// Trust & Security Report
Smartly.io Solutions Oy
AI advertising platform with three integrated suites: Smartly Creative (ad creative production/personalization), Smartly Media (cross-channel campaign management/buying), and Smartly Intelligence (analytics/insights), plus Smartly Synapse, a newly announced (2026) AI orchestration/memory layer that spans all three suites.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on smartly.io“Smartly is certified under the ISO 27001 standard. The globally recognized standard specifies the best practices for information security management.”
Verify on smartly.io“Our services are compliant with GDPR and CCPA requirements – we are committed to provide services that help our customers to comply with the GDPR and CCPA.”
> Show 7 unconfirmed / not-held certifications
source: smartly.ioNo public evidence on smartly.io's own Security page, Privacy Policy, or DPA of a SOC 2 report. A non-vendor-domain vendor-risk aggregator (Nudge Security) states Smartly was 'working towards SOC 2 Type I and later Type II' as of April 2024, but this is unconfirmed on any smartly.io page as of this review.
source: smartly.ioNo public evidence of HIPAA compliance on smartly.io. Not applicable to Smartly's advertising/marketing product (no indication of handling PHI).
source: smartly.ioNo public evidence of PCI DSS on smartly.io. Search-engine-generated summaries claimed 'PCI Compliant' but this does not appear on the vendor's own Security page, Privacy Policy, or DPA and is treated as unverified.
source: smartly.ioNo public evidence of a CSA STAR registry entry or self-assessment on smartly.io. A third-party summary claimed 'CSA Star Level 1 Compliant' but this is not stated anywhere on the vendor's own domain.
source: smartly.ioNo mention of ISO/IEC 42001 or any AI-governance-specific certification on smartly.io's Security page, despite the company actively marketing AI features (Smartly Synapse).
source: smartly.ioNo public evidence of FedRAMP authorization on smartly.io. Not applicable; Smartly does not market to U.S. federal agencies.
source: smartly.ioOnly ISO 27001 is named on the Security page; no mention of ISO 27017 (cloud security), 27018 (cloud privacy), or 27701 (privacy information management) extensions.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Primary hosting in Germany (Hetzner Online GmbH) with additional AWS European regions and CloudFlare; Privacy Policy discloses that personal data may also be transferred outside the EU (including to the US, Brazil, Australia, Japan, Singapore, Argentina) under Standard Contractual Clauses for certain processing purposes such as marketing.
The Privacy Policy and Security page make no explicit statement about whether customer data is used to train AI/ML models, and no opt-out mechanism for AI training is disclosed. The newly announced Smartly Synapse product is described in vendor marketing as a 'memory layer' that 'synthesizes company context, user behavior, market trends, pre-launch intelligence and performance data at scale' and 'learns from every campaign, improving future recommendations, execution and performance' — language that implies continuous learning from aggregated/cross-account data, but no per-customer training-data scope, retention, or opt-out policy could be located on smartly.io as of this review. Flagged for follow-up with the vendor directly.
// Security controls
Encryption at rest
Disk encryption, aes-xts-plain64:sha512 with 512-bit keys; encrypted backups
smartly.ioAuthentication
Minimum 12-character passwords, optional TOTP two-factor authentication, bcrypt password hashing (cost factor 13) plus application salt
smartly.ioPenetration testing
Annual external penetration testing and code reviews by third-party consultants; internal pen testing/code review at least annually and after major changes; monthly scanning of internet-facing systems
smartly.ioHosting / infrastructure
Linux servers in German data centers (Hetzner Online GmbH), plus AWS European regions and CloudFlare; all infra providers state their own ISO 27001 certification (host-level, not Smartly's own cert)
smartly.ioNetwork security
Production isolated from dev/test, multiple firewall layers, CloudFlare WAF and DDoS protection
smartly.ioIncident response / monitoring
Centralized logging, continuous anomaly monitoring, intrusion detection system, documented incident response procedures
smartly.ioBusiness continuity
24-hour RTO/RPO targets, multi-datacenter distribution with load balancing, daily monitored and tested backups
smartly.io// Products & data scope
data: Customer brand assets, creative templates, product feeds used to build/personalize ads
One of three core suites; positioned to reduce creative production time.
data: Connected ad-platform accounts (Meta, Google, TikTok, Pinterest, Snapchat, etc.), spend, targeting, and campaign configuration data
Automates campaign launch/management across social and other ad channels.
data: Aggregated cross-channel performance/metrics data
Reporting and insight layer across Creative and Media.
data: Aggregates company context, user behavior, market trends, pre-launch intelligence and performance data across the platform to inform recommendations
Newly announced (2026); vendor marketing describes continuous cross-campaign learning, but public documentation of data retention, isolation between customers, and training-data opt-out was not found. Flagged for extra scrutiny before enterprise listing claims.
// What to watch
- Third-party/aggregator sources (search-engine summaries, Nudge Security-style vendor-risk profiles) claim Smartly.io is 'SOC 2 Compliant, HIPAA Compliant, PCI Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant' — none of these appear on smartly.io's own Security page, Privacy Policy, or DPA. Treated as unverified over-claims; do not list these certs without direct vendor confirmation.
- Name-conflation risk: 'Smartly.rocks' is a distinct, unrelated compliance-automation SaaS company that dominates search results for queries like 'Smartly SOC 2 ISO 27001'. Its certifications/marketing must not be attributed to Smartly.io (the ad-tech vendor assessed here).
- Smartly's infrastructure providers (Hetzner, AWS, CloudFlare) are described as ISO 27001 certified on the vendor's own Security page — that is the hosting providers' certification, not an independent Smartly.io claim beyond its own stated ISO 27001 registration; kept distinct in this record.
- No disclosed AI-training opt-out or training-data scope for the new Smartly Synapse feature; marketing language implies continuous cross-campaign learning without a clear customer-data boundary statement.
- ISO 27001 certificate PDF is linked from the vendor's Security page but is a scanned/binary PDF; scope and expiry date could not be machine-extracted during this review (existence and vendor claim confirmed via page text, not via reading the certificate itself).
// At a glance
Pricing model
Enterprise sales-led / custom quote (no public self-serve pricing; site funnels to 'Get a Demo')
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Smartly.io Solutions Oy's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
smartly.io