// Trust & Security Report
Pentera Security Ltd.
AI-driven exposure validation platform for automated penetration testing and vulnerability remediation. Sub-products: Pentera Core (internal network testing), Pentera Cloud (cloud/hybrid environment testing), Pentera Surface (external attack surface validation, SaaS), Pentera Resolve (automated remediation, SaaS).
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.pentera.io“Pentera is proud to announce the successful completion of our SOC 2 and SOC 3 reports for Surface and Resolve for 2025-2026. Featured Documents: Pentera Surface SOC 2 Type II Report, Pentera Resolve SOC 2 Type II Report.”
Verify on trust.pentera.io“Pentera is proud to announce the successful completion of our SOC 2 and SOC 3 reports for Surface and Resolve for 2025-2026. Featured Documents: Pentera Surface SOC 3 Report.”
Verify on trust.pentera.io“Featured Documents: Pentera ISO 27001:2022 Certificate. Badges: ISO 27001:2022 listed in trust center badge set.”
Verify on trust.pentera.io“Update: 2026 Reports Available - ISO42001 and ISO9001. Our latest 2026 ISO/IEC 42001 and ISO 9001 certificates are now available in the Trust Center. Featured Documents: Pentera ISO/IEC 42001 Certificate.”
Verify on trust.pentera.io“Update: 2026 Reports Available - ISO42001 and ISO9001. Our latest 2026 ISO/IEC 42001 and ISO 9001 certificates are now available in the Trust Center. Featured Documents: Pentera ISO 9001 Certificate.”
Verify on trust.pentera.io“Badges: GDPR listed in trust center badge set. Privacy policy references Regulation (EU) 2016/679 (GDPR) and Standard Contractual Clauses for international transfers.”
Verify on trust.pentera.io“Badges: CCPA listed in trust center badge set.”
> Show 5 unconfirmed / not-held certifications
source: trust.pentera.ioNo HIPAA certification or BAA publicly documented. Pentera supports customers in meeting HIPAA-related security testing requirements but does not hold HIPAA certification as a vendor. Not listed among trust center badges or documents.
source: trust.pentera.ioNo FedRAMP authorization claimed or evidenced on pentera.io or trust.pentera.io. Not listed in trust center.
source: trust.pentera.ioPentera publishes content on helping customers achieve PCI DSS compliance but holds no PCI DSS certification itself. Not listed in trust center badges or documents.
source: trust.pentera.ioNo CSA STAR badge or registration evidenced on trust.pentera.io or pentera.io.
source: trust.pentera.ioNo ISO 27017 or ISO 27018 badges or certificates listed in the trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU primary for SaaS subprocessors (AWS EU for Surface platform hosting, MongoDB EU for DB, Snowflake EU for data warehousing, Salesforce EU for customer support). SpyCloud (US) is used as an intelligence source, creating a data-residency exception for threat intelligence data.
Pentera's Resolve Software Subscription Agreement (Section 3.1, AI Feature) states verbatim: 'Company will not use Customer Data to train AI or machine learning models.' (https://pentera.io/legal-hub/resolve-software-subscription-agreement/). Pentera's ISO/IEC 42001 AI governance certification supports this posture. Amazon Bedrock is listed as a subprocessor for generative AI features, hosted in EU. Note: the publicly posted Data Processing Agreement does not itself contain an AI-training restriction clause, and the public privacy policy (last updated 15 Apr 2026) does not include one either; the restriction lives in the product subscription agreement(s).
// Security controls
Encryption in transit
Not explicitly stated in public-facing pages; SOC 2 Type II and ISO 27001:2022 certifications require TLS/HTTPS as a baseline. Trust center does not publish a dedicated encryption standards page.
trust.pentera.ioAnnual third-party audits
Yes. SOC 2 Type II, ISO 27001:2022, ISO 42001, and ISO 9001 all require periodic third-party audits. Trust center quick summary confirms 'One or more annual third-party audit(s)'.
trust.pentera.ioAnnual penetration testing
Yes. Trust center quick summary states 'Annual third-party penetration testing'. Separate application pen test reports are listed for Core, Surface, and Resolve.
trust.pentera.ioSubprocessors disclosure
Yes. Six subprocessors listed: Amazon Bedrock (EU, AI features), AWS (EU, Surface hosting), MongoDB (EU, DB), Salesforce (EU, support), Snowflake (EU, analytics), SpyCloud (US, threat intelligence). Last updated May 3, 2026.
trust.pentera.ioIAM / SSO for employee access
Yes. Trust center quick summary states 'Uses a centralized IAM solution (SSO) to manage employee access'.
trust.pentera.ioDPA availability
Yes. DPA is publicly available at https://pentera.io/legal-hub/data-processing-agreement/. Trust center confirms 'Will enter into a DPA'.
trust.pentera.io// Products & data scope
data: Internal network credentials, host data, vulnerability scan results. Typically deployed on-premises within customer environment.
Application penetration test report available on trust center. Not explicitly named in the 2025-2026 SOC 2 Type II announcement (Surface and Resolve are named); scope for Core should be confirmed with vendor.
data: Cloud identity credentials, cloud resource configurations, hybrid environment exposure data.
AI-driven cloud penetration testing. Not explicitly named in the 2025-2026 SOC 2 Type II announcement; scope should be confirmed with vendor.
data: External-facing asset data, leaked credentials, external exposure findings. Hosted on AWS EU.
SOC 2 Type II and SOC 3 certified for 2025-2026. Application pen test report available. EU data residency for platform hosting.
data: Vulnerability findings, remediation actions, security control configurations.
SOC 2 Type II and SOC 3 certified for 2025-2026. Separate application pen test report available.
// What to watch
- SOC 2 Type II scope for 2025-2026 is explicitly stated for Surface and Resolve only. Core and Cloud are not named in the latest SOC 2 announcement; buyers requiring SOC 2 coverage for Core or Cloud should confirm scope with Pentera.
- The publicly posted Data Processing Agreement does not contain an explicit AI-training restriction clause; the restriction ('Company will not use Customer Data to train AI or machine learning models') is found in the product subscription agreement(s), e.g. the Resolve Software Subscription Agreement (Section 3.1). The privacy policy (last updated 15 Apr 2026) likewise does not state the AI-training restriction directly, so buyers wanting this commitment should rely on the applicable subscription agreement.
- SpyCloud (US-based) is listed as a subprocessor for threat intelligence, creating a minor EU data-residency exception for intelligence data flows.
// At a glance
Pricing model
Enterprise subscription; contact sales for pricing. Product-specific licensing: Core Plus EULA, Surface Software Subscription Agreement, Resolve Software Subscription Agreement.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pentera Security Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.pentera.io