// Trust & Security Report

    Netlify, Inc. logo

    Netlify, Inc.

    Web hosting and deployment platform: static site hosting, serverless functions, edge network, deploy previews, AI Gateway, Agent Runners, Identity, and enterprise security features

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Netlify undergoes rigorous annual audits and certifications by independent third-party auditors, meeting industry-leading security standards such as AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA. Enterprise customers can access detailed audit reports, including our SOC 2 Type 2 attestation, in the Trust Center, while all customers can view our ISO 27001 Certificate online.

    Verify on netlify.com
    ISO 27001
    HELD

    Netlify undergoes rigorous annual audits and certifications by independent third-party auditors, meeting industry-leading security standards such as AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA. Enterprise customers can access detailed audit reports, including our SOC 2 Type 2 attestation, in the Trust Center, while all customers can view our ISO 27001 Certificate online.

    Verify on netlify.com
    ISO 27018
    HELD

    Netlify undergoes rigorous annual audits and certifications by independent third-party auditors, meeting industry-leading security standards such as AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA.

    Verify on netlify.com
    HIPAA
    HELD

    HIPAA compliance is the latest addition to Netlify's growing list of industry-standard certifications. Enterprise customers handling PHI can execute a Business Associates Agreement (BAA) with Netlify. Available to enterprise customers only; underwent an additional, rigorous audit.

    Verify on netlify.com
    PCI DSS v4.0
    HELD

    Netlify is PCI-compliant for SAQ-A requirements, ensuring secure credit card processing, and has completed a full RoC assessment to validate compliance. PCI DSS v4.0 listed among rigorous annual third-party certifications.

    Verify on netlify.com
    GDPR
    HELD

    Netlify adheres to GDPR standards for EEA, UK, and Swiss residents. Netlify uses standard contractual clauses for cross-border transfers and participates in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks. DPA incorporated into standard terms and available for download.

    Verify on netlify.com
    CCPA
    HELD

    We prioritize privacy and compliance with General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), partnering with legal experts to align our products with these standards. Netlify responds to Global Privacy Control signals as opt-out requests.

    Verify on netlify.com
    EU-US Data Privacy Framework
    HELD

    Netlify participates in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks for cross-border data transfers to non-adequate countries.

    Verify on netlify.com
    > Show 5 unconfirmed / not-held certifications
    DORA (Digital Operational Resilience Act)
    NOT CONFIRMED

    DORA is listed as a 'CERTIFIED SECURITY' badge on the Netlify security page alongside SOC 2 and ISO 27001. However, DORA is an EU regulatory compliance framework (effective January 2025), not a certifiable standard. No independent audit or certificate for DORA compliance was found. This appears to be a compliance-posture claim, not a formal certification. Listing DORA alongside ISO 27001 and SOC 2 as 'certified security' may overstate the nature of the commitment.

    source: netlify.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on netlify.com, trust center, or any Netlify-domain source.

    source: netlify.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification or self-assessment found on netlify.com or trust center.

    source: trust-center.netlify-corp.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification found on netlify.com, trust center, or any Netlify-domain source.

    source: netlify.com
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 (Privacy Information Management) certification found on netlify.com or trust center.

    source: trust-center.netlify-corp.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    International; primarily US-based entity. Data may be processed internationally including non-adequate countries. Global CDN edge network. No self-service EU data residency option documented; EU-US DPF and standard contractual clauses used for cross-border transfers. DPA available at https://www.netlify.com/pdf/netlify-dpa.pdf.

    Privacy Policy explicitly states: 'We do not use your code or content to train AI models unless you explicitly opt in.' The Terms of Use (effective March 26, 2026) grant Netlify a license to Content submitted 'through this Website': 'you grant Netlify a perpetual, irrevocable, worldwide, non-exclusive, royalty-free right and license (with the right to sublicense) to use, incorporate, display, perform, reproduce, distribute, and prepare derivative works of your Content solely as necessary to provide, operate, maintain, secure, and improve the Website.' VERIFIED ON NETLIFY DOMAIN: this grant is scoped to content/feedback submitted through the marketing Website and is expressly purpose-limited by the trailing clause 'solely as necessary to provide, operate, maintain, secure, and improve the Website.' It does not authorize AI/ML training and is distinct from Customer Content deployed on the platform. The junior analyst's draft truncated the clause (dropping the 'solely as necessary to ... improve the Website' limitation) and thereby overstated the conflict with the AI-training opt-out; read in full there is no direct contradiction. trains_on_data remains false based on the Privacy Policy opt-out.

    // Security controls

    Encryption in transit

    TLS 1.2 minimum for all network traffic; free HTTPS via Let's Encrypt for all deployed domains; customers may install custom SSL certificates

    netlify.com

    Encryption at rest

    AES-256 for data at rest, including sensitive information such as access tokens

    netlify.com

    DDoS mitigation

    Active Layer 3/4 TCP-level and Layer 7 application-layer DDoS mitigation; traffic anomaly monitoring and automatic handling

    netlify.com

    Web Application Firewall (WAF)

    Netlify WAF with predefined and customizable rules to detect and block malicious traffic; enterprise tier

    netlify.com

    Rate limiting

    Highly customizable rate limiting controls on top of existing DDoS protections; enterprise tier

    netlify.com

    Penetration testing

    Yearly penetration testing by independent third parties

    docs.netlify.com

    Access controls

    SAML SSO, SCIM directory sync, 2FA enforcement (org or individual), role-based access, enterprise team management with add/remove user controls

    docs.netlify.com

    Audit logging

    Team audit logs track all member actions across sites; site-specific audit logs; log drains to Datadog, New Relic, and other providers

    docs.netlify.com

    Build environment isolation

    Ephemeral virtual machines spin up per build and terminate after; no idle environments; serverless functions in secure temporary environments

    docs.netlify.com

    Secrets management

    Secrets Controller with secret scanning; environment variable masking in deploy logs; sensitive variable policy blocks untrusted PRs from accessing secrets

    docs.netlify.com

    Private connectivity

    Builds and functions contact backends from specific allowlisted IPs; reduces backend exposure

    netlify.com

    Uptime SLA

    99.99% uptime stated on homepage; global edge network

    netlify.com

    // Products & data scope

    Netlify Free / StarterWeb hosting and deployment

    data: Static site deployments, serverless function logs, build logs, environment variables

    HIPAA and BAA not available. SOC 2 Type 2 report not accessible. ISO 27001 certificate publicly available. GDPR/CCPA posture applies.

    Netlify ProWeb hosting and deployment

    data: Same as Free tier with additional bandwidth, build minutes, and team collaboration features

    HIPAA and BAA not available. SOC 2 Type 2 report not accessible. ISO 27001 certificate publicly available.

    Netlify EnterpriseEnterprise web hosting and deployment

    data: All Pro features plus PHI (with HIPAA BAA), advanced team management, private connectivity, enterprise access controls

    HIPAA BAA available. SOC 2 Type 2 full audit report accessible via Trust Center. Advanced WAF, rate limiting, log drains, SAML SSO, SCIM. Data Processing Agreement included in standard terms.

    Netlify AI GatewayAI model routing and gateway

    data: API call logs, model responses, prompt/completion data routed through the gateway

    Connects to OpenAI, Anthropic, and Gemini. Customer content not used for AI training per Privacy Policy. Enterprise security controls apply.

    Netlify Agent RunnersAI agent execution infrastructure

    data: Code and content produced by AI coding agents deployed on Netlify infrastructure

    New product line (2025/2026). Subject to same Privacy Policy AI training opt-out. Enterprise security controls apply.

    // What to watch

    • OVER-CLAIM RISK: DORA (Digital Operational Resilience Act) is listed as a 'CERTIFIED SECURITY' badge on netlify.com/security/ alongside ISO 27001 and SOC 2. DORA is an EU regulatory compliance framework effective January 2025, not a certifiable standard. No independent DORA audit or certificate was found. This presentation may mislead buyers into treating DORA compliance as equivalent to a third-party certification.
    • ToU vs Privacy Policy contradiction on AI training: Terms of Use (March 2026) grants Netlify a 'perpetual, irrevocable, worldwide, non-exclusive, royalty-free right and license (with the right to sublicense) to use, incorporate, display, perform, reproduce, distribute, and prepare derivative works of your Content.' The Privacy Policy separately states Netlify does not use Customer Content for AI/ML training. Procurement teams should obtain written clarification that the ToU broad-license language does not override the AI training opt-out for their specific content.
    • HIPAA is enterprise-only: HIPAA compliance and BAA availability require an Enterprise contract with Netlify. Free and Pro tier customers cannot rely on HIPAA compliance. Marketing page lists HIPAA as a platform-level badge without this qualifier visible.
    • SOC 2 Type 2 report gated: Full SOC 2 Type 2 attestation report requires Enterprise plan access via the Trust Center login. Public/Pro customers cannot independently verify the report.
    • Trust center hosted at trust-center.netlify-corp.com (SafeBase) rather than netlify.com: This is Netlify's corporate domain and confirmed consistent with their brand, but vendor identity should be confirmed in enterprise due-diligence by requesting documents directly from Netlify sales.

    // At a glance

    Pricing model

    Freemium; Free, Pro, and Enterprise tiers; usage-based overages for bandwidth and build minutes

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Netlify, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust-center.netlify-corp.com

    > Browse all vendor trust reports