// Trust & Security Report

    Unbounce Marketing Solutions Inc. logo

    Unbounce Marketing Solutions Inc.

    Unbounce landing page builder and conversion-rate optimization (CRO) platform (drag-and-drop builder, AI-assisted "Smart Copy" writing, A/B testing, "Smart Traffic" AI optimization); parent company of Insightly CRM (acquired July 2024), which is marketed and compliance-documented as a separate product/brand.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS
    HELD

    "Unbounce is a PCI Level 4 Merchant and has successfully completed all SAQ A-EP requirements." Note: PCI Level 4 / SAQ A-EP is a self-assessment tier for lower-volume merchants, not a full PCI DSS Level 1 service-provider attestation; full cardholder data is handled by a separate 'Level 1 PCI-DSS compliant payment processor,' not Unbounce directly.

    Verify on unbounce.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1)
    NOT CONFIRMED

    Contradictory vendor-domain evidence: unbounce.com/product/security/ states 'Unbounce is SOC 2 Type 1 certified, validating our internal controls...' but the more detailed unbounce.com/security/ page, which itemizes Unbounce's actual compliance posture, does not mention SOC 2 anywhere and states 'Any compliance certification not listed here is assumed to not be present or in use at Unbounce.' No SOC 2 report, auditor name, or trust-center corroboration (Vanta/Drata/SafeBase) could be found. Treated as unconfirmed pending vendor clarification.

    source: unbounce.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of a SOC 2 Type 2 report; only a marketing-page reference to 'Type 1' exists, and that reference is itself contradicted elsewhere on the same domain (see SOC 2 Type 1 entry).

    source: unbounce.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not mentioned on unbounce.com/security/, unbounce.com/product/security/, or the GDPR page. The security page's explicit disclaimer ('Any compliance certification not listed here is assumed to not be present') further confirms absence.

    source: unbounce.com
    HIPAA
    NOT CONFIRMED

    No public evidence Unbounce (the landing page product) is HIPAA compliant or offers a BAA. Note: search results surfaced a HIPAA-compliance claim from 'Insightly, an Unbounce company' (a separate CRM product Unbounce acquired in July 2024) -- that claim belongs to a different product/brand and does not extend to the core Unbounce landing-page platform being assessed here.

    source: unbounce.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence of any AI-governance certification. Not referenced on any Unbounce security, product, or privacy page found.

    source: unbounce.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not referenced on any vendor page reviewed.

    source: unbounce.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not referenced on any vendor page reviewed; Unbounce is a mid-market marketing SaaS product with no public government/federal offering.

    source: unbounce.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Lead/form Data: hosted in Frankfurt, Germany (moved to the EU specifically to support GDPR compliance for EU-based leads). Application infrastructure: AWS, with content delivery via data centers in California, Northern Virginia, Ireland, Singapore, and Frankfurt for performance. Broader personal data 'may be stored and processed in any country where we have facilities or in which we engage Third-Party service providers.'

    No explicit statement on either the privacy policy or terms of service confirming or denying use of customer content/data to train AI/ML models. The Terms of Service grant Unbounce a broad non-exclusive, perpetual, sublicensable license to use 'User Content' to operate the service, and reserve rights to create and use 'Aggregate Data' (anonymized/scrubbed) for internal use and third-party sharing. A separate clause on 'Content through Artificial Intelligence and Machine Learning software/tools' only disclaims Unbounce's liability for third-party AI-generated output (relevant to the Smart Copy AI writing feature) rather than stating whether Unbounce or its AI sub-processors train models on customer data. No opt-out mechanism for AI features was found. Given the absence of a clear policy either way, this should be treated as unconfirmed rather than assumed safe.

    // Security controls

    Encryption in transit

    All communication between customer browser and the Unbounce app, and all Unbounce landing pages, are encrypted via industry-standard SSL/HTTPS.

    unbounce.com

    Encryption at rest

    Data is classified by sensitivity level; the most sensitive data is encrypted at rest.

    unbounce.com

    Hosting infrastructure

    All application services hosted on AWS within a private virtual network (VPC); stateless, short-lived, immutable systems architecture.

    unbounce.com

    Authentication

    Two-factor authentication (2FA) available on every plan; single sign-on (SSO) offered; auto session timeouts and password security controls.

    unbounce.com

    Access control

    Policies restrict customer-data access to authorized employees only, granted case-by-case based on business need.

    unbounce.com

    Logging & monitoring

    Centralized, write-only logging retained 1 year per PCI policy; external third-party penetration testing performed; protections against SQL injection, XSS, CSRF.

    unbounce.com

    Backups

    Daily customer data backups with regular restoration testing; soft-delete retains deleted data in backups for approximately 2 weeks.

    unbounce.com

    Payment data handling

    Full credit card data passes directly between customer browser and a Level 1 PCI-DSS compliant payment processor; never sent to or accessible by Unbounce.

    unbounce.com

    Uptime

    99.96% uptime guarantee, backed by geographically distributed servers.

    unbounce.com

    Sub-processor transparency

    Published sub-processor list available as a PDF; DPAs signed with sub-processors.

    unbounce.com

    // Products & data scope

    Unbounce (landing page builder / CRO platform)Marketing / landing page builder with AI copywriting and AI traffic optimization

    data: Landing page content, visitor/lead form data (names, emails, custom fields), A/B test analytics, integration data with connected marketing/CRM tools.

    Primary product assessed in this file. Lead data is EU-hosted (Frankfurt) specifically for GDPR posture; broader account data may be processed globally. AI features (Smart Copy, Smart Traffic) exist but no explicit customer-data-training policy is published.

    Insightly (CRM, acquired by Unbounce July 2024)CRM / sales pipeline management

    data: Full customer/contact records, sales pipeline, project data.

    Operates as a distinct brand ('Insightly, an Unbounce company') with its own marketing claims, including a HIPAA-compliance claim on Insightly's own channels. That claim is specific to Insightly and should NOT be applied to the core Unbounce landing-page product without independent verification against Insightly's own trust/security pages.

    // What to watch

    • Direct contradiction on unbounce.com's own domain: /product/security/ claims 'SOC 2 Type 1 certified' while the more detailed /security/ page omits SOC 2 entirely and states any certification not listed there should be assumed absent. No independent SOC 2 report, auditor, or trust-center evidence was found to resolve this. Recommend NOT displaying SOC 2 as held until the vendor confirms/produces a report.
    • Identity-conflation risk: a HIPAA-compliance claim found in search results belongs to 'Insightly, an Unbounce company' (a CRM Unbounce acquired in July 2024), not to the core Unbounce landing-page product. Do not apply Insightly's compliance claims to Unbounce's listing.
    • No public evidence of ISO 27001, HIPAA, ISO 42001, CSA STAR, or FedRAMP; vendor's own security page explicitly disclaims any certification not listed there, which supports treating these as genuinely absent rather than an evidence-capture gap.
    • No clear, published statement on whether customer content/data is used to train Unbounce's AI features (Smart Copy, Smart Traffic) or third-party AI providers behind them, and no AI-specific opt-out was found.
    • DPA is available on request via email rather than self-serve download, and the sub-processor list is a static PDF (dated Sep 26, 2024) rather than a live, continuously updated trust center.

    // At a glance

    Pricing model

    Tiered SaaS subscription (Build / Launch / more advanced agency and enterprise plans), with feature gating (e.g., audit logs, SSO reserved for higher/Enterprise tiers).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Unbounce Marketing Solutions Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    unbounce.com

    > Browse all vendor trust reports