// Trust & Security Report

    Smartly.io Solutions Oy logo

    Smartly.io Solutions Oy

    AI advertising platform with three integrated suites: Smartly Creative (ad creative production/personalization), Smartly Media (cross-channel campaign management/buying), and Smartly Intelligence (analytics/insights), plus Smartly Synapse, a newly announced (2026) AI orchestration/memory layer that spans all three suites.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    Smartly is certified under the ISO 27001 standard. The globally recognized standard specifies the best practices for information security management.

    Verify on smartly.io
    GDPR / CCPA compliance posture
    HELD

    Our services are compliant with GDPR and CCPA requirements – we are committed to provide services that help our customers to comply with the GDPR and CCPA.

    Verify on smartly.io
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence on smartly.io's own Security page, Privacy Policy, or DPA of a SOC 2 report. A non-vendor-domain vendor-risk aggregator (Nudge Security) states Smartly was 'working towards SOC 2 Type I and later Type II' as of April 2024, but this is unconfirmed on any smartly.io page as of this review.

    source: smartly.io
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance on smartly.io. Not applicable to Smartly's advertising/marketing product (no indication of handling PHI).

    source: smartly.io
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS on smartly.io. Search-engine-generated summaries claimed 'PCI Compliant' but this does not appear on the vendor's own Security page, Privacy Policy, or DPA and is treated as unverified.

    source: smartly.io
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR registry entry or self-assessment on smartly.io. A third-party summary claimed 'CSA Star Level 1 Compliant' but this is not stated anywhere on the vendor's own domain.

    source: smartly.io
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No mention of ISO/IEC 42001 or any AI-governance-specific certification on smartly.io's Security page, despite the company actively marketing AI features (Smartly Synapse).

    source: smartly.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on smartly.io. Not applicable; Smartly does not market to U.S. federal agencies.

    source: smartly.io
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    Only ISO 27001 is named on the Security page; no mention of ISO 27017 (cloud security), 27018 (cloud privacy), or 27701 (privacy information management) extensions.

    source: smartly.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primary hosting in Germany (Hetzner Online GmbH) with additional AWS European regions and CloudFlare; Privacy Policy discloses that personal data may also be transferred outside the EU (including to the US, Brazil, Australia, Japan, Singapore, Argentina) under Standard Contractual Clauses for certain processing purposes such as marketing.

    The Privacy Policy and Security page make no explicit statement about whether customer data is used to train AI/ML models, and no opt-out mechanism for AI training is disclosed. The newly announced Smartly Synapse product is described in vendor marketing as a 'memory layer' that 'synthesizes company context, user behavior, market trends, pre-launch intelligence and performance data at scale' and 'learns from every campaign, improving future recommendations, execution and performance' — language that implies continuous learning from aggregated/cross-account data, but no per-customer training-data scope, retention, or opt-out policy could be located on smartly.io as of this review. Flagged for follow-up with the vendor directly.

    // Security controls

    Encryption in transit

    TLS 1.2+ (TLS 1.2 and 1.3 supported with strongest cipher suites)

    smartly.io

    Encryption at rest

    Disk encryption, aes-xts-plain64:sha512 with 512-bit keys; encrypted backups

    smartly.io

    Authentication

    Minimum 12-character passwords, optional TOTP two-factor authentication, bcrypt password hashing (cost factor 13) plus application salt

    smartly.io

    Penetration testing

    Annual external penetration testing and code reviews by third-party consultants; internal pen testing/code review at least annually and after major changes; monthly scanning of internet-facing systems

    smartly.io

    Hosting / infrastructure

    Linux servers in German data centers (Hetzner Online GmbH), plus AWS European regions and CloudFlare; all infra providers state their own ISO 27001 certification (host-level, not Smartly's own cert)

    smartly.io

    Network security

    Production isolated from dev/test, multiple firewall layers, CloudFlare WAF and DDoS protection

    smartly.io

    Incident response / monitoring

    Centralized logging, continuous anomaly monitoring, intrusion detection system, documented incident response procedures

    smartly.io

    Business continuity

    24-hour RTO/RPO targets, multi-datacenter distribution with load balancing, daily monitored and tested backups

    smartly.io

    // Products & data scope

    Smartly CreativeAd creative production/personalization

    data: Customer brand assets, creative templates, product feeds used to build/personalize ads

    One of three core suites; positioned to reduce creative production time.

    Smartly MediaCross-channel media buying/campaign management

    data: Connected ad-platform accounts (Meta, Google, TikTok, Pinterest, Snapchat, etc.), spend, targeting, and campaign configuration data

    Automates campaign launch/management across social and other ad channels.

    Smartly IntelligenceAd performance analytics

    data: Aggregated cross-channel performance/metrics data

    Reporting and insight layer across Creative and Media.

    Smartly SynapseAI orchestration / shared memory layer

    data: Aggregates company context, user behavior, market trends, pre-launch intelligence and performance data across the platform to inform recommendations

    Newly announced (2026); vendor marketing describes continuous cross-campaign learning, but public documentation of data retention, isolation between customers, and training-data opt-out was not found. Flagged for extra scrutiny before enterprise listing claims.

    // What to watch

    • Third-party/aggregator sources (search-engine summaries, Nudge Security-style vendor-risk profiles) claim Smartly.io is 'SOC 2 Compliant, HIPAA Compliant, PCI Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant' — none of these appear on smartly.io's own Security page, Privacy Policy, or DPA. Treated as unverified over-claims; do not list these certs without direct vendor confirmation.
    • Name-conflation risk: 'Smartly.rocks' is a distinct, unrelated compliance-automation SaaS company that dominates search results for queries like 'Smartly SOC 2 ISO 27001'. Its certifications/marketing must not be attributed to Smartly.io (the ad-tech vendor assessed here).
    • Smartly's infrastructure providers (Hetzner, AWS, CloudFlare) are described as ISO 27001 certified on the vendor's own Security page — that is the hosting providers' certification, not an independent Smartly.io claim beyond its own stated ISO 27001 registration; kept distinct in this record.
    • No disclosed AI-training opt-out or training-data scope for the new Smartly Synapse feature; marketing language implies continuous cross-campaign learning without a clear customer-data boundary statement.
    • ISO 27001 certificate PDF is linked from the vendor's Security page but is a scanned/binary PDF; scope and expiry date could not be machine-extracted during this review (existence and vendor claim confirmed via page text, not via reading the certificate itself).

    // At a glance

    Pricing model

    Enterprise sales-led / custom quote (no public self-serve pricing; site funnels to 'Get a Demo')

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Smartly.io Solutions Oy's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    smartly.io

    > Browse all vendor trust reports