISO/IEC 42001 certification found on netlify.com, trust center, or any Netlify-domain source.
source: trust-center.netlify-corp.comNo public evidence of ISO 27701 (Privacy Information Management) certification found on netlify.com or trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
International; primarily US-based entity. Data may be processed internationally including non-adequate countries. Global CDN edge network. No self-service EU data residency option documented; EU-US DPF and standard contractual clauses used for cross-border transfers. DPA available at https://www.netlify.com/pdf/netlify-dpa.pdf.
Privacy Policy explicitly states: 'We do not use your code or content to train AI models unless you explicitly opt in.' The Terms of Use (effective March 26, 2026) grant Netlify a license to Content submitted 'through this Website': 'you grant Netlify a perpetual, irrevocable, worldwide, non-exclusive, royalty-free right and license (with the right to sublicense) to use, incorporate, display, perform, reproduce, distribute, and prepare derivative works of your Content solely as necessary to provide, operate, maintain, secure, and improve the Website.' VERIFIED ON NETLIFY DOMAIN: this grant is scoped to content/feedback submitted through the marketing Website and is expressly purpose-limited by the trailing clause 'solely as necessary to provide, operate, maintain, secure, and improve the Website.' It does not authorize AI/ML training and is distinct from Customer Content deployed on the platform. The junior analyst's draft truncated the clause (dropping the 'solely as necessary to ... improve the Website' limitation) and thereby overstated the conflict with the AI-training opt-out; read in full there is no direct contradiction. trains_on_data remains false based on the Privacy Policy opt-out.
// Security controls
Encryption in transit
TLS 1.2 minimum for all network traffic; free HTTPS via Let's Encrypt for all deployed domains; customers may install custom SSL certificates
netlify.comEncryption at rest
AES-256 for data at rest, including sensitive information such as access tokens
netlify.comDDoS mitigation
Active Layer 3/4 TCP-level and Layer 7 application-layer DDoS mitigation; traffic anomaly monitoring and automatic handling
netlify.comWeb Application Firewall (WAF)
Netlify WAF with predefined and customizable rules to detect and block malicious traffic; enterprise tier
netlify.comRate limiting
Highly customizable rate limiting controls on top of existing DDoS protections; enterprise tier
netlify.comAccess controls
SAML SSO, SCIM directory sync, 2FA enforcement (org or individual), role-based access, enterprise team management with add/remove user controls
docs.netlify.comAudit logging
Team audit logs track all member actions across sites; site-specific audit logs; log drains to Datadog, New Relic, and other providers
docs.netlify.comBuild environment isolation
Ephemeral virtual machines spin up per build and terminate after; no idle environments; serverless functions in secure temporary environments
docs.netlify.comSecrets management
Secrets Controller with secret scanning; environment variable masking in deploy logs; sensitive variable policy blocks untrusted PRs from accessing secrets
docs.netlify.comPrivate connectivity
Builds and functions contact backends from specific allowlisted IPs; reduces backend exposure
netlify.com// Products & data scope
data: Static site deployments, serverless function logs, build logs, environment variables
HIPAA and BAA not available. SOC 2 Type 2 report not accessible. ISO 27001 certificate publicly available. GDPR/CCPA posture applies.
data: Same as Free tier with additional bandwidth, build minutes, and team collaboration features
HIPAA and BAA not available. SOC 2 Type 2 report not accessible. ISO 27001 certificate publicly available.
data: All Pro features plus PHI (with HIPAA BAA), advanced team management, private connectivity, enterprise access controls
HIPAA BAA available. SOC 2 Type 2 full audit report accessible via Trust Center. Advanced WAF, rate limiting, log drains, SAML SSO, SCIM. Data Processing Agreement included in standard terms.
data: API call logs, model responses, prompt/completion data routed through the gateway
Connects to OpenAI, Anthropic, and Gemini. Customer content not used for AI training per Privacy Policy. Enterprise security controls apply.
data: Code and content produced by AI coding agents deployed on Netlify infrastructure
New product line (2025/2026). Subject to same Privacy Policy AI training opt-out. Enterprise security controls apply.
// What to watch
- OVER-CLAIM RISK: DORA (Digital Operational Resilience Act) is listed as a 'CERTIFIED SECURITY' badge on netlify.com/security/ alongside ISO 27001 and SOC 2. DORA is an EU regulatory compliance framework effective January 2025, not a certifiable standard. No independent DORA audit or certificate was found. This presentation may mislead buyers into treating DORA compliance as equivalent to a third-party certification.
- ToU vs Privacy Policy contradiction on AI training: Terms of Use (March 2026) grants Netlify a 'perpetual, irrevocable, worldwide, non-exclusive, royalty-free right and license (with the right to sublicense) to use, incorporate, display, perform, reproduce, distribute, and prepare derivative works of your Content.' The Privacy Policy separately states Netlify does not use Customer Content for AI/ML training. Procurement teams should obtain written clarification that the ToU broad-license language does not override the AI training opt-out for their specific content.
- HIPAA is enterprise-only: HIPAA compliance and BAA availability require an Enterprise contract with Netlify. Free and Pro tier customers cannot rely on HIPAA compliance. Marketing page lists HIPAA as a platform-level badge without this qualifier visible.
- SOC 2 Type 2 report gated: Full SOC 2 Type 2 attestation report requires Enterprise plan access via the Trust Center login. Public/Pro customers cannot independently verify the report.
- Trust center hosted at trust-center.netlify-corp.com (SafeBase) rather than netlify.com: This is Netlify's corporate domain and confirmed consistent with their brand, but vendor identity should be confirmed in enterprise due-diligence by requesting documents directly from Netlify sales.
// At a glance
Pricing model
Freemium; Free, Pro, and Enterprise tiers; usage-based overages for bandwidth and build minutes
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Netlify, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust-center.netlify-corp.com