// Trust & Security Report
Unbounce Marketing Solutions Inc.
Unbounce landing page builder and conversion-rate optimization (CRO) platform (drag-and-drop builder, AI-assisted "Smart Copy" writing, A/B testing, "Smart Traffic" AI optimization); parent company of Insightly CRM (acquired July 2024), which is marketed and compliance-documented as a separate product/brand.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on unbounce.com“"Unbounce is a PCI Level 4 Merchant and has successfully completed all SAQ A-EP requirements." Note: PCI Level 4 / SAQ A-EP is a self-assessment tier for lower-volume merchants, not a full PCI DSS Level 1 service-provider attestation; full cardholder data is handled by a separate 'Level 1 PCI-DSS compliant payment processor,' not Unbounce directly.”
> Show 7 unconfirmed / not-held certifications
source: unbounce.comContradictory vendor-domain evidence: unbounce.com/product/security/ states 'Unbounce is SOC 2 Type 1 certified, validating our internal controls...' but the more detailed unbounce.com/security/ page, which itemizes Unbounce's actual compliance posture, does not mention SOC 2 anywhere and states 'Any compliance certification not listed here is assumed to not be present or in use at Unbounce.' No SOC 2 report, auditor name, or trust-center corroboration (Vanta/Drata/SafeBase) could be found. Treated as unconfirmed pending vendor clarification.
source: unbounce.comNo public evidence of a SOC 2 Type 2 report; only a marketing-page reference to 'Type 1' exists, and that reference is itself contradicted elsewhere on the same domain (see SOC 2 Type 1 entry).
source: unbounce.comNo public evidence. Not mentioned on unbounce.com/security/, unbounce.com/product/security/, or the GDPR page. The security page's explicit disclaimer ('Any compliance certification not listed here is assumed to not be present') further confirms absence.
source: unbounce.comNo public evidence Unbounce (the landing page product) is HIPAA compliant or offers a BAA. Note: search results surfaced a HIPAA-compliance claim from 'Insightly, an Unbounce company' (a separate CRM product Unbounce acquired in July 2024) -- that claim belongs to a different product/brand and does not extend to the core Unbounce landing-page platform being assessed here.
source: unbounce.comNo public evidence of any AI-governance certification. Not referenced on any Unbounce security, product, or privacy page found.
source: unbounce.comNo public evidence. Not referenced on any vendor page reviewed.
source: unbounce.comNo public evidence. Not referenced on any vendor page reviewed; Unbounce is a mid-market marketing SaaS product with no public government/federal offering.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Lead/form Data: hosted in Frankfurt, Germany (moved to the EU specifically to support GDPR compliance for EU-based leads). Application infrastructure: AWS, with content delivery via data centers in California, Northern Virginia, Ireland, Singapore, and Frankfurt for performance. Broader personal data 'may be stored and processed in any country where we have facilities or in which we engage Third-Party service providers.'
No explicit statement on either the privacy policy or terms of service confirming or denying use of customer content/data to train AI/ML models. The Terms of Service grant Unbounce a broad non-exclusive, perpetual, sublicensable license to use 'User Content' to operate the service, and reserve rights to create and use 'Aggregate Data' (anonymized/scrubbed) for internal use and third-party sharing. A separate clause on 'Content through Artificial Intelligence and Machine Learning software/tools' only disclaims Unbounce's liability for third-party AI-generated output (relevant to the Smart Copy AI writing feature) rather than stating whether Unbounce or its AI sub-processors train models on customer data. No opt-out mechanism for AI features was found. Given the absence of a clear policy either way, this should be treated as unconfirmed rather than assumed safe.
// Security controls
Encryption in transit
All communication between customer browser and the Unbounce app, and all Unbounce landing pages, are encrypted via industry-standard SSL/HTTPS.
unbounce.comEncryption at rest
Data is classified by sensitivity level; the most sensitive data is encrypted at rest.
unbounce.comHosting infrastructure
All application services hosted on AWS within a private virtual network (VPC); stateless, short-lived, immutable systems architecture.
unbounce.comAuthentication
Two-factor authentication (2FA) available on every plan; single sign-on (SSO) offered; auto session timeouts and password security controls.
unbounce.comAccess control
Policies restrict customer-data access to authorized employees only, granted case-by-case based on business need.
unbounce.comLogging & monitoring
Centralized, write-only logging retained 1 year per PCI policy; external third-party penetration testing performed; protections against SQL injection, XSS, CSRF.
unbounce.comBackups
Daily customer data backups with regular restoration testing; soft-delete retains deleted data in backups for approximately 2 weeks.
unbounce.comPayment data handling
Full credit card data passes directly between customer browser and a Level 1 PCI-DSS compliant payment processor; never sent to or accessible by Unbounce.
unbounce.comSub-processor transparency
Published sub-processor list available as a PDF; DPAs signed with sub-processors.
unbounce.com// Products & data scope
data: Landing page content, visitor/lead form data (names, emails, custom fields), A/B test analytics, integration data with connected marketing/CRM tools.
Primary product assessed in this file. Lead data is EU-hosted (Frankfurt) specifically for GDPR posture; broader account data may be processed globally. AI features (Smart Copy, Smart Traffic) exist but no explicit customer-data-training policy is published.
data: Full customer/contact records, sales pipeline, project data.
Operates as a distinct brand ('Insightly, an Unbounce company') with its own marketing claims, including a HIPAA-compliance claim on Insightly's own channels. That claim is specific to Insightly and should NOT be applied to the core Unbounce landing-page product without independent verification against Insightly's own trust/security pages.
// What to watch
- Direct contradiction on unbounce.com's own domain: /product/security/ claims 'SOC 2 Type 1 certified' while the more detailed /security/ page omits SOC 2 entirely and states any certification not listed there should be assumed absent. No independent SOC 2 report, auditor, or trust-center evidence was found to resolve this. Recommend NOT displaying SOC 2 as held until the vendor confirms/produces a report.
- Identity-conflation risk: a HIPAA-compliance claim found in search results belongs to 'Insightly, an Unbounce company' (a CRM Unbounce acquired in July 2024), not to the core Unbounce landing-page product. Do not apply Insightly's compliance claims to Unbounce's listing.
- No public evidence of ISO 27001, HIPAA, ISO 42001, CSA STAR, or FedRAMP; vendor's own security page explicitly disclaims any certification not listed there, which supports treating these as genuinely absent rather than an evidence-capture gap.
- No clear, published statement on whether customer content/data is used to train Unbounce's AI features (Smart Copy, Smart Traffic) or third-party AI providers behind them, and no AI-specific opt-out was found.
- DPA is available on request via email rather than self-serve download, and the sub-processor list is a static PDF (dated Sep 26, 2024) rather than a live, continuously updated trust center.
// At a glance
Pricing model
Tiered SaaS subscription (Build / Launch / more advanced agency and enterprise plans), with feature gating (e.g., audit logs, SSO reserved for higher/Enterprise tiers).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Unbounce Marketing Solutions Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
unbounce.com