// Trust & Security Report

    ReadMe logo

    ReadMe

    Developer-facing API and technical documentation platform; includes API Reference, Guides, Help Center, Changelog, Recipes, AI Writer, AI Linter, Ask AI, and Metrics/Analytics for developer hub operators.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance section lists 'SOC 2 Type II'; Resources section lists 'ReadMe - SOC 2 Type II' report available upon request. AI page states 'SOC 2 Type II' as a listed enterprise compliance credential.

    Verify on trust.readme.com
    GDPR
    HELD

    Compliance section lists 'GDPR'; Data Processing Addendum (2025) available; Standard Contractual Clauses govern EEA/UK data transfers; DPA covers EU GDPR, CCPA, UK GDPR, and Swiss FADP.

    Verify on trust.readme.com
    HIPAA
    HELD

    Compliance section at trust.readme.com lists 'HIPAA' as a compliance framework. No public BAA or HIPAA-specific controls enumerated on the public trust center page; BAA availability should be confirmed with ReadMe directly.

    Verify on trust.readme.com
    WCAG 2.1
    HELD

    Compliance section at trust.readme.com lists 'WCAG 2.1' as a compliance framework.

    Verify on trust.readme.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence found on readme.com, trust.readme.com, or via web search. Not listed in trust center compliance section.

    source: trust.readme.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found. Not listed in trust center or any vendor-domain page.

    source: trust.readme.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found. Not listed in trust center or any vendor-domain page.

    source: trust.readme.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found. Not listed in trust center or any vendor-domain page.

    source: trust.readme.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found. Payment processing appears delegated to subprocessors. Not listed in trust center compliance section.

    source: trust.readme.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS us-east-1, Virginia). Data may be transferred to the US from the EEA/UK under Standard Contractual Clauses.

    ReadMe's AI page explicitly states: 'Your data generates answers. It never trains a model.' Customer documentation is logically separated per-account. The general privacy policy does not address AI training; the AI-specific page (readme.com/ai) is the authoritative source for this claim. Third-party AI provider GPT-4o (OpenAI) is referenced as a configurable model option — data sharing with OpenAI for inference is implied but OpenAI's model training opt-out status for ReadMe is not confirmed on a vendor-domain page.

    // Security controls

    Encryption at rest

    Provided by database providers (Clickhouse via Altinity, MongoDB). ReadMe does not apply an additional encryption layer. Sensitive data exclusion from requests is recommended.

    docs.readme.com

    Encryption in transit

    TLS/HTTPS confirmed ('Data transmission encrypted' listed as a product security control on trust center).

    trust.readme.com

    Data hosting

    AWS, US-East (Virginia). Subprocessors include Algolia (search), AWS (hosting), Baremetrics (payment analytics), Cloudflare (CDN/network security).

    docs.readme.com

    Access controls

    Role-based access controls (Viewer, Editor, Admin); SSO via Microsoft Entra ID, Google Workspace, and Okta Workforce; 2FA available per user settings.

    readme.com

    Audit logs

    Detailed audit logs available for enterprise tier. Track every change across docs.

    readme.com

    Incident response

    ReadMe - Incident Response Plan - 2025 listed as a downloadable resource on the trust center.

    trust.readme.com

    Business continuity

    ReadMe - Business Continuity and Disaster Recovery Plan - 2025 listed; continuity and DR plans are tested (listed as an internal security procedures control).

    trust.readme.com

    Vulnerability management

    Bug bounty program in place (docs.readme.com/main/docs/bug-bounty-program). Anti-malware technology utilized (listed as organizational security control).

    docs.readme.com

    Cybersecurity insurance

    Cybersecurity insurance maintained (listed as an internal security procedures control).

    trust.readme.com

    Data retention

    DPA: customer data retained up to 60 days after contract termination. Security FAQ for metrics data: 'ReadMe retains all data indefinitely.' These apply to different data types but the wording discrepancy should be clarified with ReadMe.

    dpa.readme.io

    // Products & data scope

    ReadMe Documentation PlatformAPI and Technical Documentation

    data: Customer-authored documentation content, API specs (OpenAPI), user account data, and developer API usage metrics. Data hosted on AWS in Virginia, US.

    Core product. Includes WYSIWYG editor, bi-directional GitHub/GitLab sync, versioning, branching, and customizable themes.

    ReadMe AI (AI Writer, AI Linter, Ask AI)AI-powered Documentation Tools

    data: Customer documentation is used for retrieval-augmented generation (RAG) to answer developer queries. GPT-4o (OpenAI) referenced as AI model. Customer data is NOT used for model training per vendor claim.

    AI Writer proposes doc updates from Git pull requests. AI Linter enforces style guides. Ask AI provides instant AI answers powered by the customer's own docs. AI audit trail available. Available on enterprise tier with SOC 2 and DPA support.

    ReadMe MetricsAPI Analytics

    data: API call logs, developer email, API keys, endpoint usage, error rates. Stored indefinitely per security FAQ. Admin-level visibility of metrics data; configurable allowlist/denylist via SDKs.

    Sensitive data should be excluded from API requests sent to ReadMe. Data export not currently available.

    ReadMe EnterpriseEnterprise Documentation

    data: Same as core platform; adds SSO, RBAC, audit logs, migration services, multilingual docs support, and enforced review requirements for branches.

    Enterprise tier includes compliance questionnaire support and DPA. HIPAA compliance listed for enterprise context.

    // What to watch

    • DATA_RETENTION_INCONSISTENCY: Security FAQ states 'ReadMe retains all data indefinitely' (metrics data), while the DPA states customer data is retained 'up to 60 days after contract termination.' These likely refer to different data categories but the apparent contradiction should be clarified with ReadMe before use in regulated environments.
    • HIPAA_BAA_NOT_PUBLICLY_CONFIRMED: HIPAA is listed in the trust center compliance section, but no public BAA document or HIPAA-specific controls are enumerated on the public trust center page. Customers requiring HIPAA coverage must request and execute a BAA directly with ReadMe.
    • AI_TRAINING_CLAIM_NOT_IN_PRIVACY_POLICY: The 'never trains a model' commitment appears only on readme.com/ai, not in the main privacy policy (readme.com/privacy). If the AI page is updated or retired, the privacy policy does not provide backup protection. Customers should request contractual confirmation via DPA.
    • OPENAI_GPT4O_SUBPROCESSOR: GPT-4o is referenced as a configurable AI model on readme.com/ai, implying OpenAI is a subprocessor for AI features. OpenAI's model training opt-out status for ReadMe's API usage is not confirmed on a vendor-domain page. Customers should verify this in the current subprocessors list at trust.readme.com.
    • ENCRYPTION_AT_REST_DELEGATED: ReadMe explicitly states it does not add an additional encryption layer beyond what database providers (Clickhouse/Altinity, MongoDB) supply. Customers with strict encryption key management requirements should verify provider-level controls.
    • NO_EU_DATA_RESIDENCY: All data is hosted in the US (AWS Virginia). No EU or regional data residency option found. GDPR transfers rely on Standard Contractual Clauses. Organizations in jurisdictions requiring in-country data storage cannot use ReadMe.

    // At a glance

    Pricing model

    Tiered SaaS (free trial available; paid plans scale by features and team size; Enterprise plan with custom pricing for SSO, RBAC, audit logs, and compliance support).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ReadMe's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.readme.com

    > Browse all vendor trust reports