// Trust & Security Report
ReadMe
Developer-facing API and technical documentation platform; includes API Reference, Guides, Help Center, Changelog, Recipes, AI Writer, AI Linter, Ask AI, and Metrics/Analytics for developer hub operators.
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.readme.com“Compliance section lists 'SOC 2 Type II'; Resources section lists 'ReadMe - SOC 2 Type II' report available upon request. AI page states 'SOC 2 Type II' as a listed enterprise compliance credential.”
Verify on trust.readme.com“Compliance section lists 'GDPR'; Data Processing Addendum (2025) available; Standard Contractual Clauses govern EEA/UK data transfers; DPA covers EU GDPR, CCPA, UK GDPR, and Swiss FADP.”
Verify on trust.readme.com“Compliance section at trust.readme.com lists 'HIPAA' as a compliance framework. No public BAA or HIPAA-specific controls enumerated on the public trust center page; BAA availability should be confirmed with ReadMe directly.”
Verify on trust.readme.com“Compliance section at trust.readme.com lists 'WCAG 2.1' as a compliance framework.”
> Show 5 unconfirmed / not-held certifications
source: trust.readme.comNo public evidence found on readme.com, trust.readme.com, or via web search. Not listed in trust center compliance section.
source: trust.readme.comNo public evidence found. Not listed in trust center or any vendor-domain page.
source: trust.readme.comNo public evidence found. Not listed in trust center or any vendor-domain page.
source: trust.readme.comNo public evidence found. Not listed in trust center or any vendor-domain page.
source: trust.readme.comNo public evidence found. Payment processing appears delegated to subprocessors. Not listed in trust center compliance section.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS us-east-1, Virginia). Data may be transferred to the US from the EEA/UK under Standard Contractual Clauses.
ReadMe's AI page explicitly states: 'Your data generates answers. It never trains a model.' Customer documentation is logically separated per-account. The general privacy policy does not address AI training; the AI-specific page (readme.com/ai) is the authoritative source for this claim. Third-party AI provider GPT-4o (OpenAI) is referenced as a configurable model option — data sharing with OpenAI for inference is implied but OpenAI's model training opt-out status for ReadMe is not confirmed on a vendor-domain page.
// Security controls
Encryption at rest
Provided by database providers (Clickhouse via Altinity, MongoDB). ReadMe does not apply an additional encryption layer. Sensitive data exclusion from requests is recommended.
docs.readme.comEncryption in transit
TLS/HTTPS confirmed ('Data transmission encrypted' listed as a product security control on trust center).
trust.readme.comData hosting
AWS, US-East (Virginia). Subprocessors include Algolia (search), AWS (hosting), Baremetrics (payment analytics), Cloudflare (CDN/network security).
docs.readme.comAccess controls
Role-based access controls (Viewer, Editor, Admin); SSO via Microsoft Entra ID, Google Workspace, and Okta Workforce; 2FA available per user settings.
readme.comAudit logs
Detailed audit logs available for enterprise tier. Track every change across docs.
readme.comIncident response
ReadMe - Incident Response Plan - 2025 listed as a downloadable resource on the trust center.
trust.readme.comBusiness continuity
ReadMe - Business Continuity and Disaster Recovery Plan - 2025 listed; continuity and DR plans are tested (listed as an internal security procedures control).
trust.readme.comVulnerability management
Bug bounty program in place (docs.readme.com/main/docs/bug-bounty-program). Anti-malware technology utilized (listed as organizational security control).
docs.readme.comCybersecurity insurance
Cybersecurity insurance maintained (listed as an internal security procedures control).
trust.readme.comData retention
DPA: customer data retained up to 60 days after contract termination. Security FAQ for metrics data: 'ReadMe retains all data indefinitely.' These apply to different data types but the wording discrepancy should be clarified with ReadMe.
dpa.readme.io// Products & data scope
data: Customer-authored documentation content, API specs (OpenAPI), user account data, and developer API usage metrics. Data hosted on AWS in Virginia, US.
Core product. Includes WYSIWYG editor, bi-directional GitHub/GitLab sync, versioning, branching, and customizable themes.
data: Customer documentation is used for retrieval-augmented generation (RAG) to answer developer queries. GPT-4o (OpenAI) referenced as AI model. Customer data is NOT used for model training per vendor claim.
AI Writer proposes doc updates from Git pull requests. AI Linter enforces style guides. Ask AI provides instant AI answers powered by the customer's own docs. AI audit trail available. Available on enterprise tier with SOC 2 and DPA support.
data: API call logs, developer email, API keys, endpoint usage, error rates. Stored indefinitely per security FAQ. Admin-level visibility of metrics data; configurable allowlist/denylist via SDKs.
Sensitive data should be excluded from API requests sent to ReadMe. Data export not currently available.
data: Same as core platform; adds SSO, RBAC, audit logs, migration services, multilingual docs support, and enforced review requirements for branches.
Enterprise tier includes compliance questionnaire support and DPA. HIPAA compliance listed for enterprise context.
// What to watch
- DATA_RETENTION_INCONSISTENCY: Security FAQ states 'ReadMe retains all data indefinitely' (metrics data), while the DPA states customer data is retained 'up to 60 days after contract termination.' These likely refer to different data categories but the apparent contradiction should be clarified with ReadMe before use in regulated environments.
- HIPAA_BAA_NOT_PUBLICLY_CONFIRMED: HIPAA is listed in the trust center compliance section, but no public BAA document or HIPAA-specific controls are enumerated on the public trust center page. Customers requiring HIPAA coverage must request and execute a BAA directly with ReadMe.
- AI_TRAINING_CLAIM_NOT_IN_PRIVACY_POLICY: The 'never trains a model' commitment appears only on readme.com/ai, not in the main privacy policy (readme.com/privacy). If the AI page is updated or retired, the privacy policy does not provide backup protection. Customers should request contractual confirmation via DPA.
- OPENAI_GPT4O_SUBPROCESSOR: GPT-4o is referenced as a configurable AI model on readme.com/ai, implying OpenAI is a subprocessor for AI features. OpenAI's model training opt-out status for ReadMe's API usage is not confirmed on a vendor-domain page. Customers should verify this in the current subprocessors list at trust.readme.com.
- ENCRYPTION_AT_REST_DELEGATED: ReadMe explicitly states it does not add an additional encryption layer beyond what database providers (Clickhouse/Altinity, MongoDB) supply. Customers with strict encryption key management requirements should verify provider-level controls.
- NO_EU_DATA_RESIDENCY: All data is hosted in the US (AWS Virginia). No EU or regional data residency option found. GDPR transfers rely on Standard Contractual Clauses. Organizations in jurisdictions requiring in-country data storage cannot use ReadMe.
// At a glance
Pricing model
Tiered SaaS (free trial available; paid plans scale by features and team size; Enterprise plan with custom pricing for SSO, RBAC, audit logs, and compliance support).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ReadMe's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.readme.com