// Trust & Security Report

    Vercel Inc. logo

    Vercel Inc.

    AI-powered prompt-to-app builder that generates full-stack web apps, UI components, and design systems from natural language, with one-click deploy to Vercel. Sub-products: v0 Hobby (free), v0 Pro/Team, v0 Enterprise, v0 API (model access via AI Gateway), and v0 for Students. v0 is a first-party Vercel product, not a separately incorporated company.

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    v0 is included in Vercel's SOC 2 Type 2 attestation for Security, Confidentiality, and Availability

    Verify on v0.app
    ISO 27001:2022
    HELD

    Vercel is ISO 27001:2022 certified. Our certificate is available here.

    Verify on vercel.com
    GDPR (compliance posture)
    HELD

    Vercel supports GDPR compliance, which means that we commit to the following: Implement and maintain appropriate technical and organizational security measures surrounding customer data ... Rely on the EU Standard Contractual Clauses and the UK Addendum as valid data transfer mechanisms when transferring personal data outside the EEA

    Verify on vercel.com
    EU-U.S. Data Privacy Framework
    HELD

    Vercel is certified under the EU-U.S. Data Privacy Framework. To view our public listing, visit the Data Privacy Framework website.

    Verify on vercel.com
    TISAX (AL2)
    HELD

    Vercel has achieved TISAX Assessment Level 2 (AL2), which covers requirements for handling information with a high need for protection.

    Verify on vercel.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Vercel supports HIPAA compliance as a business associate ... Signing Business Associate Agreements (BAAs) with eligible Pro and Enterprise customers. This is stated at the parent-platform level (vercel.com/docs/security/compliance); v0's own security page (v0.app/docs/security) does not mention HIPAA, BAAs, or PHI handling at all, so HIPAA coverage for v0 specifically is not confirmed.

    source: vercel.com
    PCI DSS
    NOT CONFIRMED

    Vercel serves as a service provider to customers who process payment and cardholder data ... Customers should select an appropriate payment gateway provider to integrate an iframe into their application. PCI DSS at Vercel concerns payment-processing traffic hosted on the platform; v0 itself (an AI code-generation chat product) does not process cardholder data, so PCI DSS is not applicable to v0's own product surface.

    source: vercel.com
    ISO/IEC 27701
    NOT CONFIRMED

    No public evidence; not listed among Vercel's certifications on its own compliance page or trust center as of verification.

    source: security.vercel.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence; not listed on Vercel's Trust Center or compliance page as of verification.

    source: security.vercel.com
    CSA STAR
    NOT CONFIRMED

    No public evidence; not listed on Vercel's Trust Center as of verification.

    source: security.vercel.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; not listed on Vercel's Trust Center or compliance page as of verification.

    source: security.vercel.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Vercel's default function region is the U.S. with dozens of additional regions available for customer-deployed apps; this describes the general Vercel platform, not v0 chat/session data specifically, which is not separately documented for regional residency. Data may be transferred to/processed in the U.S. and other countries where Vercel or its sub-processors operate, per the DPA.

    Training posture is tier-dependent and changed with Vercel's AI Policy (v0.app/policy) plus the v0 Enterprise Addendum. Hobby and trial-Pro users are trained on BY DEFAULT unless they opt out ('on a Hobby plan or a trial Pro plan, and have opted out of Model Training ... we will not use or share the content'). Paid Pro users are the opposite: NOT trained on by default unless they actively opt in ('on a paid Pro plan and have not opted in to Model Training ... we will not use or share the content'). Enterprise customers are never trained on: 'we do not use or share data from Enterprise plan customers for Model Training,' reinforced contractually in the v0 Enterprise Addendum ('Vercel represents and warrants that it shall not use Customer Content to train its or third party LLM providers' models for the AI Solution, except with Customer's consent'). AIFOXX listing should surface the Hobby/trial-Pro default-in vs paid-Pro default-out distinction; it is easy for a user to assume all paid usage is training-free when only Enterprise guarantees that unconditionally.

    // Security controls

    Encryption in transit

    HTTPS/TLS 1.3

    vercel.com

    Encryption at rest

    AES-256 for data at rest

    vercel.com

    Code execution isolation

    v0-generated code is treated as potentially incorrect or adversarial; runs in sandboxed, isolated containers with resource limits and controlled network access when deployed on Vercel Functions

    v0.app

    Enterprise access controls

    SAML-based SSO, role-based access control, and comprehensive audit logging available on v0 Enterprise

    v0.app

    Data isolation (Enterprise)

    Enterprise customer data is isolated on separate infrastructure with no cross-contamination between customers

    v0.app

    Backups

    Customer data backed up every 2 hours, retained 30 days, globally replicated; backups are for Vercel's own disaster recovery and not customer-restorable

    vercel.com

    Penetration testing

    Regular third-party penetration testing plus daily code reviews and static analysis checks

    vercel.com

    Vulnerability disclosure

    Security issues reportable to security@vercel.com

    v0.app

    // Products & data scope

    v0 Hobby (Free)Consumer / individual AI app builder

    data: Prompts, generated code, uploaded files/attachments

    Trained on by default for Model Training unless the user opts out; no SSO, no BAA, no dedicated compliance guarantees

    v0 Pro / TeamPaid AI app builder for individuals and small teams

    data: Same as Hobby plus team workspace content

    Default is NOT trained on unless the user opts in; included in Vercel's SOC 2 Type II scope; HIPAA/BAA not documented at this tier

    v0 EnterpriseEnterprise AI app builder

    data: Same as Pro plus SSO/audit-log metadata

    Never trained on (contractual warranty); SSO, RBAC, audit logs, isolated infrastructure; HIPAA BAA not explicitly documented for v0 (unlike core Vercel platform, which does offer BAAs to eligible Pro/Enterprise customers)

    v0 APIProgrammatic model access via Vercel AI Gateway

    data: API prompts/completions routed through AI Gateway

    AI Gateway offers 'Disallow Prompt Training' and Zero Data Retention (ZDR) routing options; does not apply to BYOK (Bring Your Own Key) requests

    v0 for StudentsFree/discounted tier for students

    data: Same as Hobby

    No distinct compliance posture documented beyond Hobby-tier defaults

    // What to watch

    • HIPAA ambiguity: Vercel's core platform compliance page documents BAAs for eligible Pro/Enterprise customers, but v0's own security page (v0.app/docs/security) makes no mention of HIPAA, PHI, or BAAs at all. Do not list HIPAA as covering v0 without a direct vendor confirmation for the v0 product specifically.
    • Model-training default flips by tier and is easy to misread: Hobby/trial-Pro is opt-OUT (trained on by default), paid Pro is opt-IN (not trained on by default), Enterprise is never trained on. A listing that simply says 'no training on customer data' would overstate protection for Hobby and default paid-Pro users who have not changed their setting.
    • ISO 27001:2022 and SOC 2 Type II certifications are issued at the Vercel company/platform level; only the SOC 2 attestation is explicitly confirmed by name to include v0 ('v0 is included in Vercel's SOC 2 Type 2 attestation'). The ISO 27001 page does not separately name v0, though it is reasonable to treat it as covering the same shared infrastructure v0 runs on.
    • PCI DSS and FedRAMP appear on Vercel's general compliance materials/trust center in the context of the hosting platform and payment iframe integrations for customer-deployed apps; neither is applicable to v0's own AI chat/build product surface and should not be shown as a v0-specific credential.

    // At a glance

    Pricing model

    Freemium (Hobby) + paid subscription (Pro/Team) + custom-quoted Enterprise + usage-based credits for v0 API

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Vercel Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.vercel.com

    > Browse all vendor trust reports