// Trust & Security Report

    Plaid Inc. logo

    Plaid Inc.

    Open banking / financial data API platform: core data products (Auth, Link, Transactions, Income, Balance, Assets, Identity), Payments (Pay by Bank, Recurring, Payouts), Identity Verification (IDV), Consumer Report (Plaid CRA), and regulated EU/UK entities (Plaid B.V., Plaid Financial Limited) for account information and payment initiation services.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type 2 (listed as an available report on Plaid's Trust Center); confirmed separately as "annual SOC 2 Type II report" in Plaid's security/privacy blog post

    Verify on security.plaid.com
    ISO/IEC 27001
    HELD

    "Plaid is ISO27001 and ISO27701 certified" (announced December 9, 2021)

    Verify on plaid.com
    ISO/IEC 27701 (privacy)
    HELD

    "Plaid is ISO27001 and ISO27701 certified"

    Verify on plaid.com
    GDPR (compliance posture, not a certification)
    HELD

    Plaid B.V. is registered in the Netherlands... authorised and supervised by De Nederlandsche Bank (DNB)... Plaid Financial Limited... authorised and regulated by the Financial Conduct Authority (FCA)... Each entity provides regulated open banking services... under the EU Payment Services Directive (PSD2).

    Verify on plaid.com
    > Show 5 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    Plaid's own Developer Policy places PCI-DSS compliance obligations on the customer, not on Plaid itself: developers must "ensure that your... use of the Services and End User Data is in compliance with all laws applicable to you, including... any security requirements, including under the Payment Card Industry Data Security Standards (PCI-DSS), as may be applicable to you." No PCI DSS certificate is listed on Plaid's own Trust Center.

    source: plaid.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or a BAA program on Plaid's own domain (Trust Center, legal, or blog pages). Plaid is a financial-data platform, not a healthcare processor, so HIPAA is out of scope for its core product.

    source: security.plaid.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    Not listed on Plaid's Trust Center or in any vendor-domain page found; no public evidence.

    source: security.plaid.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration on Plaid's own domain.

    source: security.plaid.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; Plaid's public materials describe a Cloud Security Alliance-style questionnaire and AWS Foundational Technical Review, not a FedRAMP ATO.

    source: security.plaid.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Global platform with region-specific regulated entities: Plaid Inc. (US), Plaid B.V. (Netherlands, DNB-supervised), Plaid Financial Limited (UK, FCA-regulated). Cross-border EEA/UK transfers rely on adequacy decisions and standard contractual clauses (SCCs).

    Plaid's End User Privacy Policy states Plaid uses data to "develop, train, test, and deploy artificial intelligence ('AI') systems" as part of building new products/features. Plaid's CTO has stated third-party AI partners (e.g. OpenAI) only receive data with explicit end-user consent, and Plaid's transaction foundation model is described as trained on de-identified data across the Plaid Network. However, no dedicated, general-purpose AI-training opt-out toggle was found on Plaid's own site; users can withdraw consent, submit data-deletion requests, or disconnect apps via Plaid Portal, but there is no explicit "do not use my data for AI training" control distinct from general data deletion. This is a gap worth flagging to buyers who care about AI-training opt-out specifically.

    // Security controls

    Encryption

    Plaid states it "keeps your data safe with advanced security features like encryption and 24/7 monitoring" (specific in-transit/at-rest cipher details are not published on the public trust-safety page; full technical detail is gated behind the Trust Center's NDA'd documents).

    plaid.com

    Independent penetration testing

    Trust Center lists a third-party penetration test performed by Doyensec, with reports available to vetted customers.

    security.plaid.com

    Cloud infrastructure review

    AWS Foundational Technical Review completed, per Plaid's Trust Center.

    security.plaid.com

    Third-party risk assessment

    Plaid participates in TruSight, a standardized third-party vendor risk assessment consortium used by financial institutions.

    security.plaid.com

    Data minimization / retention

    Plaid states it retains user data "only as long as it is needed" and systems are "designed to automatically delete your personal data" once a developer connection ends, subject to fraud-prevention, legal, and aggregated/anonymized-data exceptions.

    plaid.com

    // Products & data scope

    Core Data API (Auth, Transactions, Income, Balance, Assets, Identity)Financial data aggregation API

    data: Bank account, transaction, income, balance, and identity data pulled from 12,000+ financial institutions via user-permissioned links.

    Primary developer-facing API product; underlies most fintech integrations.

    Payments (Pay by Bank, Recurring, Payouts)Bank-to-bank payment initiation

    data: Payment initiation and account data; operates under PSD2 Account Information/Payment Initiation Service licenses in the EU/UK.

    Regulated by FCA (Plaid Financial Limited) and DNB (Plaid B.V.) for EEA/UK payment services; funds are not held by Plaid and are not FSCS/Dutch Deposit Guarantee Scheme covered.

    Identity Verification (IDV)KYC / identity verification

    data: Government ID, biometric/facial-recognition data governed by a separate Biometric Policy and Release and IDV Privacy Statement.

    Higher-sensitivity data category (biometrics) with its own dedicated policy; buyers handling biometric data should review this policy specifically.

    Plaid Consumer Reporting Agency (CRA)Consumer reporting

    data: Data used for lending/underwriting decisions, governed by its own CRA Privacy Policy (implying FCRA-adjacent obligations in the US).

    Distinct compliance surface from the core API product; relevant to credit/lending use cases.

    // What to watch

    • Third-party sites (e.g. payment-processor blogs) claim Plaid holds PCI DSS certification, but Plaid's own Developer Policy frames PCI-DSS compliance as the customer/developer's responsibility, not Plaid's own certification -- graded held=false to avoid an over-claim. Do not list PCI DSS as a Plaid credential.
    • Do not confuse 'Plaid Inc.' (this vendor, financial data API) with 'PlaidCloud' (an unrelated data-analytics company) or 'Plaud' (an unrelated AI voice-recorder company) -- both surfaced in search results under similar names and carry their own separate SOC 2/ISO/HIPAA claims that do NOT apply to Plaid Inc.
    • Plaid's privacy policy confirms it uses customer/user data to train AI systems, but there is no dedicated AI-training opt-out separate from general data-deletion/consent-withdrawal mechanisms -- flag for AI-governance-sensitive buyers.
    • Full technical detail behind certain security claims (e.g. exact encryption standards, SOC 2 report itself) sits behind Plaid's gated Trust Center portal (NDA/access request), so only summary-level claims could be verified directly from public vendor pages.

    // At a glance

    Pricing model

    Usage/API-call-based enterprise contracts; not self-serve public pricing ("Contact sales" / "Talk with our team").

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Plaid Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.plaid.com

    > Browse all vendor trust reports