// Trust & Security Report
SentinelOne, Inc.
AI-native enterprise cybersecurity platform (Singularity Platform) spanning endpoint & identity protection (Singularity Endpoint, Singularity Identity), cloud security / CNAPP (Singularity Cloud Security), AI-driven security operations (Singularity Data Lake / AI SIEM, Singularity Hyperautomation), an agentic AI SOC analyst (Purple AI), and AI-application security via the acquired Prompt Security product. Public company (NYSE: S), sold via tiered packages (Core, Control, Complete, Commercial, Enterprise) plus a public-sector/FedRAMP line.
Certifications held
12
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.sentinelone.com“"SOC 2 Type 2" listed under Compliance Certifications on the SentinelOne Trust Center, with the associated report available for download to authenticated visitors.”
Verify on trust.sentinelone.com“"ISO/IEC 27001:2022" listed under Compliance Certifications on the SentinelOne Trust Center, alongside the associated ISO/IEC 27001 Statement of Applicability (SoA) document.”
Verify on trust.sentinelone.com“"ISO/IEC 27017:2015" listed under Compliance Certifications on the SentinelOne Trust Center.”
Verify on trust.sentinelone.com“"ISO/IEC 27018:2019" listed under Compliance Certifications on the SentinelOne Trust Center.”
Verify on sentinelone.com“"Purple AI, Singularity Cloud Security and Singularity Hyperautomation are available as Federal Risk and Authorization Management Program (FedRAMP) authorized services at the High Impact Level." (May 15, 2025 press release; Singularity Platform and Singularity Data Lake achieved the same High Impact Level authorization in September 2024.) Note: the Trust Center itself displays the item as "FedRAMP Certified Class D", nonstandard FedRAMP terminology that does not match the "High Impact Level" language used in SentinelOne's own press releases -- flagged for review.”
Verify on trust.sentinelone.com“"FISMA High" listed under Compliance Certifications on the SentinelOne Trust Center (consistent with FedRAMP High authorization, which requires FISMA High baseline controls).”
Verify on sentinelone.com“"SentinelOne participates in the EU-U.S. Data Privacy Framework and has certified compliance with its principles regarding personal information from the European Union, Switzerland, and the United Kingdom." GDPR is also listed as a compliance item on the Trust Center, and a Data Protection Addendum with EU Standard Contractual Clauses is offered to all customers.”
Verify on sentinelone.com“"SentinelOne helps healthcare organizations meet HIPAA requirements by delivering advanced security and automation that align with HIPAA Security Rule compliance." ... "When SentinelOne processes PHI on behalf of a customer as a Business Associate, we are committed to helping support the customer's compliance requirements, which may include signing a Business Associate Agreement."”
Verify on trust.sentinelone.com“"CCPA" listed under Compliance Certifications on the SentinelOne Trust Center; a dedicated U.S. State Privacy Notice is also published.”
Verify on trust.sentinelone.com“"Common Criteria" listed under Compliance Certifications on the SentinelOne Trust Center.”
Verify on trust.sentinelone.com“"Cyber Essentials" and "Cyber Essentials Plus" both listed under Compliance Certifications on the SentinelOne Trust Center.”
Verify on trust.sentinelone.com“"TX-RAMP" listed under Compliance Certifications on the SentinelOne Trust Center.”
> Show 3 unconfirmed / not-held certifications
source: trust.sentinelone.comNo PCI DSS entry appears in the Trust Center's Compliance Certifications list; SentinelOne only publishes a customer-facing whitepaper describing how its platform can help other organizations meet PCI DSS control requirements. No evidence SentinelOne itself holds a PCI DSS attestation (it is not a payment processor).
source: trust.sentinelone.comNo public evidence. Not listed on the SentinelOne Trust Center's Compliance Certifications list, and no ISO 42001 press release or certificate found on sentinelone.com.
source: trust.sentinelone.comSentinelOne has a public entry in the third-party Cloud Security Alliance STAR Registry (cloudsecurityalliance.org/star/registry/sentinelone), but this is a CSA-hosted, not vendor-domain, page, and CSA STAR is not listed among the Compliance Certifications on SentinelOne's own Trust Center. Cannot confirm on vendor domain, graded not held per evidence rules.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
U.S.-based company operating globally; customers select a hosting region on their Order Form (data centers in multiple geographies), with cross-border transfers covered by Standard Contractual Clauses under the Data Protection Addendum. Prompt Security and Observo (recently acquired sub-products) have their own designated regions per the DPA.
SentinelOne's own FAQ states its data science team "trains our AI / ML models in our development lab" using aggregated threat/telemetry data collected from customer endpoints ("System Data"), and that "SentinelOne machine learning algorithms are not configurable" by customers -- i.e. training happens centrally, not per-tenant, and there is no documented customer opt-out from contributing telemetry to model improvement. The Privacy Notice separately states "Any limited personal information contained within System Data is never incorporated into the Solutions, nor is it used to contact or market products or services," indicating PII is filtered out of the training pipeline even though telemetry/threat data itself is used. No explicit per-customer opt-out toggle was found in public documentation.
// Security controls
Encryption in transit
TLS encryption used on all customer data transfers (per third-party summaries of SentinelOne security documentation; not independently quoted from a vendor page in this pass).
trust.sentinelone.comData Protection Addendum
Standard DPA available to all customers as part of the Master Subscription Agreement, incorporating EU Standard Contractual Clauses, a 48-hour breach notification commitment, 60-day post-termination data deletion, annual penetration testing, quarterly vulnerability assessments, and daily Customer Data backups.
sentinelone.comSub-processor transparency
Published, maintained sub-processor list with 30 days' advance notice of new sub-processors and a customer objection right.
sentinelone.comResponsible disclosure
Published Responsible Disclosure Policy for third-party security researchers.
sentinelone.comDeployment flexibility
Endpoint agent deployable in SaaS, on-premises, hybrid, and air-gapped environments, in addition to the primary cloud-hosted Singularity console.
sentinelone.com// Products & data scope
data: Endpoint telemetry, process/behavioral data, identity/directory signals from customer environments
Core, Control, Complete, Commercial and Enterprise packages gate feature depth (e.g. identity protection, managed hunting, extended data retention) at higher tiers.
data: Cloud workload, container, and serverless configuration and runtime data
FedRAMP High authorized as of May 2025.
data: Queries threat telemetry already collected by the platform via natural language; included from the Complete tier, with autonomous/agentic triage reserved for Enterprise
FedRAMP High authorized as of May 2025 -- described by SentinelOne as the first AI SOC analyst to achieve that authorization level.
data: Aggregated security telemetry and log data across the customer's environment
FedRAMP High authorized as of September 2024.
data: Prompts, AI application traffic, and model usage metadata; has its own dedicated data region per the DPA
Recently acquired product line, sold under a separate Solutions Addendum; distinct data-handling terms from the core endpoint platform.
data: Same platform capabilities delivered under FedRAMP High / FISMA High boundaries, with a separate Master Subscription Agreement (GSA) and Public Sector Addendum
Distinct legal terms and hosting boundary from the commercial SaaS product.
// What to watch
- Flag for the crawler team.
- SentinelOne's own Trust Center displays FedRAMP status as "FedRAMP Certified Class D", which is nonstandard FedRAMP terminology and does not match the "High Impact Level" authorization language used in SentinelOne's own press releases for the same products. Likely a labeling artifact in the Trust Center's automated compliance-item template rather than a different/lesser authorization, but this discrepancy should be verified directly with the vendor before publishing as "FedRAMP High" without qualification.
- HIPAA and PCI DSS are marketing/compliance-posture claims (BAA support, Security Rule alignment, customer-facing whitepapers) rather than formal third-party certifications; graded accordingly (HIPAA held=true as a documented BAA/posture claim, PCI DSS held=false as no attestation of SentinelOne's own compliance was found).
- CSA STAR appears in the third-party CSA STAR Registry but is not listed on SentinelOne's own Trust Center; graded held=false per the vendor-domain-only evidentiary rule -- worth a live look at the CSA registry entry to see if it upgrades this.
- AI training posture is nuanced: SentinelOne trains detection models centrally on aggregated customer telemetry (not per-tenant, no documented opt-out), while explicitly excluding personal information from that pipeline. This is standard practice for a security telemetry vendor but should be described precisely rather than as a flat 'no training on customer data' claim some competitors make.
- No ISO/IEC 42001 (AI management system) certification found; as an AI-native security vendor this may become a gap versus AI-governance-focused competitors over time.
// At a glance
Pricing model
Per-endpoint, per-year subscription across five commercial tiers (Core, Control, Complete, Commercial, Enterprise), plus custom/contact-sales pricing for Enterprise and public-sector deployments; volume discounts at 500+ endpoints.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SentinelOne, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.sentinelone.com