// Trust & Security Report

    Saturn Cloud, Inc logo

    Saturn Cloud, Inc

    Two product generations on saturncloud.io: (1) a legacy hosted data-science / ML platform (Jupyter, VS Code, Dask, GPU notebooks, deployable into a customer's own AWS account) and (2) a newer 'Control Plane for GPU Clouds' / Token Factory product aimed at GPU cloud operators and BMaaS resellers (white-label console for bare metal, Kubernetes, Slurm, and per-token managed inference). Both are marketed on the same domain and same legal entity.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    Service Organization Control (SOC) 2 Type 1 audit, which affirms that information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, and confidentiality.

    Verify on saturncloud.io
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of a Type 2 (operating-effectiveness) report anywhere on saturncloud.io; the only public announcement found is a 2020 PR Newswire release for Type 1, and the vendor security page still only references 'Type 1' with no renewal date.

    source: saturncloud.io
    ISO 27001
    NOT CONFIRMED

    No public evidence on the vendor's own domain (security, privacy, terms, docs, or enterprise pages). A third-party summary claimed Saturn Cloud holds ISO 27001, PCI, HIPAA, FedRAMP and CSA STAR, but this could not be corroborated on any saturncloud.io page or the AWS Marketplace listing and is treated as unverified marketing noise, not vendor-confirmed.

    source: saturncloud.io
    HIPAA
    NOT CONFIRMED

    No HIPAA claim, BAA offer, or compliant-hosting language appears on the security, enterprise, or docs pages. The enterprise page mentions private VPC deployment and SSO but never references HIPAA.

    source: saturncloud.io
    GDPR
    NOT CONFIRMED

    The privacy policy's only stated legal basis for EU data transfer is 'We participate in, and comply with, the EU-US Privacy Shield Principles...' Privacy Shield was invalidated by the CJEU in 2020 (Schrems II); the policy is dated January 21, 2019 and has not been updated to reference SCCs or the EU-US Data Privacy Framework. No DPA is offered on the public site.

    source: saturncloud.io
    PCI DSS
    NOT CONFIRMED

    No public evidence on the vendor's own domain; Saturn Cloud does not process cardholder data directly (billing/payment is handled through standard SaaS checkout), and no PCI claim is made anywhere on saturncloud.io.

    source: saturncloud.io
    FedRAMP
    NOT CONFIRMED

    No public evidence on the vendor's own domain. Not listed on the FedRAMP Marketplace under Saturn Cloud.

    source: saturncloud.io
    CSA STAR
    NOT CONFIRMED

    No public evidence on the vendor's own domain or the CSA STAR registry search.

    source: saturncloud.io
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of an AI-governance certification on the vendor's own domain. Not referenced on the security page or in any product/enterprise page found.

    source: saturncloud.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Legacy data-science tier: enterprise deployments run inside the customer's own AWS account/VPC ('all data stays within the user's AWS environment... no data ever has to leave the user's AWS account'). Newer GPU control-plane product: deployed onto the customer's own bare-metal/data-center infrastructure via their BMaaS partner, so residency is customer-determined. No default multi-region or EU-specific hosting commitment is published.

    The 2020 Terms of Service state Saturn 'has the right to collect, use and analyze any deidentified information derived from Your Content ... for Saturn's lawful business purposes, including to improve and enhance the Saturn Services.' Raw/identifiable customer content is licensed only 'as necessary for purposes of providing the Saturn Services,' not for training. No dedicated AI-training-opt-out page or tier-specific training policy was found for the newer GPU/inference product line; this is a gap given the product now brokers per-token inference endpoints.

    // Security controls

    Encryption at rest

    Volumes for pods are AWS EBS volumes encrypted using AWS KMS (legacy data-science platform).

    saturncloud.io

    Encryption in transit

    Not explicitly stated on the public security page beyond 'our own authentication proxy' for internet-facing notebooks; no TLS version or cipher detail published.

    saturncloud.io

    Hosting / physical security

    Hosted exclusively on AWS; 'AWS takes care of maintenance, access monitoring, intrusion detection, environmental concerns, and asset management' (this is the host's control, not an independent Saturn Cloud certification).

    saturncloud.io

    Application/code security

    Static analysis and container scans via Snyk.

    saturncloud.io

    Backup

    Application automatically backed up nightly, preconfigured and cannot be altered.

    saturncloud.io

    Network isolation (GPU control-plane product)

    Per-tenant Kubernetes/Slurm clusters, per-tenant InfiniBand P_Keys, per-tenant storage namespaces, single-tenant by default, no shared scheduler/etcd/admission webhooks between customers; RBAC/IAM and audit logging; per-tenant SSO federation.

    saturncloud.io

    SSO / IAM (enterprise tier)

    SSO sign-on with identity provider integration; connection to cloud users/roles directly; ability to restrict IAM permissions used by the installer/updater.

    saturncloud.io

    // Products & data scope

    Saturn Cloud Data Science Platform (legacy/current)Hosted data science / ML notebooks and compute

    data: Customer code, notebooks, and data connected via S3/Redshift/Snowflake or a customer AWS account; can run entirely inside the customer's own AWS environment on the Enterprise tier.

    Original Saturn Cloud product (Jupyter, VS Code, SSH, Dask clusters, GPUs). Security and privacy pages found publicly are written for this product and have not been updated since 2019-2020.

    GPU Control Plane / Token Factory (current homepage focus)White-label B2B infrastructure software for GPU cloud operators and BMaaS resellers

    data: Operates at the infrastructure/orchestration layer (provisioning, billing, tenancy isolation) on top of the operator's own bare metal, not typically direct end-user PII; per-tenant hardware isolation is the core security claim.

    This is the product now leading the homepage ('The Control Plane for GPU Clouds'). No dedicated security/compliance page specific to this product was found; it inherits only the general saturncloud.io security page written for the older data-science product.

    // What to watch

    • SOC 2 Type 1 is the only certification with vendor-domain proof, and the only public announcement of it is a PR Newswire release from October 2020 (6 years old as of this review). Type 1 attests to control design at a single point in time, not operating effectiveness over a period, and there is no evidence of a Type 2 report or a recent renewal/bridge letter.
    • Privacy policy (dated January 21, 2019) cites the EU-US Privacy Shield as its GDPR transfer mechanism; Privacy Shield was invalidated by the CJEU in 2020 (Schrems II). This is a stale, legally outdated document with no visible SCC/DPF replacement language and no public DPA link.
    • Terms of Service last updated January 13, 2020, i.e. before the company's apparent pivot toward the GPU-cloud-operator ('Token Factory') business shown on the current homepage; it's unclear whether the ToS's data-license and liability terms were re-reviewed for the new product line.
    • Identity/product-line ambiguity: the homepage now leads with a B2B 'Control Plane for GPU Clouds' / BMaaS-reseller pitch, while every security/privacy/terms page that could be found describes the older hosted Jupyter/data-science product (S3/Redshift/Snowflake integration, EKS, Dask). Treat compliance claims as applying to the legacy product only until the vendor confirms otherwise.
    • A third-party web summary asserted Saturn Cloud holds PCI, ISO 27001, HIPAA, FedRAMP, and CSA STAR certifications. None of this could be corroborated on saturncloud.io or the AWS Marketplace listing; treated as an unverified over-claim and excluded from held=true grading. Flag this discrepancy to the account team if the vendor is pressed for compliance docs, since a prospect may encounter the same inflated third-party claim.

    // At a glance

    Pricing model

    Consumption-based: GPU-hour pricing (from $2.95/hr for H100) and per-token metering for managed inference on the GPU control-plane product; the legacy data-science platform uses per-plan/seat pricing (see /plans/saturn_cloud_plans/). Enterprise/BMaaS deals are contract-negotiated.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Saturn Cloud, Inc's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    saturncloud.io

    > Browse all vendor trust reports