// Trust & Security Report

    Screaming Frog Limited logo

    Screaming Frog Limited

    UK-based SEO software and agency: SEO Spider (desktop website crawler, local data storage), Log File Analyser (desktop server-log tool), plus a separate SEO/digital-marketing agency service line (technical SEO, PPC, content, digital PR, AI search optimisation).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    "If you believe that we are not holding your information correctly or are unhappy at any dealings with us regarding your information you may complain to the Information Commissioners Office." The policy also documents user rights ("you have the right, at any time and free of charge, to ask us to provide you with copies of all personal information we hold about you"; rights to amend, delete, and opt out of marketing) and cross-border transfer disclosure ("Our website and some of our products or services or parts of them may be hosted in the United States and this means that we may transfer any information which is submitted by you through the website, product or service outside the European Economic Area").

    Verify on screamingfrog.co.uk
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. Not mentioned on the privacy policy, disclaimer, EULA, or FAQ pages at screamingfrog.co.uk. Note: an AI-generated web search summary claimed Screaming Frog is 'SOC 2 Compliant' but this claim traces to no vendor-domain source and could not be corroborated on any Screaming Frog page; treated as unverified/likely fabricated.

    source: screamingfrog.co.uk
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not mentioned on the privacy policy, disclaimer, EULA, or FAQ pages. Same AI-search hallucination issue as SOC 2 above; no vendor-domain corroboration found.

    source: screamingfrog.co.uk
    HIPAA
    NOT CONFIRMED

    No public evidence. HIPAA is not referenced anywhere on the vendor's privacy policy, disclaimer, EULA, or FAQ pages; product is a general-purpose SEO crawler, not positioned for healthcare/PHI use cases.

    source: screamingfrog.co.uk
    PCI DSS
    NOT CONFIRMED

    No public evidence found on vendor-domain pages. Payment processing for licences is not detailed with PCI DSS language on the reviewed pages.

    source: screamingfrog.co.uk
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on any reviewed vendor page.

    source: screamingfrog.co.uk
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence. No AI-governance certification referenced anywhere on the vendor's site.

    source: screamingfrog.co.uk
    CSA STAR
    NOT CONFIRMED

    No public evidence. An AI-generated search summary asserted 'CSA Star Level 1 Compliant' with no traceable vendor-domain source; not corroborated on any Screaming Frog page and treated as unverified/likely fabricated.

    source: screamingfrog.co.uk
    FedRAMP
    NOT CONFIRMED

    No public evidence. FedRAMP applies to US federal cloud services; Screaming Frog is a UK SME selling desktop software and agency services with no indication of FedRAMP authorization. An AI-generated search summary claimed 'FedRamp Compliant' with no vendor-domain source; treated as unverified/likely fabricated.

    source: screamingfrog.co.uk

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    UK & US: "Your data is stored in secure data centres located in the United Kingdom & United States of America"; the site/services may also transfer data outside the EEA to the US.

    No evidence Screaming Frog trains AI/ML models on customer or crawl data. The company is a crawler/SEO-tooling vendor, not an AI model provider; its blog discusses using the SEO Spider to prepare content for customers' own downstream LLM/RAG workflows, which is unrelated to Screaming Frog training on customer data. No public statement either way, so marked unknown (null) rather than assumed.

    // Security controls

    Encryption / data protection measures

    Privacy policy states only a general assurance: "appropriate technical and organisational measures against ... unauthorised or unlawful processing and against ... accidental loss, destruction or damage." No specifics on encryption algorithms, in-transit/at-rest details, or audit evidence.

    screamingfrog.co.uk

    Primary data storage model

    SEO Spider and Log File Analyser are desktop applications; crawl data and licence files are stored locally on the user's machine (e.g. a '.ScreamingFrogSEOSpider' folder in the user's home directory), not by default uploaded to Screaming Frog's servers. The tool can also be run on a user-controlled server/cloud instance at the customer's discretion.

    screamingfrog.co.uk

    Third-party / subprocessor data sharing

    "Where you have instructed us to do so, our software applications may share your crawl data with third party services or APIs; you accept full responsibility for ensuring the privacy of all such data." Screaming Frog states it requires service providers to have Data Processing Addendums in place and states it will never sell customer information to third parties.

    screamingfrog.co.uk

    Google account data

    "Our software applications may, with your consent, access and store your Google user data, however, such data is only available and stored by the user, will only be used for the purposes outlined in this policy and will not be accessible or shared by us."

    screamingfrog.co.uk

    Data retention

    "Your data will be stored for the duration of your enquiry, contract, or dealings with us. We may be required to store your data for longer to comply with legal, contractual or compliance obligations."

    screamingfrog.co.uk

    // Products & data scope

    SEO SpiderDesktop website crawler / technical SEO audit tool

    data: Crawls websites specified by the user; crawl output stored locally on the user's own machine or user-controlled server by default. No indication crawl data is uploaded to Screaming Frog's own infrastructure unless the user opts into cloud/API integrations.

    Free tier (limited to 500 URLs) plus a paid licence unlocking full features; runs on Windows, Mac, Linux.

    Log File AnalyserDesktop server-log analysis tool

    data: Processes server log files uploaded by the user; local desktop tool, same general data-locality profile as SEO Spider.

    Sold as a separate licensed product from SEO Spider.

    Screaming Frog Agency ServicesSEO / digital marketing agency (SEM, SEO, PPC, content marketing, digital PR, AI search optimisation, analytics consultancy)

    data: Client engagements involve access to client analytics/ad accounts and business data under standard agency service agreements; no distinct security/compliance documentation found for the agency side beyond the general company privacy policy.

    Materially different trust profile from the desktop software products since it involves ongoing access to client accounts; no agency-specific DPA or security page was located.

    // What to watch

    • No trust center or dedicated security/compliance page found on screamingfrog.co.uk; all findings sourced from the general privacy policy, disclaimer, EULA, and product FAQ.
    • An AI-generated web search summary asserted Screaming Frog is 'SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRamp Compliant, and CSA Star Level 1 Compliant.' This claim could not be traced to any vendor-domain source and directly contradicts the privacy policy, disclaimer, EULA, and FAQ pages, none of which mention any certification. Treated as a fabricated/hallucinated claim and excluded from the assessment; flagged so it is not repeated downstream.
    • GDPR posture is graded held=true based on documented user rights, ICO complaint pathway, and cross-border transfer disclosures, but Screaming Frog does not publish a standalone GDPR compliance statement or offer a customer-facing DPA download; enterprise buyers requiring a signed DPA should contact Screaming Frog directly to confirm availability.
    • Agency services (client account access) were not separately assessed for security controls; only the general company privacy policy applies across both software and agency lines.

    // At a glance

    Pricing model

    Per-seat annual software licence for SEO Spider / Log File Analyser (free tier available with reduced URL limit); custom/retainer pricing for agency services.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Screaming Frog Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    screamingfrog.co.uk

    > Browse all vendor trust reports