// Trust & Security Report

    Semrush (SEMrush Inc. / Semrush Holdings, now an Adobe company) logo

    Semrush (SEMrush Inc. / Semrush Holdings, now an Adobe company)

    Semrush One — unified SEO, AI search visibility, content, traffic/market intelligence, local, advertising, social, and PR platform (SaaS), plus Enterprise tier (Enterprise SEO/AIO/SI), App Center marketplace, and a public API

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS Level 1
    HELD

    We have fully implemented and support all processes related to PCI DSS compliance. Once a year, we confirm our compliance by passing an independent QSA audit. As a result, we have achieved a PCI DSS Level 1 certificate.

    Verify on semrush.com
    GDPR
    HELD

    Semrush's products adhere to GDPR requirements effective May 25, 2018.

    Verify on semrush.com
    SOC 2 Type II
    HELD

    Not stated on Semrush's own security/legal pages as reviewed (2026-06-27). Third-party aggregators (Nudge Security, UpGuard) describe Semrush as SOC 2 audited, but no SOC 2 claim or report link was found on the vendor's own domain to confirm with a direct quote.

    Verify on semrush.com
    ISO/IEC 27001
    HELD

    Not stated on Semrush's own security/legal pages as reviewed (2026-06-27). ISO 27001 appears only in third-party write-ups, not in a vendor-domain statement, so it cannot be confirmed.

    Verify on semrush.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA claim on vendor security or legal pages. Semrush is a marketing/SEO platform not positioned for PHI; HIPAA is not advertised.

    source: semrush.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Controller is SEMrush Inc. (US-based). Privacy Policy describes international transfers of personal data and processing on behalf of business customers as a processor under the customer agreement (DPA). Specific data-residency / region-pinning options not documented on public pages.

    Semrush AI Services Terms state directly: 'Semrush does not train or develop its models, and does not allow its third-party providers to train or develop its models on User Input.' Customers retain rights: 'You retain all rights you may have in User Input.' For Mailbox (Gmail/Outlook) integration data, the Privacy Policy says it is used only to provide the tool features, is stored encrypted, is not used for advertising, and human access is restricted. Note: AI Generative Services are 'not intended to collect personal data' and users are told not to submit personal data into them.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher (HTTPS) everywhere on the website with industry-standard algorithms and certificates; personal data encrypted in transit

    semrush.com

    Encryption at rest

    AES-256 encryption for secure data storage in data centers

    semrush.com

    Penetration testing

    Annual third-party penetration tests; internal security team additionally pentests new features weekly per release policy

    semrush.com

    Bug bounty

    Active bug bounty program on HackerOne inviting independent researchers to disclose security flaws

    semrush.com

    Access control

    Role-based, need-to-know access to personal data; SSO + 2FA for apps processing critical data; staff use VPN; activity logged to a SIEM

    semrush.com

    Physical / data center security

    Data centers carry best-practice compliance certificates; 24/7 monitoring, CCTV on server-room access points, electronic intrusion detection, strict personnel access control

    semrush.com

    // Products & data scope

    Semrush One (core SaaS)SEO + AI search visibility, content, traffic/market analytics

    data: Account profile data, billing/payment info (PCI scope), project domains, keywords, crawled site data; product analytics via cookies/Google Analytics

    Self-serve and team plans; primary consumer-of-record is SEMrush Inc. under the Privacy Policy

    Semrush Enterprise (Enterprise SEO / Enterprise AIO / Enterprise SI)Enterprise SEO and AI visibility

    data: Same platform data at larger scale, contracted under custom subscription agreement; Semrush acts as processor with a DPA for business-customer data

    Enterprise contracts governed by the customer agreement, not just the website Privacy Policy

    Mailbox integration (Gmail / Outlook / Exchange)Outreach / backlink email tooling

    data: OAuth API token, email subject/body, replies, recipient/sender, thread/message IDs, send/open/reply metadata — stored encrypted

    Explicitly NOT used for advertising; human read access restricted; user can revoke and delete at any time. Highest-sensitivity data flow on the platform

    Semrush AI / Generative ServicesAI content and AI visibility tooling

    data: User Input (text/images/data submitted to generative tools)

    Governed by Semrush Artificial Intelligence Services Terms; no model training on User Input; users own their input; users told not to submit personal data

    Semrush API + App CenterDeveloper API and third-party app marketplace

    data: API access to platform data; App Center apps subject to separate App Center Terms and security requirements

    Third-party apps have their own data scopes; review per-app before procurement

    // What to watch

    • SOC 2 Type II and ISO 27001 are widely attributed to Semrush by third-party aggregators (Nudge Security, UpGuard) but were NOT confirmable with a direct quote on Semrush's own domain as of 2026-06-27 — marked unknown, not held.
    • Ownership change: Adobe has completed acquisition of Semrush (per Semrush newsroom). Long-term compliance/data-handling posture may shift under Adobe; re-verify trust center and DPA after integration.
    • Mailbox (Gmail/Outlook) integration is the most sensitive data flow and should be flagged for buyers who connect mailboxes.

    // At a glance

    Pricing model

    Subscription SaaS (7-day free trial; tiered self-serve plans plus custom-quoted Enterprise)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Semrush (SEMrush Inc. / Semrush Holdings, now an Adobe company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    semrush.com

    > Browse all vendor trust reports