// Trust & Security Report
Polymer Search
Self-serve BI / embedded-analytics platform ("Polymer"): Dashboard Creator and AI-assisted dashboards for direct business users, plus an Embedded Analytics API (from $500/month) that lets SaaS companies white-label Polymer's dashboards inside their own product. Also includes a "Poly AI" AI-insights/conversational feature and third-party data connectors (Shopify, Google Ads, Facebook Ads, GA4, Salesforce, CSV upload, ETL tools).
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
source: polymersearch.comNo public evidence of a SOC 2 report or attestation on any polymersearch.com page (privacy policy, terms of service, data-handling, data-privacy help center, or pricing pages checked); no trust center exists to host such a report.
source: polymersearch.comNo public evidence of ISO 27001 certification anywhere on polymersearch.com.
source: polymersearch.comNo public evidence found on vendor domain.
source: polymersearch.comPolymer's own glossary page defines HIPAA generically for readers but makes no first-person claim that Polymer itself is HIPAA compliant or offers a BAA; no BAA offering found anywhere on the site.
source: polymersearch.comThe privacy policy is US/CCPA-focused with no dedicated GDPR section or EU legal-basis language. The GDPR glossary page positions Polymer only as 'a robust partner in your GDPR journey, helping you navigate...' — marketing language, not a compliance claim.
source: polymersearch.comNo first-person PCI DSS claim found; a glossary/blog article mentions PCI compliance only as general advice to readers, not as a statement about Polymer's own certification status.
source: polymersearch.comNo public evidence of AI governance certification on vendor domain, despite the product marketing AI-driven ('Poly AI') features.
source: polymersearch.comNo public evidence found on vendor domain.
source: polymersearch.comNo public evidence found; product is not marketed to US federal government.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not publicly specified. Third-party cloud-infrastructure research (Intricately) indicates Polymer runs on AWS (S3-based storage with an added application-level AES-256 encryption layer), but no vendor-published data-residency commitment or region choice was found.
The Terms of Service grant Polymer a 'worldwide, royalty-free and non-exclusive, perpetual, irrevocable and fully sublicensable license to use, distribute, reproduce, modify, adapt, publish, translate, and publicly display' customer data. No page found explicitly confirms or denies whether uploaded/connected customer data is used to train the 'Poly AI' feature or any underlying model, and no opt-out mechanism is documented publicly. This is an unresolved gap, not a confirmed practice.
// Security controls
Encryption at rest
AES-256 encryption; an application-level AES-256 layer is added on top of underlying S3 encryption so Polymer's own backend cannot read data at rest without decryption
polymersearch.comSecrets management
KMS-based key management plus GPG encryption for additional protection
polymersearch.comMonitoring / logging
Central logging system with automated alarms for suspicious activity; infrastructure monitoring for security and stability events
polymersearch.comData containment
Uploaded data is treated as confidential and is not authorized to leave Polymer's service environment except in limited circumstances (e.g., resolving a customer's support request)
polymersearch.comData deletion
Users can permanently delete datasets through the product interface; deletion removes encrypted data, metadata, and associated information with no stated recovery option
polymersearch.comIndependent audit / attestation
None published — all security claims above are self-reported by Polymer with no third-party audit report, trust center, or certification badge found
polymersearch.com// Products & data scope
data: Connected marketing/ecommerce/sales data (Shopify, Google Ads, Facebook Ads, GA4, Salesforce, CSV) belonging to the paying customer
Direct-use product for marketers/agencies/ecommerce teams; freemium entry with paid tiers
data: End-customer data of the SaaS company embedding Polymer, passed through Polymer's API and rendered in white-labeled dashboards
Starts at $500/month; this tier carries the most third-party-data risk since the embedding company's own end users' data flows through Polymer with 'secure user access control' described only in marketing copy, not backed by a certification
data: Same as API tier, at higher volume
Adds dedicated account manager, auto real-time data syncing, unlimited accounts per connector, uncapped 'Poly AI' responses; pricing is custom/contact-sales. No enterprise-specific security page (SSO, custom DPA, dedicated tenancy) was found
// What to watch
- No trust center and no SOC 2, ISO 27001, HIPAA, or GDPR-specific certification found anywhere on the vendor's own domain, despite the Embedded Analytics/API product routing third-party end-customer data through Polymer's infrastructure.
- Privacy policy is US/CCPA-oriented with no explicit GDPR section; a glossary page markets Polymer as a 'partner in your GDPR journey' which could be misread by prospects as a compliance claim — it is not one, and is graded held=false accordingly.
- Terms of Service grant Polymer a broad, perpetual, sublicensable right to use/reproduce/modify/publish customer data, with no explicit statement on whether this data feeds AI/model training or how to opt out; unresolved gap, not a confirmed practice.
- Identity-conflation risk: multiple unrelated companies share 'Polymer' branding (polymer.co — a data-loss-prevention/security vendor with its own SOC 2/GDPR content; PolyAI — a voice-agent platform; Polymer Nation; Polymer Engineering GmbH). None of those companies' certifications or policies were used in this assessment — all findings are sourced strictly from polymersearch.com pages matching the evidence file's URL.
- Security controls described on /data-handling (AES-256, TLS/HSTS, KMS, GPG, logging) are reasonably detailed and consistent with growth-stage engineering practice, but are entirely self-reported with no third-party audit backing them.
// At a glance
Pricing model
Freemium self-serve tiers, plus API/Enterprise access starting at $500/month with custom pricing for higher volume
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Polymer Search's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
polymersearch.com