// Trust & Security Report
Weights & Biases, LLC (a CoreWeave company)
AI developer platform for building, training, and evaluating AI models and agents. Core products: W&B Models (experiment tracking, sweeps, artifacts), W&B Weave (LLM/agent tracing, evaluations, guardrails, online evaluation), W&B Registry (models/datasets/prompts registry), W&B Training/Fine-tuning and Serverless Inference, W&B Core (reports, automations, SDK, Skills/MCP server for agents). Deployment options: multi-tenant SaaS, Dedicated Cloud, and customer-managed/on-prem. Acquired by CoreWeave, Inc. (completed May 2025); trust/compliance portal now lives on coreweave.com.
Certifications held
6
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on wandb.ai“Weights & Biases AI development platform is certified under ISO/IEC 27001:2022, ISO/IEC 27017:2015, and ISO/IEC 27018:2019, and is compliant with SOC 2 and HIPAA standards.”
Verify on wandb.ai“We are certified under ISO/IEC 27001:2022, ISO/IEC 27017:2015, and ISO/IEC 27018:2019, and remain compliant with SOC 2 Type 2 and HIPAA standards.”
Verify on wandb.ai“Certified under ISO/IEC 27001:2022, ISO/IEC 27017:2015, and ISO/IEC 27018:2019.”
Verify on wandb.ai“Certified under ISO/IEC 27001:2022, ISO/IEC 27017:2015, and ISO/IEC 27018:2019.”
Verify on wandb.ai“...remain compliant with SOC 2 Type 2 and HIPAA standards. A BAA (Business Associate Agreement) applies to Enterprise Customers when included in their Order Form.”
Verify on wandb.ai“Applicable Data Protection Laws include European Data Protection Laws, UK GDPR and the CCPA. Weights & Biases processes all Personal Data in conformity with appropriate administrative, technical, physical and procedural security measures; the DPA incorporates EU Standard Contractual Clauses (Module Two Controller-to-Processor and Module Three Processor-to-Processor) and UK IDTA for international transfers.”
> Show 5 unconfirmed / not-held certifications
source: wandb.ai"Our platform also helps customers comply with NIST 800-53" — this is described as a support capability for customers' own compliance, not an independent certification held by W&B. No public evidence of a formal NIST 800-53 authorization or assessment for W&B itself.
source: wandb.aiNo public evidence. The site states W&B "supports customer managed deployments or federal agencies to use the cloud provider of their choice, such as AWS GovCloud," which is a deployment option, not a FedRAMP authorization.
source: wandb.aiNo public evidence of PCI DSS on any wandb.ai or coreweave.com trust/security page (not applicable to this product category, which does not process cardholder data).
source: coreweave.comNo public evidence. Not listed on wandb.ai/site/security or on CoreWeave's trust center (coreweave.com/trust, which lists only SOC 2, ISO 27001, ISO 27017, ISO 27018 badges).
source: wandb.aiNo public evidence of CSA STAR registration or certification on vendor-domain pages.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Default multi-tenant SaaS data is hosted in Google Cloud ('All your data is hosted in our Google Cloud instance' per wandb.ai/site/data/). Dedicated Cloud and customer-managed/on-prem deployments are available for enterprise customers wanting data residency control, including AWS GovCloud for U.S. federal use cases.
W&B's own Terms of Service (Section 4(a)) state: 'Customer grants W&B the right to use Customer Data to (i) provide and improve the W&B Assets, (ii) develop new product offerings, and (iii) for the purposes of providing and improving AI Features.' No opt-out clause was found for this grant in the standard terms. Section 2(f) separately calls out that free and academic tier Customer Data may additionally be used 'for testing and development purposes,' implying paid/Enterprise data is used more narrowly (product provision/improvement and AI Features) but still without an explicit opt-out in the public terms. Enterprise customers should confirm via their Order Form/DPA whether a training-data exclusion or restrictive addendum is available; the public ToS alone does not evidence one. Following the May 2025 CoreWeave acquisition, wandb.ai's privacy policy link now redirects to CoreWeave's general privacy policy, which does not mention Weights & Biases or wandb.ai products by name.
// Security controls
Access control
Role-Based Access Controls (RBAC); private projects hidden from the public internet by default
wandb.aiData deletion
Customer data deleted within 30 days of a deletion request; artifact-level deletions retained 7 days before permanent removal
wandb.aiSubprocessors
Subprocessor list published and updated on the security/subprocessor page referenced by the DPA; customers have objection/termination rights on new subprocessors
wandb.ai// Products & data scope
data: Training metrics, hyperparameters, model artifacts, datasets logged via SDK
Original core product; multi-tenant SaaS by default, Dedicated Cloud and self-hosted/on-prem available.
data: LLM call traces, prompts, agent steps, evaluation datasets
Newer product for GenAI/agentic app development; same account-level compliance posture as Models.
data: Versioned models, datasets, prompts, and metadata
Centralized governance layer across teams.
data: Customer training data and model weights processed on CoreWeave GPU infrastructure
Post-acquisition integration with CoreWeave compute; data handling here is more tightly coupled to CoreWeave's infrastructure and compliance posture than the original SaaS product.
data: Customer-controlled infrastructure; BAA available for HIPAA workloads
Recommended tier for regulated customers (healthcare, finance, government) needing data residency control or HIPAA BAA.
// What to watch
- Trust/compliance portal moved to coreweave.com/trust following CoreWeave's May 2025 acquisition of Weights & Biases; CoreWeave's public trust page lists SOC 2, ISO 27001, ISO 27017, and ISO 27018 badges but does not explicitly name Weights & Biases or wandb.ai in scope, and does not display a HIPAA badge even though wandb.ai's own security page still claims HIPAA compliance. Procurement should request the actual SOC 2 report / HIPAA attestation and confirm wandb.ai/Weave/Models are explicitly in the audit scope, not just CoreWeave's core GPU cloud.
- wandb.ai's privacy policy link now redirects to CoreWeave's general privacy policy, which never mentions Weights & Biases or wandb.ai by name — a legacy-page vs current-owner contradiction worth flagging for identity/scope clarity.
- No explicit customer-data AI-training opt-out found in the public Terms of Service; Section 4(a) grants W&B broad rights to use Customer Data to improve AI Features and develop new offerings with no stated exclusion, and free/academic tier data is explicitly used for 'testing and development purposes.' Enterprise buyers with training-data sensitivity should negotiate this in their Order Form/DPA rather than relying on the public ToS.
- NIST 800-53 and AWS GovCommon/GovCloud claims describe support for customers' own compliance, not an independent FedRAMP/NIST authorization held by W&B itself; do not list these as vendor certifications.
// At a glance
Pricing model
Freemium (free/academic tiers) plus paid Team/Enterprise plans; contact sales for Enterprise/Dedicated pricing
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Weights & Biases, LLC (a CoreWeave company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
coreweave.com