// Trust & Security Report
Similarweb LTD
Digital data intelligence suite (Web Intelligence, App Intelligence, Sales Intelligence, Retail Intelligence, AI Search Intelligence, Stock Intelligence, Data-as-a-Service API, browser extension, free web tools)
Certifications held
7
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on similarweb.com“We're dedicated to customer data security and hold an independently validated SOC2 and ISO 27001 certification. This demonstrates our unwavering commitment to secure services and processes, and to data confidentiality. ... Heading: 'SOC2 Type II and ISO 27001 validated'”
Verify on trustcenter.similarweb.com“SOC 3 - Listed in the compliance section of the Similarweb Trust Center alongside SOC 2 Type 2 and ISO/IEC 27001:2022.”
Verify on trustcenter.similarweb.com“hold an independently validated SOC2 and ISO 27001 certification ... Trust Center lists 'ISO/IEC 27001:2022' in its compliance section.”
Verify on trustcenter.similarweb.com“CCPA - Listed in the compliance section of the Similarweb Trust Center.”
Verify on trustcenter.similarweb.com“VPAT - Listed in the compliance section of the Similarweb Trust Center.”
Verify on similarweb.com“Similarweb states it strives to 'go above and beyond data privacy laws, regulations, and industry standards' and references compliance with privacy laws like GDPR/CCPA, but GDPR is a regulation (not a certification) and was not displayed as a discrete badge on the Trust Center compliance list. Posture is present; treated as compliance posture, not a held certificate.”
Verify on trustcenter.similarweb.com“Not displayed on the Trust Center compliance list (payments are typically handled by a third-party processor).”
> Show 1 unconfirmed / not-held certifications
source: trustcenter.similarweb.comNot listed on the Trust Center or security page. Not applicable to a digital-market-intelligence product.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not stated
Data region
unknown (Similarweb runs on cloud infrastructure; the privacy statement allows international transfer with safeguards. The third-party cookie/consent provider referenced on the marketing site is Microsoft.)
Similarweb is itself a data vendor, not an LLM provider. Its 'Data for AI' offering states training datasets are 'aggregated, anonymized, and privacy-compliant' and 'fully licensed for commercial AI training', sourced from a global opted-in panel - this concerns the data products it SELLS, not ingestion of a SaaS customer's own uploaded business data. No statement was found indicating Similarweb trains models on a customer's CRM/account data submitted to Sales Intelligence or other SaaS products. Customers ingesting personal data (e.g. CRM enrichment) should review the DPA and obtain explicit AI-use terms.
// Security controls
Disaster recovery / business continuity
Maintain and enhance disaster recovery and business continuity plans, and test them regularly
similarweb.comThird-party / vendor risk management
Use a dedicated third parties risk assessment platform to perform an ongoing third-party security review of our key suppliers
similarweb.comPenetration testing
unknown - not explicitly stated on public pages; SOC 2 Type II + ISO 27001:2022 audits ordinarily require periodic pen testing, and a Security Whitepaper is available via the Trust Center (gated)
trustcenter.similarweb.comBug bounty / vulnerability disclosure
unknown - no public HackerOne/Bugcrowd program or VDP page found on the vendor domain
trustcenter.similarweb.com// Products & data scope
data: Aggregated digital traffic, audience, keyword and market data; minimal customer-supplied PII
Core flagship product. Data is aggregated market intelligence, low direct-PII risk for the buyer.
data: Contains contact data, lead/company data and CRM enrichment - higher PII handling; buyers should sign a DPA
This product handles third-party contact PII (lead generation, contact data, CRM enrichment), so it carries the heaviest data-protection scope of the suite.
data: Aggregated, panel-derived app usage metrics
Aggregated/anonymized panel data.
data: Aggregated retail/SKU and shopping-behavior data
Market-level retail analytics.
data: Brand visibility, citation and sentiment data across AI search
Newer AI-era visibility tracking module.
data: Large-scale licensed digital datasets delivered via API
Enterprise data feeds; governed by separate data-licensing terms.
data: Extension contributes to the opted-in measurement panel; free tools are anonymous lookups
The browser extension feeds Similarweb's measurement panel - relevant for end users who install it, separate from the paid SaaS data scope.
// What to watch
- Public company (NYSE: SMWB), 6,000+ customers, mature enterprise security program - low vendor-risk profile.
- SOC 2 Type II + ISO/IEC 27001:2022 + SOC 3 confirmed on vendor's own Trust Center and security page with direct quotes.
- Penetration testing and bug bounty/VDP not publicly documented; detailed evidence (Security Whitepaper, InfoSec Policy) sits behind a gated Trust Center - request under NDA for procurement.
- Sales Intelligence handles third-party contact PII - require a DPA for that product specifically.
- DPA, AI-training-on-customer-data stance, and data residency could not be confirmed from public pages; verify in contract.
// At a glance
Pricing model
Commercial subscription (free tools + free trial; paid Starter/Team/Enterprise tiers; custom enterprise and DaaS/API contracts; 'Get a demo' / 'Talk to Sales' for higher tiers)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Similarweb LTD's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.similarweb.com