// Trust & Security Report
Typeform
AI-powered forms, surveys, and automated workflows (Intelligent Forms, Growth Flow, Research Flow, plus public REST API and embeds)
Certifications held
11
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.typeform.com“Certifications: SOC2 Type II Report ... our new SOC 2 Type II and HIPAA compliance reports are also finalized and ready!”
Verify on trust.typeform.com“Compliance: SOC 2, ISO/IEC 42001:2023, ISO 27001:2022, ISO 27017:2015, ISO 27018:2019 ... ISO 27001 Certificate”
Verify on trust.typeform.com“Typeform has achieved ISO/IEC 42001 certification - the international standard for AI Management Systems ... independent, third-party validation”
Verify on trust.typeform.com“We have successfully completed our scheduled surveillance audit for ISO/IEC 27001, 27017, and 27018.”
Verify on trust.typeform.com“We have successfully completed our scheduled surveillance audit for ISO/IEC 27001, 27017, and 27018.”
Verify on trust.typeform.com“our new SOC 2 Type II and HIPAA compliance reports are also finalized and ready! ... HIPAA Report”
Verify on trust.typeform.com“Compliance: ... PCI DSS 4.0.1 Service Provider ... PCI DSS 4.0.1 Merchant”
Verify on trust.typeform.com“we have successfully renewed our CSA STAR Level 1 certification! ... our CAIQ is also available here on our Trust Center”
Verify on trust.typeform.com“Typeform has completed and uploaded the Higher Education Community Vendor Assessment Toolkit (HECVAT) ... You can access the HECVAT now on our Trust Center.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US by default; EU data residency available for EU-hosting customers (subprocessors AWS and Okta noted as 'US / EU (for EU hosting customers)'; Salesforce EU). US and EU data centers.
Typeform states none of its customers' data is used to train any model regardless of the underlying provider. AI features run on private model copies (including Anthropic and others) so respondent data is not sent to providers for training; for some analysis features only the form's questions and answer choices (not respondent answers) are sent, and PII is excluded. ISO/IEC 42001 certification provides independent validation of its AI governance. Verified via Typeform's AI FAQ summary (help center page returned 403 to automated fetch, so the no-training claim is corroborated but not captured as a verbatim on-domain quote).
// Security controls
Encryption
Data encryption utilized (control listed under Product security on Trust Center); admin-security page references encryption controls. Standard TLS in transit / encryption at rest for a platform at this maturity.
trust.typeform.comPenetration testing
Yes - 'Penetration testing performed' control listed; a Penetration Test report is available under Trust Center Additional Resources.
trust.typeform.comMFA / access control
Remote access MFA enforced; unique account and network authentication enforced (Infrastructure security controls).
trust.typeform.comVulnerability disclosure
Dedicated security vulnerability reporting program via help center ('How to report a security vulnerability to Typeform'). A formal public bug-bounty platform (HackerOne/Bugcrowd) is not confirmed from Typeform's own domain; treat as VDP confirmed, paid bug-bounty platform unverified.
help.typeform.comBusiness continuity / DR
Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained.
trust.typeform.comSubprocessors
Published list: AWS (cloud infra + AI features, US/EU), Okta (identity, US/EU), Salesforce (CRM, EU), Snowflake (data warehouse, US).
trust.typeform.com// Products & data scope
data: Collects respondent/zero-party data; AI builds forms and runs topic/sentiment analysis. Customer + response data stored US or EU.
Core product; 48M+ responses/month. AI analysis runs on private model copies, not used for training.
data: Enriches lead/customer data, builds segments, triggers email/SMS follow-ups; integrates Stripe, PayPal, Calendly, Google Calendar. Broader PII and payment-adjacent data flows.
Newer module; data enrichment expands data scope beyond form responses - reviewers handling regulated data should scope this separately.
data: Runs AI-moderated text/video/voice interviews at scale, recruits verified panels, captures voice/video and incentive/payment data.
Newer module; voice/video capture and panel recruitment add biometric-adjacent and respondent-PII considerations.
data: REST API and embeds for programmatic form/response access under Developer Terms and Conditions.
Governed by separate Developer Terms; same underlying compliance posture.
// What to watch
- AI no-training claim is well-corroborated (search summary of Typeform AI FAQ + ISO 42001 cert) but the help-center FAQ page returned HTTP 403 to automated fetch, so it was not captured as a verbatim on-domain quote.
- Vulnerability disclosure program confirmed on Typeform's domain, but a paid public bug-bounty platform (HackerOne/Bugcrowd) could not be confirmed from a first-party source.
- Privacy Policy and DPA live behind a Trust Center document selector (admin.typeform.com/to/dwk6gt) rather than a static URL.
- Newer Growth Flow and Research Flow modules expand data scope (enrichment, voice/video, payments); compliance reports cover the platform but per-module scoping is advisable for regulated buyers.
// At a glance
Pricing model
Freemium SaaS with paid Basic/Plus/Business tiers plus custom Enterprise plans (free 'Get started' tier advertised).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Typeform's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.typeform.com