// Trust & Security Report
Yoast B.V. (a Newfold Digital, Inc. brand)
Yoast SEO WordPress plugin (free + Premium), Yoast SEO for Shopify, Yoast WooCommerce SEO bundle, and Yoast SEO AI+ (adds AI brand-visibility monitoring across ChatGPT, Gemini, Perplexity). All are on-page/technical SEO tools; content analysis for the WordPress plugin runs client-side on the customer's own site.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on yoast.com“'Our plugin itself stores no personal data, only website data.' and 'All our websites are secured using SSL/https' and 'monitoring site security and security certificates to make sure your data is as safe and secure as possible.' Yoast documents a formal GDPR position including data-subject rights and controller/processor roles.”
> Show 8 unconfirmed / not-held certifications
source: yoast.comNo public evidence. Not mentioned on yoast.com's security program page, GDPR help page, or on parent Newfold Digital's privacy-center / information-security-policy pages, which are the only vendor-domain pages discussing security controls.
source: newfold.comNo public evidence. Not referenced on any yoast.com or newfold.com page reviewed, including Newfold's Information Security Policy which is the most detailed vendor-side security document found.
source: yoast.comNo public evidence. Yoast's AI features page and AI FAQ describe using the OpenAI API but make no certification claims; no AI-governance certification is mentioned anywhere on yoast.com or newfold.com.
source: newfold.comParent company Newfold Digital states on its own security policy page: 'As part of Newfold's compliance with the Payment Card Industry - Data Security Standard, regular security reviews are conducted on an ongoing basis.' This is Newfold's corporate/hosting-business PCI posture; the document makes no mention of Yoast by name and Yoast's own privacy notice (which redirects to Newfold's privacy center) does not separately confirm this applies to Yoast SEO purchase flows, so it is graded held=false at the product level pending explicit confirmation.
source: yoast.comNo public evidence. Yoast SEO is an SEO/content-optimization tool with no healthcare-data use case; no HIPAA mention on any vendor page reviewed.
source: yoast.comNo public evidence found; not applicable to this consumer/SMB SEO product line.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Newfold Digital's privacy notice (which yoast.com/privacy-notice/ redirects to) states personal information is transferred to, stored at, and processed in jurisdictions other than where the user lives, including the United States, and may be processed by staff in India and the Philippines.
For the WordPress plugin's core SEO analysis, Yoast states content analysis runs on the customer's own site and 'none of your content is used by Yoast off-site,' which is why Yoast says no DPA is needed for standard purchases. For the newer AI title/description generator (uses the OpenAI API), Yoast's FAQ says data is 'handled carefully following OpenAI's API data privacy and data usage policies' and explicitly advises against entering personal or confidential information; it does not itself state whether OpenAI trains on the submitted data, and does not describe an opt-out beyond disabling the AI feature entirely (Settings > Site features, or 'Revoke Consent' in the user profile). Parent Newfold's privacy notice separately states personal information via Google Workspace APIs is not used to train generalized AI/ML models, but that clause is scoped to Google Workspace integrations, not the Yoast AI feature. Net: no explicit vendor statement that Yoast/OpenAI trains models on customer content; treat as unconfirmed rather than an outright no.
// Security controls
Encryption in transit
Yoast states 'All our websites are secured using SSL/https' for GDPR and SEO reasons.
yoast.comVulnerability disclosure / bug bounty
Yoast runs a public security program: reports to security@yoast.com with reproducible steps and a CVSS score; stated response time of 3 business days to first response, 10 business days to triage, tiered bounties from $150 (Low) to $2,000 (Critical).
yoast.comContent/data processing model
The WordPress plugin's SEO content analysis runs locally on the customer's own site; Yoast states none of the analyzed content is sent to or used by Yoast off-site.
yoast.comData retention
Parent Newfold Digital's privacy notice: personal information is retained 'for no more than seven years following the date on which you terminate your use of the Services,' unless law requires longer (Yoast separately notes invoices are kept 7 years for tax purposes).
newfold.comCorporate network/infra security (parent company, general)
Newfold Digital's Information Security Policy describes firewalls, intrusion detection/prevention, DDoS mitigation, restricted data-center access, and encryption/pseudonymization requirements at the corporate level; the document does not name Yoast specifically.
newfold.com// Products & data scope
data: Runs entirely within the customer's own WordPress install; content analysis is local, no customer content sent to Yoast servers per vendor statement.
Base product with 13M+ users per yoast.com. No account/billing data involved for the free tier.
data: Adds account, billing, and license data (name, email, payment info) collected via Newfold/Yoast checkout; SEO analysis remains local to the site.
AI-powered title/description suggestions route data to OpenAI's API per Yoast's AI FAQ.
data: Separate privacy policy from the WordPress plugin (yoast.com/yoast-seo-docs-addon-privacy-policy/); collects account info, IP/device data, and usage analytics.
Different data-collection footprint than the WordPress plugin; treat as a distinct product for compliance purposes.
data: Monitors and reports on brand mentions/sentiment across third-party AI platforms (ChatGPT, Gemini, Perplexity); broader external data footprint than the core plugin.
Newest, least-documented product from a compliance standpoint; no dedicated privacy/security page found distinct from the general Yoast/Newfold privacy notice.
// What to watch
- No trust center, and no SOC 2, ISO 27001, or other formal third-party certification found on any vendor-controlled domain (yoast.com or newfold.com), despite a large user base (13M+ per vendor's own homepage) and a third-party site (Nudge Security) that describes Yoast as 'SOC 2, GDPR, and ISO 27001 Compliant' with no vendor-domain proof to back that claim. Do NOT surface those cert claims to AIFOXX listing users; they could not be verified on Yoast's or Newfold's own site and read as an over-claim by a third party.
- Entity/identity nuance: yoast.com's own privacy notice URL 301-redirects to newfold.com/privacy-center/privacy, meaning Yoast's product privacy posture is now governed by parent Newfold Digital, Inc.'s corporate policy rather than a Yoast-specific document. Newfold's security/PCI DSS language does not name Yoast, so it should be treated as parent-company posture, not a confirmed Yoast-product-level control.
- AI training posture on the newer AI title/description generator (OpenAI-backed) is not fully spelled out by Yoast; the vendor page defers to OpenAI's API data policies without independently stating whether prompts are used for model training, and the only explicit 'not used for AI training' clause found (Newfold's Google Workspace API clause) is scoped to a different integration, not this feature.
- PCI DSS is referenced only at the Newfold parent-company level for its broader hosting business; it is not confirmed to specifically cover Yoast SEO's checkout/billing flow, so it is graded held=false rather than assumed inherited.
// At a glance
Pricing model
Freemium: free WordPress plugin, paid Premium/WooCommerce SEO/AI+ tiers (EUR 9.90-29.90/month billed annually), separate Shopify app pricing ($19/30 days).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Yoast B.V. (a Newfold Digital, Inc. brand)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
newfold.com