// Trust & Security Report

    Typeform logo

    Typeform

    AI-powered forms, surveys, and automated workflows (Intelligent Forms, Growth Flow, Research Flow, plus public REST API and embeds)

    Certifications held

    11

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Certifications: SOC2 Type II Report ... our new SOC 2 Type II and HIPAA compliance reports are also finalized and ready!

    Verify on trust.typeform.com
    ISO/IEC 27001:2022
    HELD

    Compliance: SOC 2, ISO/IEC 42001:2023, ISO 27001:2022, ISO 27017:2015, ISO 27018:2019 ... ISO 27001 Certificate

    Verify on trust.typeform.com
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    Typeform has achieved ISO/IEC 42001 certification - the international standard for AI Management Systems ... independent, third-party validation

    Verify on trust.typeform.com
    ISO/IEC 27017:2015
    HELD

    We have successfully completed our scheduled surveillance audit for ISO/IEC 27001, 27017, and 27018.

    Verify on trust.typeform.com
    ISO/IEC 27018:2019
    HELD

    We have successfully completed our scheduled surveillance audit for ISO/IEC 27001, 27017, and 27018.

    Verify on trust.typeform.com
    HIPAA
    HELD

    our new SOC 2 Type II and HIPAA compliance reports are also finalized and ready! ... HIPAA Report

    Verify on trust.typeform.com
    PCI DSS 4.0.1 (Service Provider + Merchant)
    HELD

    Compliance: ... PCI DSS 4.0.1 Service Provider ... PCI DSS 4.0.1 Merchant

    Verify on trust.typeform.com
    CSA STAR Level 1
    HELD

    we have successfully renewed our CSA STAR Level 1 certification! ... our CAIQ is also available here on our Trust Center

    Verify on trust.typeform.com
    GDPR
    HELD

    Compliance: ... GDPR ... CCPA COMPLIANT

    Verify on trust.typeform.com
    CCPA
    HELD

    Compliance: ... CCPA COMPLIANT

    Verify on trust.typeform.com
    HECVAT 4.1.1 (higher-ed vendor assessment)
    HELD

    Typeform has completed and uploaded the Higher Education Community Vendor Assessment Toolkit (HECVAT) ... You can access the HECVAT now on our Trust Center.

    Verify on trust.typeform.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US by default; EU data residency available for EU-hosting customers (subprocessors AWS and Okta noted as 'US / EU (for EU hosting customers)'; Salesforce EU). US and EU data centers.

    Typeform states none of its customers' data is used to train any model regardless of the underlying provider. AI features run on private model copies (including Anthropic and others) so respondent data is not sent to providers for training; for some analysis features only the form's questions and answer choices (not respondent answers) are sent, and PII is excluded. ISO/IEC 42001 certification provides independent validation of its AI governance. Verified via Typeform's AI FAQ summary (help center page returned 403 to automated fetch, so the no-training claim is corroborated but not captured as a verbatim on-domain quote).

    // Security controls

    Encryption

    Data encryption utilized (control listed under Product security on Trust Center); admin-security page references encryption controls. Standard TLS in transit / encryption at rest for a platform at this maturity.

    trust.typeform.com

    Penetration testing

    Yes - 'Penetration testing performed' control listed; a Penetration Test report is available under Trust Center Additional Resources.

    trust.typeform.com

    MFA / access control

    Remote access MFA enforced; unique account and network authentication enforced (Infrastructure security controls).

    trust.typeform.com

    Vulnerability disclosure

    Dedicated security vulnerability reporting program via help center ('How to report a security vulnerability to Typeform'). A formal public bug-bounty platform (HackerOne/Bugcrowd) is not confirmed from Typeform's own domain; treat as VDP confirmed, paid bug-bounty platform unverified.

    help.typeform.com

    Business continuity / DR

    Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained.

    trust.typeform.com

    Subprocessors

    Published list: AWS (cloud infra + AI features, US/EU), Okta (identity, US/EU), Salesforce (CRM, EU), Snowflake (data warehouse, US).

    trust.typeform.com

    // Products & data scope

    Intelligent Forms (core Typeform)AI forms & surveys

    data: Collects respondent/zero-party data; AI builds forms and runs topic/sentiment analysis. Customer + response data stored US or EU.

    Core product; 48M+ responses/month. AI analysis runs on private model copies, not used for training.

    Growth FlowAI automation / lead enrichment

    data: Enriches lead/customer data, builds segments, triggers email/SMS follow-ups; integrates Stripe, PayPal, Calendly, Google Calendar. Broader PII and payment-adjacent data flows.

    Newer module; data enrichment expands data scope beyond form responses - reviewers handling regulated data should scope this separately.

    Research FlowAI-moderated research

    data: Runs AI-moderated text/video/voice interviews at scale, recruits verified panels, captures voice/video and incentive/payment data.

    Newer module; voice/video capture and panel recruitment add biometric-adjacent and respondent-PII considerations.

    Developer API & embedsAPI / integrations

    data: REST API and embeds for programmatic form/response access under Developer Terms and Conditions.

    Governed by separate Developer Terms; same underlying compliance posture.

    // What to watch

    • AI no-training claim is well-corroborated (search summary of Typeform AI FAQ + ISO 42001 cert) but the help-center FAQ page returned HTTP 403 to automated fetch, so it was not captured as a verbatim on-domain quote.
    • Vulnerability disclosure program confirmed on Typeform's domain, but a paid public bug-bounty platform (HackerOne/Bugcrowd) could not be confirmed from a first-party source.
    • Privacy Policy and DPA live behind a Trust Center document selector (admin.typeform.com/to/dwk6gt) rather than a static URL.
    • Newer Growth Flow and Research Flow modules expand data scope (enrichment, voice/video, payments); compliance reports cover the platform but per-module scoping is advisable for regulated buyers.

    // At a glance

    Pricing model

    Freemium SaaS with paid Basic/Plus/Business tiers plus custom Enterprise plans (free 'Get started' tier advertised).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Typeform's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.typeform.com

    > Browse all vendor trust reports