// Trust & Security Report

    Replit, Inc. logo

    Replit, Inc.

    AI-powered IDE and app development platform with Replit Agent for code generation, databases, authentication, and deployment across web/mobile/design applications. Pricing tiers: Starter (Free), Core, Pro, Enterprise.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Enterprise reached major security milestones: SOC 2 Type II certification with zero exceptions and an 'Advanced' Bitsight ranking (780 security score).

    Verify on replit.com
    GDPR
    HELD

    Data Protection Law means all applicable laws...including...the General Data Protection Regulation, Regulation (EU) 2016/679 ('GDPR'). The DPA incorporates Standard Contractual Clauses required under GDPR for international data transfers.

    Verify on replit.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No direct mention of Replit holding ISO 27001 certification in own documentation. Only GCP (infrastructure provider) holds ISO 27001 certification. Replit's own company certification is limited to SOC 2 Type II.

    source: docs.replit.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance on Replit's own domain: its Terms of Service, security documentation, and trust center contain no HIPAA or Business Associate Agreement (BAA) language, and Replit does not advertise HIPAA eligibility. Third-party sources report that Replit does not offer a BAA, but that assertion is not confirmed by the vendor's own documentation.

    source: docs.replit.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on Replit's vendor-domain documentation.

    source: replit.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification on Replit's vendor-domain documentation.

    source: replit.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification on Replit's vendor-domain documentation.

    source: replit.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Configurable: North America, EU, South America, Asia, Australia. Development environments run in North America. Subprocessors include US-based companies (Anthropic, OpenAI, Google Cloud, Cloudflare, Stripe, etc.).

    Public app content may be used for training LLMs: 'Content published in public Apps may be used by Replit for improving the Service, including but not limited to developing or training large language models.' Private apps: Replit reserves access 'for the purpose of troubleshooting, improving our service, and ensuring the safety and security of the Service'—no explicit opt-out mechanism documented.

    // Security controls

    Encryption in Transit

    TLS 1.2+

    docs.replit.com

    Encryption at Rest

    AES-256

    docs.replit.com

    Bitsight Rating

    Advanced (780 security score)

    replit.com

    Enterprise Controls

    SSO/SAML, SOC 2, Admin controls, Secure services screening

    replit.com

    Shared Responsibility Model

    Defined and documented

    docs.replit.com

    // Products & data scope

    Replit Platform (IDE/Development)Development Environment

    data: Source code, user profiles, project metadata. Public projects may be used for AI training.

    Freemium tier available. Supports web, mobile, design, data visualization, 3D games. Multi-user collaboration available. Public/private project visibility options.

    Replit AgentAI Code Generation Assistant

    data: User prompts, generated code, project context. Effort-based pricing. May use project data for AI training on public projects.

    Parallel agent execution. Integrated with multiple AI models (via subprocessors: Anthropic, OpenAI, OpenRouter). Requires credits (Core: $20/mo, Pro: $100/mo includes more credits).

    Replit EnterpriseManaged Development Platform

    data: Same as platform plus advanced audit logs, SSO/SCIM, VPC peering, static outbound IPs, design system support, single-tenant environments.

    Custom pricing. Designed for regulated industries and enterprise compliance requirements, though HIPAA BAA not available.

    // What to watch

    • OVER-CLAIM DETECTED: Nudge Security profile lists ISO 27001, PCI DSS, FedRAMP, CSA STAR as Replit certifications without vendor-domain proof. Only SOC 2 Type II is publicly documented by Replit. ISO 27001 and other certs are attributed to GCP (infrastructure), not Replit itself.
    • HIPAA: No public evidence on Replit's own domain that it offers a Business Associate Agreement (BAA) or supports HIPAA-regulated PHI workloads; its Terms of Service, security docs, and trust center contain no HIPAA/BAA language. Third-party sources report Replit does not sign BAAs, but this is unconfirmed by the vendor. Absent a signed BAA, not recommended for workloads involving protected health information.
    • AI TRAINING CONSENT: Public app content is used for LLM training per Terms of Service. Private apps reserve access for service improvement but lack explicit opt-out. Users must be aware of this data use.
    • HOST VS VENDOR: GCP's ISO 27001 and SOC 2 certifications are attributed to Google Cloud, not Replit. Replit relies on GCP's infrastructure certifications but does not hold these certifications independently.

    // At a glance

    Pricing model

    Freemium + Subscription (monthly/annual). Starter (Free), Core ($20/mo), Pro ($100/mo), Enterprise (custom). Agent uses effort-based add-on pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Replit, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.replit.com

    > Browse all vendor trust reports