// Trust & Security Report
Vercel Inc.
AI-powered prompt-to-app builder that generates full-stack web apps, UI components, and design systems from natural language, with one-click deploy to Vercel. Sub-products: v0 Hobby (free), v0 Pro/Team, v0 Enterprise, v0 API (model access via AI Gateway), and v0 for Students. v0 is a first-party Vercel product, not a separately incorporated company.
Certifications held
5
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on v0.app“v0 is included in Vercel's SOC 2 Type 2 attestation for Security, Confidentiality, and Availability”
Verify on vercel.com“Vercel is ISO 27001:2022 certified. Our certificate is available here.”
Verify on vercel.com“Vercel supports GDPR compliance, which means that we commit to the following: Implement and maintain appropriate technical and organizational security measures surrounding customer data ... Rely on the EU Standard Contractual Clauses and the UK Addendum as valid data transfer mechanisms when transferring personal data outside the EEA”
Verify on vercel.com“Vercel is certified under the EU-U.S. Data Privacy Framework. To view our public listing, visit the Data Privacy Framework website.”
Verify on vercel.com“Vercel has achieved TISAX Assessment Level 2 (AL2), which covers requirements for handling information with a high need for protection.”
> Show 6 unconfirmed / not-held certifications
source: vercel.comVercel supports HIPAA compliance as a business associate ... Signing Business Associate Agreements (BAAs) with eligible Pro and Enterprise customers. This is stated at the parent-platform level (vercel.com/docs/security/compliance); v0's own security page (v0.app/docs/security) does not mention HIPAA, BAAs, or PHI handling at all, so HIPAA coverage for v0 specifically is not confirmed.
source: vercel.comVercel serves as a service provider to customers who process payment and cardholder data ... Customers should select an appropriate payment gateway provider to integrate an iframe into their application. PCI DSS at Vercel concerns payment-processing traffic hosted on the platform; v0 itself (an AI code-generation chat product) does not process cardholder data, so PCI DSS is not applicable to v0's own product surface.
source: security.vercel.comNo public evidence; not listed among Vercel's certifications on its own compliance page or trust center as of verification.
source: security.vercel.comNo public evidence; not listed on Vercel's Trust Center or compliance page as of verification.
source: security.vercel.comNo public evidence; not listed on Vercel's Trust Center as of verification.
source: security.vercel.comNo public evidence; not listed on Vercel's Trust Center or compliance page as of verification.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Vercel's default function region is the U.S. with dozens of additional regions available for customer-deployed apps; this describes the general Vercel platform, not v0 chat/session data specifically, which is not separately documented for regional residency. Data may be transferred to/processed in the U.S. and other countries where Vercel or its sub-processors operate, per the DPA.
Training posture is tier-dependent and changed with Vercel's AI Policy (v0.app/policy) plus the v0 Enterprise Addendum. Hobby and trial-Pro users are trained on BY DEFAULT unless they opt out ('on a Hobby plan or a trial Pro plan, and have opted out of Model Training ... we will not use or share the content'). Paid Pro users are the opposite: NOT trained on by default unless they actively opt in ('on a paid Pro plan and have not opted in to Model Training ... we will not use or share the content'). Enterprise customers are never trained on: 'we do not use or share data from Enterprise plan customers for Model Training,' reinforced contractually in the v0 Enterprise Addendum ('Vercel represents and warrants that it shall not use Customer Content to train its or third party LLM providers' models for the AI Solution, except with Customer's consent'). AIFOXX listing should surface the Hobby/trial-Pro default-in vs paid-Pro default-out distinction; it is easy for a user to assume all paid usage is training-free when only Enterprise guarantees that unconditionally.
// Security controls
Code execution isolation
v0-generated code is treated as potentially incorrect or adversarial; runs in sandboxed, isolated containers with resource limits and controlled network access when deployed on Vercel Functions
v0.appEnterprise access controls
SAML-based SSO, role-based access control, and comprehensive audit logging available on v0 Enterprise
v0.appData isolation (Enterprise)
Enterprise customer data is isolated on separate infrastructure with no cross-contamination between customers
v0.appBackups
Customer data backed up every 2 hours, retained 30 days, globally replicated; backups are for Vercel's own disaster recovery and not customer-restorable
vercel.comPenetration testing
Regular third-party penetration testing plus daily code reviews and static analysis checks
vercel.com// Products & data scope
data: Prompts, generated code, uploaded files/attachments
Trained on by default for Model Training unless the user opts out; no SSO, no BAA, no dedicated compliance guarantees
data: Same as Hobby plus team workspace content
Default is NOT trained on unless the user opts in; included in Vercel's SOC 2 Type II scope; HIPAA/BAA not documented at this tier
data: Same as Pro plus SSO/audit-log metadata
Never trained on (contractual warranty); SSO, RBAC, audit logs, isolated infrastructure; HIPAA BAA not explicitly documented for v0 (unlike core Vercel platform, which does offer BAAs to eligible Pro/Enterprise customers)
data: API prompts/completions routed through AI Gateway
AI Gateway offers 'Disallow Prompt Training' and Zero Data Retention (ZDR) routing options; does not apply to BYOK (Bring Your Own Key) requests
data: Same as Hobby
No distinct compliance posture documented beyond Hobby-tier defaults
// What to watch
- HIPAA ambiguity: Vercel's core platform compliance page documents BAAs for eligible Pro/Enterprise customers, but v0's own security page (v0.app/docs/security) makes no mention of HIPAA, PHI, or BAAs at all. Do not list HIPAA as covering v0 without a direct vendor confirmation for the v0 product specifically.
- Model-training default flips by tier and is easy to misread: Hobby/trial-Pro is opt-OUT (trained on by default), paid Pro is opt-IN (not trained on by default), Enterprise is never trained on. A listing that simply says 'no training on customer data' would overstate protection for Hobby and default paid-Pro users who have not changed their setting.
- ISO 27001:2022 and SOC 2 Type II certifications are issued at the Vercel company/platform level; only the SOC 2 attestation is explicitly confirmed by name to include v0 ('v0 is included in Vercel's SOC 2 Type 2 attestation'). The ISO 27001 page does not separately name v0, though it is reasonable to treat it as covering the same shared infrastructure v0 runs on.
- PCI DSS and FedRAMP appear on Vercel's general compliance materials/trust center in the context of the hosting platform and payment iframe integrations for customer-deployed apps; neither is applicable to v0's own AI chat/build product surface and should not be shown as a v0-specific credential.
// At a glance
Pricing model
Freemium (Hobby) + paid subscription (Pro/Team) + custom-quoted Enterprise + usage-based credits for v0 API
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Vercel Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.vercel.com