// Trust & Security Report
Snyk Limited
Snyk AI Security Platform (developer security / AppSec). Independent security layer that validates AI-generated code, governs development agents, and secures AI-native applications. Includes Snyk Code (SAST), Snyk Open Source (SCA), Snyk Container, Snyk IaC, DeepCode AI, and Evo (Agentic Development Security).
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.snyk.io“We uphold ISO 27001, SOC2 Type II, and GDPR compliance, protecting your data with encryption and regional residency.”
Verify on trust.snyk.io“Compliance ... ISO 27001:2022 ISO 27017:2015 SOC 2 Type II PCI DSS - SAQ A ... FedRAMP Rev. 5”
Verify on trust.snyk.io“We uphold ISO 27001, SOC2 Type II, and GDPR compliance ... SOC 2 - Type II”
Verify on trust.snyk.io“We uphold ISO 27001, SOC2 Type II, and GDPR compliance, protecting your data with encryption and regional residency.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer-selectable: data can be hosted in the U.S., EU, or Australia at the customer's election (AWS-backed). CDN (Akamai) processes data from the region closest to the user.
Trust Center states explicitly: 'We ensure transparency: customer code is never used for AI training.' Snyk's DeepCode AI is trained on its own curated security data, not customer code. An 'AI FAQ' and dedicated 'How does Snyk leverage AI within the product?' FAQ are published in the Trust Center.
// Security controls
Bug bounty / vulnerability disclosure
Vulnerability Disclosure Program (VDP) hosted on Intigriti (Snyk VDP) with safe-harbour terms. Responsible disclosure program for Snyk products; Snyk is also a CVE Numbering Authority (CNA). Not HackerOne/Bugcrowd.
app.intigriti.comPenetration testing
Multiple third-party penetration tests published in Trust Center, including Container, IaC, Network, Open Source SCA, and 'Pen Test - 2025-12 - Probely Redacted.pdf'. Pentests are recurring and product-scoped.
trust.snyk.ioEncryption
Data protected with encryption (at rest and in transit) per Trust Center statement.
trust.snyk.ioSSO / authentication
Single Sign-On (SSO) supported; identity via Okta/Auth0 as subprocessor.
trust.snyk.ioBusiness continuity / DR
Published BC/DR overview, BC and DR test reports (2025), Business Continuity Plan and Disaster Recovery Plan available in Trust Center.
trust.snyk.ioSubprocessors transparency
Full subprocessor list published (AWS, Akamai, Amplitude, Okta/Auth0, etc.) with data-location and access notes.
trust.snyk.ioRecent incident transparency
Disclosed a third-party vendor (Klue) security incident on June 20, 2026 affecting Snyk's Salesforce environment via Klue integration. Snyk states no impact to Snyk products, scanning engines, or customer-facing services; investigation ongoing.
trust.snyk.io// Products & data scope
data: Scans customer source code; customer code is not used for AI training per Trust Center.
AI-powered static analysis. Available in IDEs, CLI, and CI/CD.
data: Analyzes dependency manifests against Snyk's vulnerability database.
Backed by the Snyk Security Database (security.snyk.io); Snyk is a CNA.
data: Scans container images and IaC configs (AWS, Azure, GCP, Kubernetes).
Dedicated penetration tests published for both.
data: Validates AI-generated code and governs development agents (Claude Code, Cursor, Codex integrations).
Newest offering; positioned as the 'AI Security Fabric'.
// What to watch
- Recent third-party (Klue) security incident disclosed 2026-06-20 affecting Snyk's Salesforce CRM environment; Snyk states no impact to products/customer data, investigation ongoing. Worth noting for procurement due diligence.
- Bug handling is via an Intigriti Vulnerability Disclosure Program (not a paid public bug bounty on HackerOne/Bugcrowd).
// At a glance
Pricing model
Freemium + tiered SaaS subscription (Free, Team, Enterprise). Free account, no credit card required; enterprise pricing via sales.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Snyk Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.snyk.io