// Trust & Security Report

    Snyk Limited logo

    Snyk Limited

    Snyk AI Security Platform (developer security / AppSec). Independent security layer that validates AI-generated code, governs development agents, and secures AI-native applications. Includes Snyk Code (SAST), Snyk Open Source (SCA), Snyk Container, Snyk IaC, DeepCode AI, and Evo (Agentic Development Security).

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    We uphold ISO 27001, SOC2 Type II, and GDPR compliance, protecting your data with encryption and regional residency.

    Verify on trust.snyk.io
    ISO 27017:2015
    HELD

    Compliance ... ISO 27001:2022 ISO 27017:2015 SOC 2 Type II PCI DSS - SAQ A ... FedRAMP Rev. 5

    Verify on trust.snyk.io
    SOC 2 Type II
    HELD

    We uphold ISO 27001, SOC2 Type II, and GDPR compliance ... SOC 2 - Type II

    Verify on trust.snyk.io
    PCI DSS (SAQ A)
    HELD

    Compliance ... PCI DSS - SAQ A ... PCI-DSS Certificate

    Verify on trust.snyk.io
    FedRAMP Rev. 5
    HELD

    Compliance ... FedRAMP Rev. 5

    Verify on trust.snyk.io
    GDPR
    HELD

    We uphold ISO 27001, SOC2 Type II, and GDPR compliance, protecting your data with encryption and regional residency.

    Verify on trust.snyk.io
    Secure by Design Pledge (CISA)
    HELD

    Compliance ... Secure by Design Pledge

    Verify on trust.snyk.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer-selectable: data can be hosted in the U.S., EU, or Australia at the customer's election (AWS-backed). CDN (Akamai) processes data from the region closest to the user.

    Trust Center states explicitly: 'We ensure transparency: customer code is never used for AI training.' Snyk's DeepCode AI is trained on its own curated security data, not customer code. An 'AI FAQ' and dedicated 'How does Snyk leverage AI within the product?' FAQ are published in the Trust Center.

    // Security controls

    Bug bounty / vulnerability disclosure

    Vulnerability Disclosure Program (VDP) hosted on Intigriti (Snyk VDP) with safe-harbour terms. Responsible disclosure program for Snyk products; Snyk is also a CVE Numbering Authority (CNA). Not HackerOne/Bugcrowd.

    app.intigriti.com

    Penetration testing

    Multiple third-party penetration tests published in Trust Center, including Container, IaC, Network, Open Source SCA, and 'Pen Test - 2025-12 - Probely Redacted.pdf'. Pentests are recurring and product-scoped.

    trust.snyk.io

    Encryption

    Data protected with encryption (at rest and in transit) per Trust Center statement.

    trust.snyk.io

    SSO / authentication

    Single Sign-On (SSO) supported; identity via Okta/Auth0 as subprocessor.

    trust.snyk.io

    Business continuity / DR

    Published BC/DR overview, BC and DR test reports (2025), Business Continuity Plan and Disaster Recovery Plan available in Trust Center.

    trust.snyk.io

    Subprocessors transparency

    Full subprocessor list published (AWS, Akamai, Amplitude, Okta/Auth0, etc.) with data-location and access notes.

    trust.snyk.io

    Recent incident transparency

    Disclosed a third-party vendor (Klue) security incident on June 20, 2026 affecting Snyk's Salesforce environment via Klue integration. Snyk states no impact to Snyk products, scanning engines, or customer-facing services; investigation ongoing.

    trust.snyk.io

    // Products & data scope

    Snyk Code (DeepCode AI / SAST)Static application security testing

    data: Scans customer source code; customer code is not used for AI training per Trust Center.

    AI-powered static analysis. Available in IDEs, CLI, and CI/CD.

    Snyk Open Source (SCA)Software composition analysis

    data: Analyzes dependency manifests against Snyk's vulnerability database.

    Backed by the Snyk Security Database (security.snyk.io); Snyk is a CNA.

    Snyk Container & Snyk IaCContainer / infrastructure-as-code security

    data: Scans container images and IaC configs (AWS, Azure, GCP, Kubernetes).

    Dedicated penetration tests published for both.

    Evo (Agentic Development Security / ADS)AI / agentic development security

    data: Validates AI-generated code and governs development agents (Claude Code, Cursor, Codex integrations).

    Newest offering; positioned as the 'AI Security Fabric'.

    // What to watch

    • Recent third-party (Klue) security incident disclosed 2026-06-20 affecting Snyk's Salesforce CRM environment; Snyk states no impact to products/customer data, investigation ongoing. Worth noting for procurement due diligence.
    • Bug handling is via an Intigriti Vulnerability Disclosure Program (not a paid public bug bounty on HackerOne/Bugcrowd).

    // At a glance

    Pricing model

    Freemium + tiered SaaS subscription (Free, Team, Enterprise). Free account, no credit card required; enterprise pricing via sales.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Snyk Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.snyk.io

    > Browse all vendor trust reports