// Trust & Security Report
Semrush (SEMrush Inc. / Semrush Holdings, now an Adobe company)
Semrush One — unified SEO, AI search visibility, content, traffic/market intelligence, local, advertising, social, and PR platform (SaaS), plus Enterprise tier (Enterprise SEO/AIO/SI), App Center marketplace, and a public API
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on semrush.com“We have fully implemented and support all processes related to PCI DSS compliance. Once a year, we confirm our compliance by passing an independent QSA audit. As a result, we have achieved a PCI DSS Level 1 certificate.”
Verify on semrush.com“Semrush's products adhere to GDPR requirements effective May 25, 2018.”
Verify on semrush.com“Not stated on Semrush's own security/legal pages as reviewed (2026-06-27). Third-party aggregators (Nudge Security, UpGuard) describe Semrush as SOC 2 audited, but no SOC 2 claim or report link was found on the vendor's own domain to confirm with a direct quote.”
Verify on semrush.com“Not stated on Semrush's own security/legal pages as reviewed (2026-06-27). ISO 27001 appears only in third-party write-ups, not in a vendor-domain statement, so it cannot be confirmed.”
> Show 1 unconfirmed / not-held certifications
source: semrush.comNo HIPAA claim on vendor security or legal pages. Semrush is a marketing/SEO platform not positioned for PHI; HIPAA is not advertised.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Controller is SEMrush Inc. (US-based). Privacy Policy describes international transfers of personal data and processing on behalf of business customers as a processor under the customer agreement (DPA). Specific data-residency / region-pinning options not documented on public pages.
Semrush AI Services Terms state directly: 'Semrush does not train or develop its models, and does not allow its third-party providers to train or develop its models on User Input.' Customers retain rights: 'You retain all rights you may have in User Input.' For Mailbox (Gmail/Outlook) integration data, the Privacy Policy says it is used only to provide the tool features, is stored encrypted, is not used for advertising, and human access is restricted. Note: AI Generative Services are 'not intended to collect personal data' and users are told not to submit personal data into them.
// Security controls
Encryption in transit
TLS 1.2 or higher (HTTPS) everywhere on the website with industry-standard algorithms and certificates; personal data encrypted in transit
semrush.comPenetration testing
Annual third-party penetration tests; internal security team additionally pentests new features weekly per release policy
semrush.comBug bounty
Active bug bounty program on HackerOne inviting independent researchers to disclose security flaws
semrush.comAccess control
Role-based, need-to-know access to personal data; SSO + 2FA for apps processing critical data; staff use VPN; activity logged to a SIEM
semrush.comPhysical / data center security
Data centers carry best-practice compliance certificates; 24/7 monitoring, CCTV on server-room access points, electronic intrusion detection, strict personnel access control
semrush.com// Products & data scope
data: Account profile data, billing/payment info (PCI scope), project domains, keywords, crawled site data; product analytics via cookies/Google Analytics
Self-serve and team plans; primary consumer-of-record is SEMrush Inc. under the Privacy Policy
data: Same platform data at larger scale, contracted under custom subscription agreement; Semrush acts as processor with a DPA for business-customer data
Enterprise contracts governed by the customer agreement, not just the website Privacy Policy
data: OAuth API token, email subject/body, replies, recipient/sender, thread/message IDs, send/open/reply metadata — stored encrypted
Explicitly NOT used for advertising; human read access restricted; user can revoke and delete at any time. Highest-sensitivity data flow on the platform
data: User Input (text/images/data submitted to generative tools)
Governed by Semrush Artificial Intelligence Services Terms; no model training on User Input; users own their input; users told not to submit personal data
data: API access to platform data; App Center apps subject to separate App Center Terms and security requirements
Third-party apps have their own data scopes; review per-app before procurement
// What to watch
- SOC 2 Type II and ISO 27001 are widely attributed to Semrush by third-party aggregators (Nudge Security, UpGuard) but were NOT confirmable with a direct quote on Semrush's own domain as of 2026-06-27 — marked unknown, not held.
- Ownership change: Adobe has completed acquisition of Semrush (per Semrush newsroom). Long-term compliance/data-handling posture may shift under Adobe; re-verify trust center and DPA after integration.
- Mailbox (Gmail/Outlook) integration is the most sensitive data flow and should be flagged for buyers who connect mailboxes.
// At a glance
Pricing model
Subscription SaaS (7-day free trial; tiered self-serve plans plus custom-quoted Enterprise)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Semrush (SEMrush Inc. / Semrush Holdings, now an Adobe company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
semrush.com