// Trust & Security Report

    Block, Inc. (Square) logo

    Block, Inc. (Square)

    Business commerce platform including Point of Sale hardware and software, Payments, Payroll, Banking (Checking/Savings), Marketing, Loyalty, Appointments, and Square AI analytics

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS 4.0.1
    HELD

    Compliance (9) ... PCI DSS 4.0.1 ... PCI DSS AOC [document available]

    Verify on trust.squareup.com
    SOC 2 Type 2
    HELD

    Compliance (9) ... SOC 2 Type 2 ... SOC 2 Type II Report [document available]

    Verify on trust.squareup.com
    SOC 1 Type 2
    HELD

    Compliance (9) ... SOC 1 Type 2

    Verify on trust.squareup.com
    ISO 27001:2022
    HELD

    Compliance (9) ... ISO 27001:2022 ... ISO 27001 [certificate document available]. Original certification achieved January 12, 2022 via third-party audit firm extensive review of Square's ISMS.

    Verify on trust.squareup.com
    ISO 22301:2019 (Business Continuity)
    HELD

    Compliance (9) ... ISO 22301:2019

    Verify on trust.squareup.com
    PCI MPoC
    HELD

    Compliance (9) ... PCI MPoC

    Verify on trust.squareup.com
    PCI PIN
    HELD

    Compliance (9) ... PCI PIN

    Verify on trust.squareup.com
    PCI PTS POI
    HELD

    Compliance (9) ... PCI PTS POI ... PCI PTS Approval [document available]

    Verify on trust.squareup.com
    HIPAA
    HELD

    Square offers a HIPAA Business Associate Agreement available through their legal resources page, applicable to Square Appointments, Invoices, and other features explicitly marked as HIPAA-compliant. Excludes Square Buyer Services.

    Verify on squareup.com
    GDPR (compliance posture)
    HELD

    EU/UK residents enjoy access, rectification, erasure, portability rights. Square uses Standard Contractual Clauses for international transfers. The Irish Data Protection Commission serves as lead supervisory authority for EU processing.

    Verify on squareup.com
    > Show 4 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    No public evidence found on vendor domain or trust center.

    source: trust.squareup.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on vendor domain or trust center.

    source: trust.squareup.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found on vendor domain or trust center.

    source: trust.squareup.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    Not listed in Trust Center compliance section (9 items). No public evidence found.

    source: trust.squareup.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Multi-region: United States, United Kingdom, EU, Australia, Japan. No data residency lock-in; global transfers permitted to affiliates and subprocessors.

    Square's AI Terms of Service explicitly grant Square a broad license to use customer AI Content 'to provide, promote, incorporate into, train, fine-tune, test, evaluate and develop the AI Products.' No opt-out mechanism exists. The ToS states: 'IF YOU DO NOT WISH TO GRANT SQUARE A LICENSE TO ANY OF YOUR AI CONTENT, PLEASE DO NOT USE SQUARE'S AI PRODUCTS.' This applies only to Square AI Products, not to core payment/POS features. Outputs may persist in historical or cached copies indefinitely.

    // Security controls

    Encryption in transit

    Industry-standard SSL/TLS. Symmetric keys minimum 128 bits; asymmetric keys minimum 2048 bits. Only standard, well-reviewed cryptographic protocols and message formats (SSL, PGP) used.

    squareup.com

    Encryption at rest

    Sensitive data encrypted using industry-standard methods when stored on disk. Full data encryption within card reader at moment of swipe.

    squareup.com

    Zero Trust Architecture

    Listed as an active control in Trust Center.

    trust.squareup.com

    Bug Bounty Program

    Active program listed in Trust Center Application Security controls.

    trust.squareup.com

    Penetration Testing

    Ongoing penetration testing listed in Audits and Assessments controls.

    trust.squareup.com

    DDoS Protection

    DDoS Protection listed in Network Security controls.

    trust.squareup.com

    Endpoint Protection and MDM

    Endpoint Protection and Mobile Device Management (MDM) listed in controls.

    trust.squareup.com

    Incident Response

    Formal Incident Response Plan listed in controls.

    trust.squareup.com

    Background Checks

    Employee background checks listed in Access Management controls.

    trust.squareup.com

    SOX Compliance

    SOX Compliance noted via SEC Filings (Block, Inc. is publicly traded).

    trust.squareup.com

    // Products & data scope

    Square Point of SalePayment Processing / POS

    data: Transaction data, customer payment card data (encrypted), sales records

    PCI DSS 4.0.1 compliant; merchants do not need separate PCI validation. Hardware includes Reader, Terminal, Stand, Register, Handheld.

    Square PaymentsPayment Processing

    data: Payment card data, transaction history, payout data

    PCI DSS Level 1 certified. End-to-end encryption at point of swipe/tap/dip.

    Square Banking (Checking/Savings)Financial Services

    data: Banking transactions, account balances, financial data

    FDIC pass-through insurance via Sutton Bank. Issued by Square Financial Services, Inc., a Block, Inc. subsidiary. Not FDIC-insured bank itself.

    Square PayrollHR / Payroll

    data: Employee PII, salary/wage data, tax records

    Subject to payroll-specific terms. Sensitive employee data processed.

    Square AppointmentsScheduling / Booking

    data: Customer booking data, potentially PHI for healthcare providers

    HIPAA BAA available and applies to Appointments for eligible healthcare providers.

    Square AIAI Analytics / Business Intelligence

    data: Business data, sales analytics, customer insights

    Trains on customer AI Content. No opt-out. Governed by separate AI Terms of Service. ISO 42001 not held.

    Square Marketing and LoyaltyCRM / Marketing

    data: Customer contact data, purchase history, loyalty points

    Customer Directory subject to standard privacy notice.

    // What to watch

    • AI_TRAINING_NO_OPTOUT: Square AI Terms explicitly grant Square a broad license to train on customer AI Content with zero opt-out mechanism. Businesses that do not wish to grant this license must forgo all Square AI Products.
    • HIPAA_SCOPE_GAP: HIPAA BAA explicitly excludes Square Buyer Services (consumer-facing features). Organizations handling PHI must verify each specific product is covered before use.
    • TRUST_CENTER_GATED: Trust Center (trust.squareup.com) is powered by Vendict and some reports (SOC 2 Type II, ISO 27001 certificate) require account access to download. Public-facing overview is accessible without login.
    • NO_DATA_RESIDENCY_GUARANTEE: No contractual data residency lock-in; data may be processed globally. EU users are protected via SCCs with Irish DPA as lead supervisory authority, but no dedicated EU-only data region option is publicly documented.

    // At a glance

    Pricing model

    Freemium core POS with transaction-based fees; subscription tiers for advanced features (Plus, Premium); hardware sold separately or via installment plans

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Block, Inc. (Square)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.squareup.com

    > Browse all vendor trust reports