// Trust & Security Report
Plaid Inc.
Open banking / financial data API platform: core data products (Auth, Link, Transactions, Income, Balance, Assets, Identity), Payments (Pay by Bank, Recurring, Payouts), Identity Verification (IDV), Consumer Report (Plaid CRA), and regulated EU/UK entities (Plaid B.V., Plaid Financial Limited) for account information and payment initiation services.
Certifications held
4
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.plaid.com“SOC 2 Type 2 (listed as an available report on Plaid's Trust Center); confirmed separately as "annual SOC 2 Type II report" in Plaid's security/privacy blog post”
Verify on plaid.com“"Plaid is ISO27001 and ISO27701 certified" (announced December 9, 2021)”
Verify on plaid.com“Plaid B.V. is registered in the Netherlands... authorised and supervised by De Nederlandsche Bank (DNB)... Plaid Financial Limited... authorised and regulated by the Financial Conduct Authority (FCA)... Each entity provides regulated open banking services... under the EU Payment Services Directive (PSD2).”
> Show 5 unconfirmed / not-held certifications
source: plaid.comPlaid's own Developer Policy places PCI-DSS compliance obligations on the customer, not on Plaid itself: developers must "ensure that your... use of the Services and End User Data is in compliance with all laws applicable to you, including... any security requirements, including under the Payment Card Industry Data Security Standards (PCI-DSS), as may be applicable to you." No PCI DSS certificate is listed on Plaid's own Trust Center.
source: security.plaid.comNo public evidence of HIPAA compliance or a BAA program on Plaid's own domain (Trust Center, legal, or blog pages). Plaid is a financial-data platform, not a healthcare processor, so HIPAA is out of scope for its core product.
source: security.plaid.comNot listed on Plaid's Trust Center or in any vendor-domain page found; no public evidence.
source: security.plaid.comNo public evidence of CSA STAR registration on Plaid's own domain.
source: security.plaid.comNo public evidence of FedRAMP authorization; Plaid's public materials describe a Cloud Security Alliance-style questionnaire and AWS Foundational Technical Review, not a FedRAMP ATO.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Global platform with region-specific regulated entities: Plaid Inc. (US), Plaid B.V. (Netherlands, DNB-supervised), Plaid Financial Limited (UK, FCA-regulated). Cross-border EEA/UK transfers rely on adequacy decisions and standard contractual clauses (SCCs).
Plaid's End User Privacy Policy states Plaid uses data to "develop, train, test, and deploy artificial intelligence ('AI') systems" as part of building new products/features. Plaid's CTO has stated third-party AI partners (e.g. OpenAI) only receive data with explicit end-user consent, and Plaid's transaction foundation model is described as trained on de-identified data across the Plaid Network. However, no dedicated, general-purpose AI-training opt-out toggle was found on Plaid's own site; users can withdraw consent, submit data-deletion requests, or disconnect apps via Plaid Portal, but there is no explicit "do not use my data for AI training" control distinct from general data deletion. This is a gap worth flagging to buyers who care about AI-training opt-out specifically.
// Security controls
Encryption
Plaid states it "keeps your data safe with advanced security features like encryption and 24/7 monitoring" (specific in-transit/at-rest cipher details are not published on the public trust-safety page; full technical detail is gated behind the Trust Center's NDA'd documents).
plaid.comIndependent penetration testing
Trust Center lists a third-party penetration test performed by Doyensec, with reports available to vetted customers.
security.plaid.comCloud infrastructure review
AWS Foundational Technical Review completed, per Plaid's Trust Center.
security.plaid.comThird-party risk assessment
Plaid participates in TruSight, a standardized third-party vendor risk assessment consortium used by financial institutions.
security.plaid.comData minimization / retention
Plaid states it retains user data "only as long as it is needed" and systems are "designed to automatically delete your personal data" once a developer connection ends, subject to fraud-prevention, legal, and aggregated/anonymized-data exceptions.
plaid.com// Products & data scope
data: Bank account, transaction, income, balance, and identity data pulled from 12,000+ financial institutions via user-permissioned links.
Primary developer-facing API product; underlies most fintech integrations.
data: Payment initiation and account data; operates under PSD2 Account Information/Payment Initiation Service licenses in the EU/UK.
Regulated by FCA (Plaid Financial Limited) and DNB (Plaid B.V.) for EEA/UK payment services; funds are not held by Plaid and are not FSCS/Dutch Deposit Guarantee Scheme covered.
data: Government ID, biometric/facial-recognition data governed by a separate Biometric Policy and Release and IDV Privacy Statement.
Higher-sensitivity data category (biometrics) with its own dedicated policy; buyers handling biometric data should review this policy specifically.
data: Data used for lending/underwriting decisions, governed by its own CRA Privacy Policy (implying FCRA-adjacent obligations in the US).
Distinct compliance surface from the core API product; relevant to credit/lending use cases.
// What to watch
- Third-party sites (e.g. payment-processor blogs) claim Plaid holds PCI DSS certification, but Plaid's own Developer Policy frames PCI-DSS compliance as the customer/developer's responsibility, not Plaid's own certification -- graded held=false to avoid an over-claim. Do not list PCI DSS as a Plaid credential.
- Do not confuse 'Plaid Inc.' (this vendor, financial data API) with 'PlaidCloud' (an unrelated data-analytics company) or 'Plaud' (an unrelated AI voice-recorder company) -- both surfaced in search results under similar names and carry their own separate SOC 2/ISO/HIPAA claims that do NOT apply to Plaid Inc.
- Plaid's privacy policy confirms it uses customer/user data to train AI systems, but there is no dedicated AI-training opt-out separate from general data-deletion/consent-withdrawal mechanisms -- flag for AI-governance-sensitive buyers.
- Full technical detail behind certain security claims (e.g. exact encryption standards, SOC 2 report itself) sits behind Plaid's gated Trust Center portal (NDA/access request), so only summary-level claims could be verified directly from public vendor pages.
// At a glance
Pricing model
Usage/API-call-based enterprise contracts; not self-serve public pricing ("Contact sales" / "Talk with our team").
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Plaid Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.plaid.com