// Trust & Security Report

    Paddle.com Market Ltd. logo

    Paddle.com Market Ltd.

    Merchant of Record platform for digital product companies. Key sub-products: Paddle Billing (MoR payments, subscriptions, localized checkout, tax compliance), ProfitWell Metrics (subscription/revenue analytics), Retain (failed payment recovery and churn reduction), Paddle Classic (legacy platform).

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Current Documents: 2025 - SOC 2 Type II. Archived Documents: 2024 - SOC 2 Type II; 2023 - SOC 2 Type II. Scope: Security, Availability and Confidentiality trust services criteria.

    Verify on trust.paddle.com
    PCI DSS 4.0.1
    HELD

    Current Documents: 2026 - PCI DSS Attestation of Compliance. Archived Documents: 2025 - PCI DSS Attestation of Compliance. PCI DSS 4.0.1 listed as compliant on trust center.

    Verify on trust.paddle.com
    GDPR
    HELD

    GDPR listed as compliant on trust center. GDPR readiness page describes lawful processing, data subject rights, SCCs for international transfers, and DPA available.

    Verify on trust.paddle.com
    CCPA
    HELD

    CCPA listed as COMPLIANT on the Paddle Trust Center overview page.

    Verify on trust.paddle.com
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 certification on trust.paddle.com or any paddle.com domain page. A Paddle compliance blog post describes ISO 27001 as something SaaS companies 'might also need' - indicating Paddle does not hold it. A third-party aggregator (Nudge Security) claims this cert but provides no vendor-domain evidence. Unknown / no public evidence on Paddle's own domain.

    source: trust.paddle.com
    ISO 27017
    NOT CONFIRMED

    No public evidence on Paddle's own domain.

    source: trust.paddle.com
    ISO 27018
    NOT CONFIRMED

    No public evidence on Paddle's own domain.

    source: trust.paddle.com
    ISO 27701
    NOT CONFIRMED

    No public evidence on Paddle's own domain.

    source: trust.paddle.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA on trust.paddle.com or paddle.com domain. Paddle is a payment/billing platform not serving healthcare use cases. A third-party aggregator (Nudge Security) claims HIPAA compliance but no vendor-domain evidence supports this. Unknown / no public evidence on Paddle's own domain.

    source: trust.paddle.com
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP on trust.paddle.com or paddle.com domain. Paddle is a UK-incorporated commercial payment company. A third-party aggregator (Nudge Security) claims FedRAMP compliance but no vendor-domain evidence supports this. Unknown / no public evidence on Paddle's own domain.

    source: trust.paddle.com
    CSA STAR
    NOT CONFIRMED

    No mention of CSA STAR on trust.paddle.com or paddle.com domain. A third-party aggregator (Nudge Security) claims CSA STAR Level 1 but no vendor-domain evidence supports this. Unknown / no public evidence on Paddle's own domain.

    source: trust.paddle.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence on Paddle's own domain. Paddle is primarily a payments platform, not an AI product.

    source: trust.paddle.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primarily United States (AWS cloud hosting for Paddle SaaS platform). EU/Ireland (Snowflake for business intelligence/analytics). Personal data may be transferred internationally among Paddle entities in UK, US, Ireland, and Canada per privacy policy. Standard Contractual Clauses used for EU-to-non-adequate-country transfers.

    Paddle is a Merchant of Record payments platform, not an AI product. The privacy policy, Master Services Agreement, and Data Processing Addendum contain no provisions regarding AI model training on customer data. The 'Lovable Payments, powered by Paddle' feature listed on the homepage appears to be a partner integration, not an Paddle-owned AI product. No AI training concerns identified.

    // Security controls

    Encryption in transit

    Yes - industry best practices including TLS encryption in transit confirmed

    paddle.com

    Encryption at rest

    Yes - encryption at rest confirmed

    paddle.com

    Multi-factor authentication

    Yes - MFA supported for platform access (referenced in trust center FAQ)

    trust.paddle.com

    Penetration testing

    Annual third-party penetration testing. 2025 pentest report available in trust center documents.

    trust.paddle.com

    Access controls

    Access control policies in place per DPA Exhibit B security measures

    paddle.com

    Vulnerability disclosure / bug bounty

    Responsible disclosure policy referenced in trust center FAQ

    trust.paddle.com

    Status page

    Public platform status reporting confirmed (referenced in trust center FAQ)

    trust.paddle.com

    Cloud infrastructure

    Amazon Web Services (US) as primary cloud hosting provider for Paddle SaaS platform

    trust.paddle.com

    Trust center platform

    Vanta-powered trust center. Migrated from legacy SafeBase trust center (security.paddle.com) in January 2026.

    trust.paddle.com

    // Products & data scope

    Paddle BillingMerchant of Record / Payments / Billing

    data: Payment card data (PCI DSS in scope), buyer PII, transaction records, subscription data, tax compliance data

    Full MoR model - Paddle assumes merchant liability and handles payments, taxes, and regulatory compliance across 300+ markets. PCI DSS 4.0.1 certified.

    ProfitWell MetricsSubscription Analytics

    data: Subscription and revenue metrics, aggregated billing data

    Real-time subscription, retention, and growth metrics. Analytics data processed through Snowflake in EU (Ireland).

    RetainRevenue Recovery / Dunning

    data: Payment method data, customer billing records

    Automated failed payment recovery and cancellation reduction. Operates on payment and subscription data within the Paddle platform.

    Paddle ClassicLegacy Merchant of Record platform

    data: Same as Paddle Billing - payment, PII, subscription data

    Legacy platform. SOC 2 2023 audit covered Paddle Platform Services including Classic. Customers migrating to Paddle Billing.

    // What to watch

    • THIRD-PARTY CERT OVER-CLAIM RISK: Nudge Security (third-party aggregator, not Paddle's domain) lists ISO 27001, HIPAA, FedRAMP, and CSA STAR Level 1 as held by Paddle. None of these appear on trust.paddle.com or any paddle.com page. These must NOT be reported as held. Treat as third-party data error.
    • ISO 27001 NOT CONFIRMED: trust.paddle.com lists only SOC 2, PCI DSS 4.0.1, GDPR, and CCPA. ISO 27001 is absent. Paddle's own compliance blog post describes ISO 27001 as a cert SaaS companies 'might also need', implying Paddle does not hold it.
    • HIPAA / FedRAMP NOT APPLICABLE: Paddle is a UK-registered commercial payments platform, not a healthcare or federal government contractor. No basis for HIPAA or FedRAMP claims on the vendor's own domain.
    • TRUST CENTER JS-HEAVY: trust.paddle.com is a Vanta-powered JS application that may render additional cert details beyond what the initial scrape captured. The known certs (SOC 2, PCI DSS, GDPR, CCPA) are well-confirmed; additional certs could exist but were not found through multiple verification passes.
    • NOT AN AI PRODUCT: Paddle is a Merchant of Record payment platform. Its AI-tools directory listing should clearly categorize it as payments/billing infrastructure rather than an AI tool. The 'Lovable Payments, powered by Paddle' homepage callout is a partner integration, not a Paddle AI feature.
    • DPA DUAL-DOCUMENT: Paddle has both a 'Data Processing Addendum' (paddle.com/legal/data-processing-addendum, where Paddle acts as processor) and a 'Data Sharing Addendum' (paddle.com/legal/data-sharing-addendum, controller-to-controller). Both should be reviewed for enterprise procurement.

    // At a glance

    Pricing model

    Percentage-based transaction fee on processed revenue (standard rate published on pricing page). Custom enterprise quotes available. No separate per-product tier pricing for compliance features - all handled at platform level.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Paddle.com Market Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.paddle.com

    > Browse all vendor trust reports