// Trust & Security Report
Block, Inc. (Square)
Business commerce platform including Point of Sale hardware and software, Payments, Payroll, Banking (Checking/Savings), Marketing, Loyalty, Appointments, and Square AI analytics
Certifications held
10
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.squareup.com“Compliance (9) ... PCI DSS 4.0.1 ... PCI DSS AOC [document available]”
Verify on trust.squareup.com“Compliance (9) ... SOC 2 Type 2 ... SOC 2 Type II Report [document available]”
Verify on trust.squareup.com“Compliance (9) ... ISO 27001:2022 ... ISO 27001 [certificate document available]. Original certification achieved January 12, 2022 via third-party audit firm extensive review of Square's ISMS.”
Verify on trust.squareup.com“Compliance (9) ... ISO 22301:2019”
Verify on trust.squareup.com“Compliance (9) ... PCI PTS POI ... PCI PTS Approval [document available]”
Verify on squareup.com“Square offers a HIPAA Business Associate Agreement available through their legal resources page, applicable to Square Appointments, Invoices, and other features explicitly marked as HIPAA-compliant. Excludes Square Buyer Services.”
Verify on squareup.com“EU/UK residents enjoy access, rectification, erasure, portability rights. Square uses Standard Contractual Clauses for international transfers. The Irish Data Protection Commission serves as lead supervisory authority for EU processing.”
> Show 4 unconfirmed / not-held certifications
source: trust.squareup.comNo public evidence found on vendor domain or trust center.
source: trust.squareup.comNo public evidence found on vendor domain or trust center.
source: trust.squareup.comNo public evidence found on vendor domain or trust center.
source: trust.squareup.comNot listed in Trust Center compliance section (9 items). No public evidence found.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Multi-region: United States, United Kingdom, EU, Australia, Japan. No data residency lock-in; global transfers permitted to affiliates and subprocessors.
Square's AI Terms of Service explicitly grant Square a broad license to use customer AI Content 'to provide, promote, incorporate into, train, fine-tune, test, evaluate and develop the AI Products.' No opt-out mechanism exists. The ToS states: 'IF YOU DO NOT WISH TO GRANT SQUARE A LICENSE TO ANY OF YOUR AI CONTENT, PLEASE DO NOT USE SQUARE'S AI PRODUCTS.' This applies only to Square AI Products, not to core payment/POS features. Outputs may persist in historical or cached copies indefinitely.
// Security controls
Encryption in transit
Industry-standard SSL/TLS. Symmetric keys minimum 128 bits; asymmetric keys minimum 2048 bits. Only standard, well-reviewed cryptographic protocols and message formats (SSL, PGP) used.
squareup.comEncryption at rest
Sensitive data encrypted using industry-standard methods when stored on disk. Full data encryption within card reader at moment of swipe.
squareup.comBug Bounty Program
Active program listed in Trust Center Application Security controls.
trust.squareup.comPenetration Testing
Ongoing penetration testing listed in Audits and Assessments controls.
trust.squareup.comEndpoint Protection and MDM
Endpoint Protection and Mobile Device Management (MDM) listed in controls.
trust.squareup.comBackground Checks
Employee background checks listed in Access Management controls.
trust.squareup.comSOX Compliance
SOX Compliance noted via SEC Filings (Block, Inc. is publicly traded).
trust.squareup.com// Products & data scope
data: Transaction data, customer payment card data (encrypted), sales records
PCI DSS 4.0.1 compliant; merchants do not need separate PCI validation. Hardware includes Reader, Terminal, Stand, Register, Handheld.
data: Payment card data, transaction history, payout data
PCI DSS Level 1 certified. End-to-end encryption at point of swipe/tap/dip.
data: Banking transactions, account balances, financial data
FDIC pass-through insurance via Sutton Bank. Issued by Square Financial Services, Inc., a Block, Inc. subsidiary. Not FDIC-insured bank itself.
data: Employee PII, salary/wage data, tax records
Subject to payroll-specific terms. Sensitive employee data processed.
data: Customer booking data, potentially PHI for healthcare providers
HIPAA BAA available and applies to Appointments for eligible healthcare providers.
data: Business data, sales analytics, customer insights
Trains on customer AI Content. No opt-out. Governed by separate AI Terms of Service. ISO 42001 not held.
data: Customer contact data, purchase history, loyalty points
Customer Directory subject to standard privacy notice.
// What to watch
- AI_TRAINING_NO_OPTOUT: Square AI Terms explicitly grant Square a broad license to train on customer AI Content with zero opt-out mechanism. Businesses that do not wish to grant this license must forgo all Square AI Products.
- HIPAA_SCOPE_GAP: HIPAA BAA explicitly excludes Square Buyer Services (consumer-facing features). Organizations handling PHI must verify each specific product is covered before use.
- TRUST_CENTER_GATED: Trust Center (trust.squareup.com) is powered by Vendict and some reports (SOC 2 Type II, ISO 27001 certificate) require account access to download. Public-facing overview is accessible without login.
- NO_DATA_RESIDENCY_GUARANTEE: No contractual data residency lock-in; data may be processed globally. EU users are protected via SCCs with Irish DPA as lead supervisory authority, but no dedicated EU-only data region option is publicly documented.
// At a glance
Pricing model
Freemium core POS with transaction-based fees; subscription tiers for advanced features (Plus, Premium); hardware sold separately or via installment plans
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Block, Inc. (Square)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.squareup.com