// Trust & Security Report

    Polymer Search logo

    Polymer Search

    Self-serve BI / embedded-analytics platform ("Polymer"): Dashboard Creator and AI-assisted dashboards for direct business users, plus an Embedded Analytics API (from $500/month) that lets SaaS companies white-label Polymer's dashboards inside their own product. Also includes a "Poly AI" AI-insights/conversational feature and third-party data connectors (Shopify, Google Ads, Facebook Ads, GA4, Salesforce, CSV upload, ETL tools).

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    No public evidence of a SOC 2 report or attestation on any polymersearch.com page (privacy policy, terms of service, data-handling, data-privacy help center, or pricing pages checked); no trust center exists to host such a report.

    source: polymersearch.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification anywhere on polymersearch.com.

    source: polymersearch.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on vendor domain.

    source: polymersearch.com
    HIPAA
    NOT CONFIRMED

    Polymer's own glossary page defines HIPAA generically for readers but makes no first-person claim that Polymer itself is HIPAA compliant or offers a BAA; no BAA offering found anywhere on the site.

    source: polymersearch.com
    GDPR (compliance posture)
    NOT CONFIRMED

    The privacy policy is US/CCPA-focused with no dedicated GDPR section or EU legal-basis language. The GDPR glossary page positions Polymer only as 'a robust partner in your GDPR journey, helping you navigate...' — marketing language, not a compliance claim.

    source: polymersearch.com
    PCI DSS
    NOT CONFIRMED

    No first-person PCI DSS claim found; a glossary/blog article mentions PCI compliance only as general advice to readers, not as a statement about Polymer's own certification status.

    source: polymersearch.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of AI governance certification on vendor domain, despite the product marketing AI-driven ('Poly AI') features.

    source: polymersearch.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence found on vendor domain.

    source: polymersearch.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; product is not marketed to US federal government.

    source: polymersearch.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not publicly specified. Third-party cloud-infrastructure research (Intricately) indicates Polymer runs on AWS (S3-based storage with an added application-level AES-256 encryption layer), but no vendor-published data-residency commitment or region choice was found.

    The Terms of Service grant Polymer a 'worldwide, royalty-free and non-exclusive, perpetual, irrevocable and fully sublicensable license to use, distribute, reproduce, modify, adapt, publish, translate, and publicly display' customer data. No page found explicitly confirms or denies whether uploaded/connected customer data is used to train the 'Poly AI' feature or any underlying model, and no opt-out mechanism is documented publicly. This is an unresolved gap, not a confirmed practice.

    // Security controls

    Encryption in transit

    TLS and HSTS for data in transit across public networks

    polymersearch.com

    Encryption at rest

    AES-256 encryption; an application-level AES-256 layer is added on top of underlying S3 encryption so Polymer's own backend cannot read data at rest without decryption

    polymersearch.com

    Secrets management

    KMS-based key management plus GPG encryption for additional protection

    polymersearch.com

    Monitoring / logging

    Central logging system with automated alarms for suspicious activity; infrastructure monitoring for security and stability events

    polymersearch.com

    Data containment

    Uploaded data is treated as confidential and is not authorized to leave Polymer's service environment except in limited circumstances (e.g., resolving a customer's support request)

    polymersearch.com

    Data deletion

    Users can permanently delete datasets through the product interface; deletion removes encrypted data, metadata, and associated information with no stated recovery option

    polymersearch.com

    Independent audit / attestation

    None published — all security claims above are self-reported by Polymer with no third-party audit report, trust center, or certification badge found

    polymersearch.com

    // Products & data scope

    Polymer Dashboard Creator / AI DashboardsSelf-serve BI

    data: Connected marketing/ecommerce/sales data (Shopify, Google Ads, Facebook Ads, GA4, Salesforce, CSV) belonging to the paying customer

    Direct-use product for marketers/agencies/ecommerce teams; freemium entry with paid tiers

    Polymer Embedded Analytics APIEmbedded / white-label analytics

    data: End-customer data of the SaaS company embedding Polymer, passed through Polymer's API and rendered in white-labeled dashboards

    Starts at $500/month; this tier carries the most third-party-data risk since the embedding company's own end users' data flows through Polymer with 'secure user access control' described only in marketing copy, not backed by a certification

    Polymer EnterpriseEnterprise BI / API

    data: Same as API tier, at higher volume

    Adds dedicated account manager, auto real-time data syncing, unlimited accounts per connector, uncapped 'Poly AI' responses; pricing is custom/contact-sales. No enterprise-specific security page (SSO, custom DPA, dedicated tenancy) was found

    // What to watch

    • No trust center and no SOC 2, ISO 27001, HIPAA, or GDPR-specific certification found anywhere on the vendor's own domain, despite the Embedded Analytics/API product routing third-party end-customer data through Polymer's infrastructure.
    • Privacy policy is US/CCPA-oriented with no explicit GDPR section; a glossary page markets Polymer as a 'partner in your GDPR journey' which could be misread by prospects as a compliance claim — it is not one, and is graded held=false accordingly.
    • Terms of Service grant Polymer a broad, perpetual, sublicensable right to use/reproduce/modify/publish customer data, with no explicit statement on whether this data feeds AI/model training or how to opt out; unresolved gap, not a confirmed practice.
    • Identity-conflation risk: multiple unrelated companies share 'Polymer' branding (polymer.co — a data-loss-prevention/security vendor with its own SOC 2/GDPR content; PolyAI — a voice-agent platform; Polymer Nation; Polymer Engineering GmbH). None of those companies' certifications or policies were used in this assessment — all findings are sourced strictly from polymersearch.com pages matching the evidence file's URL.
    • Security controls described on /data-handling (AES-256, TLS/HSTS, KMS, GPG, logging) are reasonably detailed and consistent with growth-stage engineering practice, but are entirely self-reported with no third-party audit backing them.

    // At a glance

    Pricing model

    Freemium self-serve tiers, plus API/Enterprise access starting at $500/month with custom pricing for higher volume

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Polymer Search's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    polymersearch.com

    > Browse all vendor trust reports