// Trust & Security Report
Semgrep, Inc.
Semgrep AppSec Platform - unified static application security testing (SAST), software composition analysis (SCA / Supply Chain), and secrets scanning, plus Semgrep Assistant (AI-assisted triage/autofix) and a Semgrep MCP server for AI coding agents. Semgrep Code, Supply Chain, and Secrets are sold together as the AppSec Platform; the underlying Semgrep CLI/engine is also available as a free, open-source, locally-run scanner.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.semgrep.dev“Semgrep Inc. is SOC 2 Type II certified... our latest SOC 2 Type II report (covering December 1, 2023 - November 30, 2024)”
Verify on semgrep.dev“In some regions (like the European Economic Area), you have certain rights under applicable data protection laws... GDPR badge is displayed on the trust portal; a 'Data Transfer Impact Assessment' and 'Data Processing Agreement' are published for customer request.”
> Show 6 unconfirmed / not-held certifications
source: docs.semgrep.devSemgrep Inc. is not itself ISO 27001 certified, but the product can be used in deployment models that support an organization's ISO 27001 certification efforts.
source: docs.semgrep.devSemgrep provides security tooling that can support compliance efforts, but does not guarantee compliance... PHI should not exist in code repositories, as Semgrep scans code repositories, not production systems or databases containing PHI data. No public evidence of a signed BAA or a HIPAA certification held by Semgrep Inc. itself.
source: docs.semgrep.devSemgrep can help address security requirements in compliance frameworks including... PCI DSS (page describes how the tool helps customers meet PCI DSS controls; no evidence Semgrep Inc. itself holds a PCI DSS attestation, and it is not listed on the trust portal).
source: docs.semgrep.devSemgrep can help address security requirements in compliance frameworks including FedRAMP, NIST 800-171... (framework the product helps customers with; not a FedRAMP authorization held by Semgrep Inc., and not listed on the trust portal).
source: trust.semgrep.devno public evidence - not referenced on the trust portal, compliance docs, or privacy pages
source: trust.semgrep.devno public evidence - not referenced on the trust portal or compliance docs
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary servers located in the United States per the Privacy Notice; a 'Data Transfer Impact Assessment' document is published on the trust portal for EU customers, but no explicit EU/other-region hosting option is documented publicly.
Semgrep and its AI subprocessors (OpenAI, AWS Bedrock) operate under zero data retention agreements by default: 'AI subprocessors do not retain or use your data to train their models.' Semgrep maintains DPAs with all AI subprocessors, available via the trust portal on request. An 'Enterprise minimal data retention' option further limits code/prompt persistence within Semgrep's own systems for the Assistant/Multimodal feature. No contradiction found between the legacy Terms of Service and the current AI/Assistant privacy page.
// Security controls
Third-party penetration testing
Annual full-scope, whitebox penetration test performed by Include Security; report available via the trust portal.
trust.semgrep.devSSO / SAML
SAML 2.0 and OpenID Connect / OAuth 2.0 single sign-on supported on the Semgrep AppSec Platform (Enterprise), with documented setup guides for Google Workspace and Microsoft Entra ID.
docs.semgrep.devSelf-assessment questionnaire
CAIQ Lite self-assessment published on the trust portal.
trust.semgrep.devSubprocessor transparency
Subprocessor list, including AI model vendors OpenAI and AWS Bedrock, published on the trust portal with associated DPAs (including an 'OpenAI DPA').
trust.semgrep.devEncryption in transit / at rest
No public evidence found describing Semgrep's own infrastructure encryption specifics (e.g. TLS version, at-rest algorithm); not stated on the pages reviewed. Not graded as a claim.
trust.semgrep.devResponsible disclosure
Responsible Disclosure program referenced on the trust portal and a vulnerability reporting process documented in the security docs.
docs.semgrep.dev// Products & data scope
data: Scans customer source code for vulnerabilities; combines static analysis rules with AI reasoning.
Core product of the AppSec Platform; also runs via the free, open-source Semgrep CLI/engine, which can run entirely locally without sending code to Semgrep's cloud.
data: Analyzes project dependency manifests/lockfiles; reachability analysis to prioritize exploitable findings.
Sold as part of the AppSec Platform alongside Code and Secrets.
data: Scans repositories for hardcoded secrets/credentials using semantic and entropy analysis, with validation.
Blocks unsafe merges by default per marketing copy.
data: Sends relevant code snippets/findings to AI subprocessors (OpenAI, AWS Bedrock) under zero-data-retention agreements to generate fix suggestions and triage false positives.
Enterprise customers can bring their own OpenAI/Azure OpenAI API key or use AWS Bedrock; an 'Enterprise minimal data retention' mode is available.
data: Exposes Semgrep scanning to AI coding agents and IDEs (e.g. Cursor, Replit) via the Model Context Protocol.
Positioned for securing AI-generated code at the point of authorship.
// What to watch
- Semgrep's own docs.semgrep.dev/compliance/* pages (SOC2, ISO27001, HIPAA, PCI DSS, FedRAMP, GDPR, ISO27017) are primarily written to describe how the Semgrep TOOL helps customers meet those frameworks, not Semgrep's own certification status - only the SOC 2 page contains an explicit self-certification claim ('Semgrep Inc. is SOC 2 Type II certified'), and only the ISO 27001 page contains an explicit self-disclaimer ('Semgrep Inc. is not itself ISO 27001 certified'). PCI DSS, FedRAMP, and HIPAA pages do not clearly state Semgrep's own certification status either way, so they are graded held=false as 'no public evidence' rather than a confirmed absence - this is a nuance an advisor should double check before listing.
- No explicit EU/non-US data hosting option is documented for the standard SaaS product; only a Data Transfer Impact Assessment document is referenced for cross-border transfers.
// At a glance
Pricing model
Freemium: Free Edition (up to 10 contributors), Teams (from $30/contributor/month), Enterprise (custom pricing via sales).
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Semgrep, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.semgrep.dev