// Trust & Security Report

    Netpeak Group / Serpstat (operated by Netpeak LTD, Serpstat Global LTD, Serpstat LTD, and Promotions and Development Group Corporation, per Serpstat's own license agreement) logo

    Netpeak Group / Serpstat (operated by Netpeak LTD, Serpstat Global LTD, Serpstat LTD, and Promotions and Development Group Corporation, per Serpstat's own license agreement)

    All-in-one SEO and content marketing platform: keyword research, rank tracking, backlink analysis, site/page audit, competitor analysis, SERP scraper, keyword clustering, and a public API/data solutions tier for bulk/programmatic access.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    "We never sell personal data, and we carry out all processing operations in strict compliance with the EU General Data Protection Regulation ("GDPR")." The policy also names an EU representative, Netpeak Group Ltd. (Sofia, Bulgaria).

    Verify on serpstat.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No SOC 2 report, badge, or mention found on serpstat.com (home page, privacy policy, license/user agreement, or about-us page). A third-party risk-profile aggregator (Nudge Security) lists 'SOC 2 Compliant' with no supporting link, certificate, or citation, and its own Security Page/Security Portal/Bug Bounty links are broken - this is an unverified aggregator claim, not vendor-sourced proof, so it is disregarded per the identity/over-claim rule.

    source: serpstat.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. No ISO 27001 certificate, registry entry, or mention found anywhere on serpstat.com. Same third-party aggregator over-claim issue as SOC 2 above.

    source: serpstat.com
    HIPAA
    NOT CONFIRMED

    No public evidence. No HIPAA mention, BAA offering, or healthcare-data language found on serpstat.com. HIPAA is also out of scope for an SEO/marketing analytics tool that does not process PHI. Third-party aggregator's 'HIPAA Compliant' badge is unverified and disregarded.

    source: serpstat.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of Serpstat's own PCI DSS certification. Payment processing is delegated to third parties (Stripe, PayPal per the privacy policy), so card-data handling sits with those processors, not with Serpstat directly. Third-party aggregator's 'PCI Compliant' badge is unverified and disregarded.

    source: serpstat.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. FedRAMP applies to cloud services sold to US federal agencies; nothing on serpstat.com references FedRAMP authorization. The 'FedRamp Compliant' claim only appears on an unverified third-party aggregator page and is disregarded as an over-claim.

    source: serpstat.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. No CSA STAR registry listing or vendor-domain mention found. The 'CSA Star Level 1 Compliant' claim only appears on an unverified third-party aggregator page and is disregarded.

    source: serpstat.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence. No AI-governance certification or dedicated AI-security page found on serpstat.com.

    source: serpstat.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not disclosed. The privacy policy does not name a hosting region/data center location. The license agreement is governed by the laws of Cyprus; the company's roots and stated team are in Odesa, Ukraine, with a UK-registered Netpeak LTD entity and an EU (Bulgaria) representative for GDPR purposes.

    No public statement found on whether Serpstat's own AI features (e.g. AI content checker) train on customer inputs, and no opt-out mechanism is documented. The privacy policy and license agreement are both silent on AI/ML data use, so this is marked unknown rather than assumed either way.

    // Security controls

    Encryption in transit

    Not documented on a dedicated security page (none exists). Site itself is served over HTTPS, but no vendor statement commits to encryption standards for the product/API.

    serpstat.com

    Encryption at rest

    n/a - no public evidence found.

    serpstat.com

    Data backups

    Privacy policy states account data is processed to "maintain back-ups of their databases" but gives no detail on frequency, retention, or method.

    serpstat.com

    Subprocessors / third-party services

    Named third parties include Google, OWOX, Reply, GetResponse, plus payment processors Stripe and PayPal; policy states these are "contractually bound to keep information confidential." No full subprocessor list published.

    serpstat.com

    Bug bounty / vulnerability disclosure

    Not found on serpstat.com. A third-party aggregator page references a security portal and bug bounty link, but both are broken/empty, so this cannot be confirmed as vendor-offered.

    serpstat.com

    Liability / uptime commitments

    License agreement provides the service "AS-IS" and "AS-AVAILABLE" with no uptime SLA and disclaims liability for direct, indirect, incidental, punitive, and consequential damages.

    serpstat.com

    // Products & data scope

    Serpstat (core SaaS platform)SEO / content marketing suite

    data: Customer account data, tracked keywords/domains, and third-party SEO metrics (backlinks, SERP data); no PII beyond account/billing info per the privacy policy.

    Primary product; self-serve subscription plans (individual/agency tiers). No enterprise-specific security tier or dedicated compliance page identified.

    Serpstat API / Data SolutionsBulk SEO/SERP data access (API, custom datasets, search volume crawling service)

    data: Programmatic access to the same underlying keyword/backlink/SERP datasets; usage tied to API credentials.

    No separate API-specific security documentation (rate limiting, auth model, data handling) found on the vendor's own domain.

    // What to watch

    • Over-claim risk: a third-party risk-profile aggregator (Nudge Security) lists Serpstat as SOC 2, ISO 27001, GDPR, PCI, HIPAA, FedRAMP, and CSA STAR Level 1 'Compliant' with no citations and broken source links; none of these claims (other than the GDPR posture, which IS directly supported by Serpstat's own privacy policy) could be verified on Serpstat's own domain. Do not surface these aggregator badges as verified certifications.
    • No dedicated trust/security page exists on serpstat.com (serpstat.com/security returns 404); compliance information is limited to a general privacy policy and license/user agreement.
    • Identity/entity complexity: Serpstat's own license agreement names four different operating entities (Netpeak LTD, Serpstat Global LTD, Serpstat LTD, Promotions and Development Group Corporation) across at least three jurisdictions (UK, Cyprus governing law, Ukraine origin, Bulgaria EU rep) with no single named legal entity as the clear contracting party - this should be clarified with the vendor before any enterprise procurement decision.
    • No data hosting/region disclosure and no formal DPA reference found, which will be a gap for enterprise or regulated buyers even though the vendor is GDPR-postured for EU personal data generally.
    • AI-training posture on customer data is undocumented (product includes an AI content checker feature) - unknown, not confirmed either way.

    // At a glance

    Pricing model

    Tiered SaaS subscription (per-seat/usage plans) plus a free 7-day trial; separate API/custom-dataset pricing for bulk data access.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Netpeak Group / Serpstat (operated by Netpeak LTD, Serpstat Global LTD, Serpstat LTD, and Promotions and Development Group Corporation, per Serpstat's own license agreement)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    serpstat.com

    > Browse all vendor trust reports