// Trust & Security Report

    Vercel, Inc. logo

    Vercel, Inc.

    Vercel Platform (Hobby/Pro/Enterprise hosting and CI-CD), v0 (AI code and design generation), AI Gateway, Vercel Secure Compute

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Vercel has a SOC 2 Type 2 attestation for Security, Confidentiality, and Availability.

    Verify on vercel.com
    ISO 27001:2022
    HELD

    Vercel is ISO 27001:2022 certified. Our certificate is available here (Schellman certificate directory, certificate number 1868222-1).

    Verify on vercel.com
    PCI DSS v4.0
    HELD

    Vercel provides both a Self-Assessment Questionnaire D (SAQ-D) Attestation of Compliance (AOC) for service providers and a Self-Assessment Questionnaire A (SAQ-A) Attestation of Compliance (AOC) for merchants under PCI DSS v4.0.

    Verify on vercel.com
    HIPAA Business Associate
    HELD

    Vercel supports HIPAA compliance as a business associate by committing to: Implementing and maintaining appropriate technical and organizational security measures designed to safeguard a customer's Protected Health Information (PHI); Notifying customers of any data breaches without undue delay; Signing Business Associate Agreements (BAAs) with eligible Pro and Enterprise customers.

    Verify on vercel.com
    GDPR
    HELD

    Vercel supports GDPR compliance, which means that we commit to: Implement and maintain appropriate technical and organizational security measures surrounding customer data; Notify our customers without undue delay of any data breaches; Impose similar data protection obligations on our sub-processors as we do for ourselves.

    Verify on vercel.com
    EU-U.S. Data Privacy Framework (DPF)
    HELD

    Vercel is certified under the EU-U.S. Data Privacy Framework. To view our public listing, visit the Data Privacy Framework website.

    Verify on vercel.com
    TISAX AL2
    HELD

    Vercel has achieved TISAX Assessment Level 2 (AL2), which covers requirements for handling information with a high need for protection.

    Verify on vercel.com
    CCPA/CPRA
    HELD

    Applicable Data Protection Laws means all applicable privacy and data protection laws and regulations including...the California Consumer Privacy Act of 2018 (CCPA).

    Verify on vercel.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primary US (AWS); customer can select from 20+ global AWS regions for function deployment. No single-region hard geo-fence on Hobby or Pro plans without Secure Compute add-on. Enterprise Secure Compute enables private isolated environments with dedicated IPs.

    Training behavior is plan-dependent and applies to AI products (v0, AI Gateway), not to core hosting. Hobby plan: opted in by default with self-serve opt-out in Team Settings. Pro plan: opted out by default with self-serve opt-in. Enterprise plan: opted out by default with contractual non-training guarantee ('Vercel represents and warrants that it will not use v0 Customer Content to train its or its third-party AI providers' models or to improve the AI Products and Services, except with your consent'). AI Gateway offers team-wide Zero Data Retention (ZDR) for Pro and Enterprise teams. 'Stealth Models' are explicitly excluded from all standard content protections per AI Product Terms.

    // Security controls

    Bug Bounty Program

    HackerOne: two programs. vercel-open-source covers OSS projects (Next.js, Turborepo, Nuxt); vercel_platform_protection covers the Vercel platform. Rewards based on CVSS 4.0 severity and real-world impact. Responsible disclosure email: responsible-disclosure@vercel.com.

    hackerone.com

    Penetration Testing

    Regular third-party penetration testing conducted. Also daily code reviews and static analysis checks.

    vercel.com

    Encryption at Rest

    AES-256

    vercel.com

    Encryption in Transit

    HTTPS/TLS 1.3

    vercel.com

    WAF

    Built-in Vercel WAF with OWASP Top 10 managed rulesets, custom rules, rate limiting, L3/L4 and L7 DDoS mitigation, bot management (including optional block of AI scrapers). Global propagation of rule changes in under 300ms.

    vercel.com

    DDoS Protection

    Automatic L3/L4 and L7 DDoS mitigation included for all plans at no additional cost.

    vercel.com

    Data Backup

    Automated backups every 2 hours, retained 30 days, globally replicated. Backups are not directly accessible to customers and are intended for infrastructure disaster recovery.

    vercel.com

    Access Control

    Role-based access control (all plans). Audit Logs (Enterprise only). Directory Sync and SAML SSO (Enterprise only). Deployment Protection with fine-grained access control.

    vercel.com

    Infrastructure

    AWS with 20+ global regions, Anycast network, AWS Global Accelerator, multi-AZ redundancy by default for Vercel Functions. IAM-controlled production access. IaC-managed change control.

    vercel.com

    SOC 2 Audit Cadence

    At least annually by independent third-party security auditors. Most recent Audit Report available to customers on request under confidentiality controls.

    vercel.com

    // Products & data scope

    Vercel Platform (Hobby)Cloud hosting / CI-CD

    data: Source code, build artifacts, deployment logs, domain data. AI product training opted in by default for AI features; self-serve opt-out available. No BAA, no enterprise security controls.

    Free tier. Not suitable for HIPAA or regulated data. DDoS and WAF protection included.

    Vercel Platform (Pro)Cloud hosting / CI-CD

    data: Same as Hobby plus team collaboration. AI training opted out by default (self-serve opt-in). BAA available for HIPAA workloads. DPA applies.

    Zero Data Retention on AI Gateway available. Team-level security controls. BAA requires contacting Vercel sales.

    Vercel Platform (Enterprise)Cloud hosting / CI-CD

    data: Isolated build infrastructure, full DPA coverage, contractual AI non-training guarantee. BAA, SAML SSO, audit logs, directory sync, Secure Compute available.

    Highest compliance tier. SOC 2, ISO 27001, PCI DSS, HIPAA, TISAX documentation available via trust center. Secure Compute enables private/isolated cloud environments.

    v0AI code and design generation

    data: User prompts, uploaded images, generated code and design outputs. Enterprise: contractual non-training guarantee on customer content. Hobby/Pro: content subject to data license under Terms of Service Section 3 (training possible).

    Enterprise Addendum available. 'Stealth Models' explicitly excluded from standard content protections. Consumer/team product distinct from core platform.

    Vercel AI GatewayAI model routing and inference infrastructure

    data: API requests routed to third-party AI models (Cerebras, Groq, Baseten, etc.). Zero Data Retention (ZDR) available for Pro and Enterprise: no prompt logging or model training. Default tiers may log requests.

    ZDR is a team-wide setting requiring no per-request code changes. Third-party AI provider subprocessors listed at security.vercel.com.

    Vercel Secure ComputePrivate cloud / isolated infrastructure

    data: Enterprise-only. Private isolated cloud environments, dedicated outgoing IPs, VPC peering, VPN support. HIPAA-eligible add-on.

    Required for strict data residency or HIPAA workloads that need network isolation. Built on AWS infrastructure.

    // What to watch

    • AI training opt-in/opt-out behavior differs by plan tier: Hobby is opt-in by default; verify plan before deploying sensitive or proprietary workloads through AI products.
    • HIPAA BAA requires Pro or Enterprise plan and explicit agreement with Vercel; Hobby is not HIPAA-eligible.
    • v0 Stealth Models are explicitly excluded from standard content protections per the AI Product Terms; review before using in regulated contexts.
    • Trust center (security.vercel.com) requires login to download compliance reports (SOC 2 audit report, ISO certificate, PCI AOC); public summary pages are freely accessible.
    • Data residency: no hard geo-fencing on Hobby or Pro plans without Secure Compute; enterprise workloads needing regional isolation must use Secure Compute.

    // At a glance

    Pricing model

    Freemium: Hobby (free), Pro (~$20 per user/month), Enterprise (custom contract). AI Gateway, AI products, Secure Compute, and Sandboxes have separate usage-based pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Vercel, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.vercel.com

    > Browse all vendor trust reports