// Trust & Security Report
Netpeak Group / Serpstat (operated by Netpeak LTD, Serpstat Global LTD, Serpstat LTD, and Promotions and Development Group Corporation, per Serpstat's own license agreement)
All-in-one SEO and content marketing platform: keyword research, rank tracking, backlink analysis, site/page audit, competitor analysis, SERP scraper, keyword clustering, and a public API/data solutions tier for bulk/programmatic access.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on serpstat.com“"We never sell personal data, and we carry out all processing operations in strict compliance with the EU General Data Protection Regulation ("GDPR")." The policy also names an EU representative, Netpeak Group Ltd. (Sofia, Bulgaria).”
> Show 7 unconfirmed / not-held certifications
source: serpstat.comNo public evidence. No SOC 2 report, badge, or mention found on serpstat.com (home page, privacy policy, license/user agreement, or about-us page). A third-party risk-profile aggregator (Nudge Security) lists 'SOC 2 Compliant' with no supporting link, certificate, or citation, and its own Security Page/Security Portal/Bug Bounty links are broken - this is an unverified aggregator claim, not vendor-sourced proof, so it is disregarded per the identity/over-claim rule.
source: serpstat.comNo public evidence. No ISO 27001 certificate, registry entry, or mention found anywhere on serpstat.com. Same third-party aggregator over-claim issue as SOC 2 above.
source: serpstat.comNo public evidence. No HIPAA mention, BAA offering, or healthcare-data language found on serpstat.com. HIPAA is also out of scope for an SEO/marketing analytics tool that does not process PHI. Third-party aggregator's 'HIPAA Compliant' badge is unverified and disregarded.
source: serpstat.comNo public evidence of Serpstat's own PCI DSS certification. Payment processing is delegated to third parties (Stripe, PayPal per the privacy policy), so card-data handling sits with those processors, not with Serpstat directly. Third-party aggregator's 'PCI Compliant' badge is unverified and disregarded.
source: serpstat.comNo public evidence. FedRAMP applies to cloud services sold to US federal agencies; nothing on serpstat.com references FedRAMP authorization. The 'FedRamp Compliant' claim only appears on an unverified third-party aggregator page and is disregarded as an over-claim.
source: serpstat.comNo public evidence. No CSA STAR registry listing or vendor-domain mention found. The 'CSA Star Level 1 Compliant' claim only appears on an unverified third-party aggregator page and is disregarded.
source: serpstat.comNo public evidence. No AI-governance certification or dedicated AI-security page found on serpstat.com.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not disclosed. The privacy policy does not name a hosting region/data center location. The license agreement is governed by the laws of Cyprus; the company's roots and stated team are in Odesa, Ukraine, with a UK-registered Netpeak LTD entity and an EU (Bulgaria) representative for GDPR purposes.
No public statement found on whether Serpstat's own AI features (e.g. AI content checker) train on customer inputs, and no opt-out mechanism is documented. The privacy policy and license agreement are both silent on AI/ML data use, so this is marked unknown rather than assumed either way.
// Security controls
Encryption in transit
Not documented on a dedicated security page (none exists). Site itself is served over HTTPS, but no vendor statement commits to encryption standards for the product/API.
serpstat.comData backups
Privacy policy states account data is processed to "maintain back-ups of their databases" but gives no detail on frequency, retention, or method.
serpstat.comSubprocessors / third-party services
Named third parties include Google, OWOX, Reply, GetResponse, plus payment processors Stripe and PayPal; policy states these are "contractually bound to keep information confidential." No full subprocessor list published.
serpstat.comBug bounty / vulnerability disclosure
Not found on serpstat.com. A third-party aggregator page references a security portal and bug bounty link, but both are broken/empty, so this cannot be confirmed as vendor-offered.
serpstat.comLiability / uptime commitments
License agreement provides the service "AS-IS" and "AS-AVAILABLE" with no uptime SLA and disclaims liability for direct, indirect, incidental, punitive, and consequential damages.
serpstat.com// Products & data scope
data: Customer account data, tracked keywords/domains, and third-party SEO metrics (backlinks, SERP data); no PII beyond account/billing info per the privacy policy.
Primary product; self-serve subscription plans (individual/agency tiers). No enterprise-specific security tier or dedicated compliance page identified.
data: Programmatic access to the same underlying keyword/backlink/SERP datasets; usage tied to API credentials.
No separate API-specific security documentation (rate limiting, auth model, data handling) found on the vendor's own domain.
// What to watch
- Over-claim risk: a third-party risk-profile aggregator (Nudge Security) lists Serpstat as SOC 2, ISO 27001, GDPR, PCI, HIPAA, FedRAMP, and CSA STAR Level 1 'Compliant' with no citations and broken source links; none of these claims (other than the GDPR posture, which IS directly supported by Serpstat's own privacy policy) could be verified on Serpstat's own domain. Do not surface these aggregator badges as verified certifications.
- No dedicated trust/security page exists on serpstat.com (serpstat.com/security returns 404); compliance information is limited to a general privacy policy and license/user agreement.
- Identity/entity complexity: Serpstat's own license agreement names four different operating entities (Netpeak LTD, Serpstat Global LTD, Serpstat LTD, Promotions and Development Group Corporation) across at least three jurisdictions (UK, Cyprus governing law, Ukraine origin, Bulgaria EU rep) with no single named legal entity as the clear contracting party - this should be clarified with the vendor before any enterprise procurement decision.
- No data hosting/region disclosure and no formal DPA reference found, which will be a gap for enterprise or regulated buyers even though the vendor is GDPR-postured for EU personal data generally.
- AI-training posture on customer data is undocumented (product includes an AI content checker feature) - unknown, not confirmed either way.
// At a glance
Pricing model
Tiered SaaS subscription (per-seat/usage plans) plus a free 7-day trial; separate API/custom-dataset pricing for bulk data access.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Netpeak Group / Serpstat (operated by Netpeak LTD, Serpstat Global LTD, Serpstat LTD, and Promotions and Development Group Corporation, per Serpstat's own license agreement)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
serpstat.com