// Trust & Security Report
Saturn Cloud, Inc
Two product generations on saturncloud.io: (1) a legacy hosted data-science / ML platform (Jupyter, VS Code, Dask, GPU notebooks, deployable into a customer's own AWS account) and (2) a newer 'Control Plane for GPU Clouds' / Token Factory product aimed at GPU cloud operators and BMaaS resellers (white-label console for bare metal, Kubernetes, Slurm, and per-token managed inference). Both are marketed on the same domain and same legal entity.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on saturncloud.io“Service Organization Control (SOC) 2 Type 1 audit, which affirms that information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, and confidentiality.”
> Show 8 unconfirmed / not-held certifications
source: saturncloud.ioNo public evidence of a Type 2 (operating-effectiveness) report anywhere on saturncloud.io; the only public announcement found is a 2020 PR Newswire release for Type 1, and the vendor security page still only references 'Type 1' with no renewal date.
source: saturncloud.ioNo public evidence on the vendor's own domain (security, privacy, terms, docs, or enterprise pages). A third-party summary claimed Saturn Cloud holds ISO 27001, PCI, HIPAA, FedRAMP and CSA STAR, but this could not be corroborated on any saturncloud.io page or the AWS Marketplace listing and is treated as unverified marketing noise, not vendor-confirmed.
source: saturncloud.ioNo HIPAA claim, BAA offer, or compliant-hosting language appears on the security, enterprise, or docs pages. The enterprise page mentions private VPC deployment and SSO but never references HIPAA.
source: saturncloud.ioThe privacy policy's only stated legal basis for EU data transfer is 'We participate in, and comply with, the EU-US Privacy Shield Principles...' Privacy Shield was invalidated by the CJEU in 2020 (Schrems II); the policy is dated January 21, 2019 and has not been updated to reference SCCs or the EU-US Data Privacy Framework. No DPA is offered on the public site.
source: saturncloud.ioNo public evidence on the vendor's own domain; Saturn Cloud does not process cardholder data directly (billing/payment is handled through standard SaaS checkout), and no PCI claim is made anywhere on saturncloud.io.
source: saturncloud.ioNo public evidence on the vendor's own domain. Not listed on the FedRAMP Marketplace under Saturn Cloud.
source: saturncloud.ioNo public evidence on the vendor's own domain or the CSA STAR registry search.
source: saturncloud.ioNo public evidence of an AI-governance certification on the vendor's own domain. Not referenced on the security page or in any product/enterprise page found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Legacy data-science tier: enterprise deployments run inside the customer's own AWS account/VPC ('all data stays within the user's AWS environment... no data ever has to leave the user's AWS account'). Newer GPU control-plane product: deployed onto the customer's own bare-metal/data-center infrastructure via their BMaaS partner, so residency is customer-determined. No default multi-region or EU-specific hosting commitment is published.
The 2020 Terms of Service state Saturn 'has the right to collect, use and analyze any deidentified information derived from Your Content ... for Saturn's lawful business purposes, including to improve and enhance the Saturn Services.' Raw/identifiable customer content is licensed only 'as necessary for purposes of providing the Saturn Services,' not for training. No dedicated AI-training-opt-out page or tier-specific training policy was found for the newer GPU/inference product line; this is a gap given the product now brokers per-token inference endpoints.
// Security controls
Encryption at rest
Volumes for pods are AWS EBS volumes encrypted using AWS KMS (legacy data-science platform).
saturncloud.ioEncryption in transit
Not explicitly stated on the public security page beyond 'our own authentication proxy' for internet-facing notebooks; no TLS version or cipher detail published.
saturncloud.ioHosting / physical security
Hosted exclusively on AWS; 'AWS takes care of maintenance, access monitoring, intrusion detection, environmental concerns, and asset management' (this is the host's control, not an independent Saturn Cloud certification).
saturncloud.ioBackup
Application automatically backed up nightly, preconfigured and cannot be altered.
saturncloud.ioNetwork isolation (GPU control-plane product)
Per-tenant Kubernetes/Slurm clusters, per-tenant InfiniBand P_Keys, per-tenant storage namespaces, single-tenant by default, no shared scheduler/etcd/admission webhooks between customers; RBAC/IAM and audit logging; per-tenant SSO federation.
saturncloud.ioSSO / IAM (enterprise tier)
SSO sign-on with identity provider integration; connection to cloud users/roles directly; ability to restrict IAM permissions used by the installer/updater.
saturncloud.io// Products & data scope
data: Customer code, notebooks, and data connected via S3/Redshift/Snowflake or a customer AWS account; can run entirely inside the customer's own AWS environment on the Enterprise tier.
Original Saturn Cloud product (Jupyter, VS Code, SSH, Dask clusters, GPUs). Security and privacy pages found publicly are written for this product and have not been updated since 2019-2020.
data: Operates at the infrastructure/orchestration layer (provisioning, billing, tenancy isolation) on top of the operator's own bare metal, not typically direct end-user PII; per-tenant hardware isolation is the core security claim.
This is the product now leading the homepage ('The Control Plane for GPU Clouds'). No dedicated security/compliance page specific to this product was found; it inherits only the general saturncloud.io security page written for the older data-science product.
// What to watch
- SOC 2 Type 1 is the only certification with vendor-domain proof, and the only public announcement of it is a PR Newswire release from October 2020 (6 years old as of this review). Type 1 attests to control design at a single point in time, not operating effectiveness over a period, and there is no evidence of a Type 2 report or a recent renewal/bridge letter.
- Privacy policy (dated January 21, 2019) cites the EU-US Privacy Shield as its GDPR transfer mechanism; Privacy Shield was invalidated by the CJEU in 2020 (Schrems II). This is a stale, legally outdated document with no visible SCC/DPF replacement language and no public DPA link.
- Terms of Service last updated January 13, 2020, i.e. before the company's apparent pivot toward the GPU-cloud-operator ('Token Factory') business shown on the current homepage; it's unclear whether the ToS's data-license and liability terms were re-reviewed for the new product line.
- Identity/product-line ambiguity: the homepage now leads with a B2B 'Control Plane for GPU Clouds' / BMaaS-reseller pitch, while every security/privacy/terms page that could be found describes the older hosted Jupyter/data-science product (S3/Redshift/Snowflake integration, EKS, Dask). Treat compliance claims as applying to the legacy product only until the vendor confirms otherwise.
- A third-party web summary asserted Saturn Cloud holds PCI, ISO 27001, HIPAA, FedRAMP, and CSA STAR certifications. None of this could be corroborated on saturncloud.io or the AWS Marketplace listing; treated as an unverified over-claim and excluded from held=true grading. Flag this discrepancy to the account team if the vendor is pressed for compliance docs, since a prospect may encounter the same inflated third-party claim.
// At a glance
Pricing model
Consumption-based: GPU-hour pricing (from $2.95/hr for H100) and per-token metering for managed inference on the GPU control-plane product; the legacy data-science platform uses per-plan/seat pricing (see /plans/saturn_cloud_plans/). Enterprise/BMaaS deals are contract-negotiated.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Saturn Cloud, Inc's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
saturncloud.io