// Trust & Security Report

    Tabnine Ltd. logo

    Tabnine Ltd.

    AI code completion and coding-agent platform: Tabnine (individual/Pro, cloud SaaS), Tabnine Enterprise (VPC/on-prem/air-gapped self-hosted with SSO and admin controls), and the Enterprise Context Engine (organizational context layer for third-party agents/IDEs/models).

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    SOC 2 listed as a compliance badge/document category on Tabnine's SafeBase trust center, with the report available on request.

    Verify on trust.tabnine.com
    ISO/IEC 27001
    HELD

    ISO/IEC 27001 listed as a compliance badge on Tabnine's trust center.

    Verify on trust.tabnine.com
    ISO 9001:2015
    HELD

    ISO 9001:2015 listed as a compliance badge on Tabnine's trust center.

    Verify on trust.tabnine.com
    GDPR
    HELD

    "Tabnine has successfully achieved compliance with the General Data Protection Regulation (GDPR)"

    Verify on tabnine.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA / BAA
    NOT CONFIRMED

    HIPAA does not appear as a certification/badge on Tabnine's own trust center (only SOC 2, ISO 9001, ISO/IEC 27001 and GDPR are listed). Tabnine's security docs page states infrastructure providers maintain alignment with 'ISO 27001, 27017, 27018, SOC1/SOC2/SOC3, PCI DSS Level 1, HIPAA, and FedRAMP' - this describes the cloud host (AWS/GCP), not a Tabnine-issued HIPAA attestation or BAA. No vendor-owned page was found explicitly offering a signed BAA; third-party trackers describe BAA as available 'on request' through sales, which could not be confirmed on a Tabnine-owned page.

    source: docs.tabnine.com
    PCI DSS
    NOT CONFIRMED

    Not listed as a Tabnine certification on the trust center; only referenced as a host/infrastructure-provider standard on the security docs page, which is the host's compliance, not Tabnine's.

    source: trust.tabnine.com
    ISO 27017 / ISO 27018 (cloud security/privacy)
    NOT CONFIRMED

    Not listed as a Tabnine-held certification on the trust center; mentioned only as an infrastructure-provider (AWS/GCP) standard on the security docs page.

    source: trust.tabnine.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence found of ISO/IEC 42001 certification on Tabnine's trust center or site.

    source: trust.tabnine.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found of CSA STAR registration/certification on Tabnine's trust center or site.

    source: trust.tabnine.com
    FedRAMP
    NOT CONFIRMED

    Not listed as a Tabnine certification; mentioned only as an infrastructure-provider (AWS/GCP) standard, which is the host's authorization, not Tabnine's own FedRAMP status.

    source: docs.tabnine.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    SaaS hosted on AWS (US-East / N. Virginia), GCP (Council Bluffs, Iowa), and Heroku (Virginia) per vendor security docs; Enterprise customers can choose VPC, on-prem, or fully air-gapped deployment to keep data in their own region/network.

    Vendor states a 'no-train-no-retain' policy across all deployment tiers: "We never use your code to train any of our models" and "Tabnine's code completion model and Tabnine Protected chat model are only trained on open source code with permissive licenses." Code sent for inference/personalization (local repo context, completions) is used ephemerally at request time and is not used to retrain foundation models; this local-context feature is enabled by default for completions across tiers but Enterprise admins can control broader 'code awareness' connectors. No documented opt-out is needed for model training because customer code is never used for that purpose in the first place.

    // Security controls

    Encryption in transit

    TLS 1.2 / HTTPS for all traffic between client and Tabnine server; described as 'end-to-end encryption using industry-standard encryption algorithms'.

    docs.tabnine.com

    Encryption at rest

    Stored data (operational logs/metrics, not customer code) encrypted on disk using 256-bit AES.

    docs.tabnine.com

    Code retention

    "No code is stored on our servers. The code is only ephemerally processed to provide coding suggestions and is then immediately discarded." Operational metrics/logs retained approximately one week.

    docs.tabnine.com

    Deployment options

    SaaS (multi-tenant cloud), VPC, on-premises (Kubernetes, incl. SAML2 SSO), and fully air-gapped/offline installation for Enterprise customers with no internet connection.

    docs.tabnine.com

    Penetration testing

    A pentest report is listed as an available document on the trust center (available on request/NDA).

    trust.tabnine.com

    // Products & data scope

    Tabnine (Free / Pro individual)Cloud SaaS AI code completion / chat

    data: Code snippets sent ephemerally to Tabnine's cloud service for inference; not stored or used for model training per vendor policy.

    Consumer/individual tier; trust-center certifications (SOC2, ISO27001, GDPR) apply at the company/infrastructure level but customers should confirm applicability for their specific contract tier.

    Tabnine EnterpriseTeam/enterprise AI coding platform

    data: Deployable as VPC, on-prem Kubernetes, or fully air-gapped, so customer code can be kept entirely within the customer's own network; includes SSO (SAML2), admin policy controls, and audit logging.

    Positioned by the vendor as suited to regulated/highly-secure environments; air-gapped mode removes the SaaS data-transmission question entirely, which is the strongest lever for customers with HIPAA/PCI-type requirements even though Tabnine itself does not list HIPAA as a formal certification.

    Enterprise Context EngineOrganizational context/indexing layer for third-party AI agents, IDEs, and models

    data: Indexes an organization's codebase, architecture, and standards to feed context to any connected agent/tool; described as opt-in/admin-controlled for connecting individual repos.

    Newer standalone product line (per 2025-2026 homepage messaging); no separate trust-center or certification scope was found distinct from the core Tabnine platform, so it should be treated as covered by the same company-wide attestations until confirmed otherwise.

    // What to watch

    • HIPAA/BAA over-claim risk: multiple third-party review sites (Augment Code, AIUnpacking, a HIPAA-BAA vendor tracker) describe Tabnine as 'HIPAA-eligible' or offering a BAA 'on request', but Tabnine's own trust center does NOT list HIPAA as a certification, and the only vendor-domain HIPAA language attributes ISO/SOC/PCI/HIPAA alignment to Tabnine's infrastructure providers (AWS/GCP), not to Tabnine itself. Graded held=false pending a vendor-issued BAA confirmation; do not list Tabnine as HIPAA-certified without direct written confirmation from Tabnine sales/legal.
    • No public DPA (Data Processing Agreement) URL was found on Tabnine's own domain; independent sources note it must be requested during procurement.
    • The newer 'Enterprise Context Engine' product (2025-2026 messaging) does not have distinct, separately verified security/compliance documentation from the core Tabnine platform; treat its data-handling claims as unverified until a dedicated trust page is found.

    // At a glance

    Pricing model

    Per-user subscription (individual Pro tier plus higher-priced Enterprise tier); exact current pricing not verified in this pass.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tabnine Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.tabnine.com

    > Browse all vendor trust reports