// Trust & Security Report

    Yotpo Ltd. logo

    Yotpo Ltd.

    Ecommerce marketing platform for online retailers. Core products: Reviews & UGC (review collection/display, on-site galleries), Loyalty & Referrals (rewards, SMS/email retention), and Yotpo Discover (early-access 'AI Visibility' product that tracks/optimizes how brands appear in ChatGPT, Gemini and other AI answer engines). Also offers SMS & Email marketing and a first-party AI chat/shopping feature ('Ask Ben').

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Yotpo maintains three key security certifications: "ISO 27001, ISO 27701 and SOC 2 Type 2 certifications."

    Verify on yotpo.com
    ISO/IEC 27001
    HELD

    "Yotpo's ISO/EIC compliance certification is a confirmation that privacy and security are of the utmost importance when it comes to our customers and partners." (Eyal Sasson, CISO, Yotpo) — article confirms ISO/IEC 27001:2013 achieved; also listed as 'ISO/IEC 27001' and 'ISO/IEC 27001 Statement of Applicability' documents on the Trust Center.

    Verify on yotpo.com
    ISO/IEC 27701 (Privacy Information Management)
    HELD

    ISO/IEC 27701:2019 certification confirmed in the same announcement as ISO 27001 ('Yotpo Achieves ISO 27001 & IEC 27701 Certifications'); also listed as an available document ('ISO/IEC 27701') on the Trust Center.

    Verify on yotpo.com
    ISO/IEC 27017:2015 (Cloud Security)
    HELD

    'ISO/IEC 27017:2015' listed as an available compliance document on the vendor's own Trust Center.

    Verify on trust.yotpo.com
    ISO/IEC 27018:2019 (Cloud PII Protection)
    HELD

    'ISO/IEC 27018:2019' listed as an available compliance document on the vendor's own Trust Center.

    Verify on trust.yotpo.com
    CSA STAR (Level 1)
    HELD

    'CSA STAR Level 1' listed as an available compliance document on the vendor's own Trust Center.

    Verify on trust.yotpo.com
    GDPR (compliance posture, not a certification)
    HELD

    DPA references processing in the 'EEA (EU Member States, Norway, Liechtenstein, Iceland)' and uses 'the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914'; Trust Center separately lists 'GDPR' and 'EU-US Data Privacy Framework (DPF)' among its compliance documents.

    Verify on yotpo.com
    > Show 4 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No ISO 42001 certificate is listed on the Trust Center. The Trust Center does reference AI-governance documents by title only ('AI Policy', 'AI Training Data and Bias', 'AI Systems Inventory'), but these are not a formal ISO/IEC 42001 (or equivalent) certification and no certificate text/auditor is shown.

    source: trust.yotpo.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation on the Trust Center, security-measures page, or security page. Yotpo is a reviews/loyalty/marketing platform, not a payment processor.

    source: yotpo.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA support anywhere on Yotpo's Trust Center, security pages, or legal pages. Yotpo is an ecommerce marketing platform, not a healthcare product; HIPAA appears out of scope.

    source: yotpo.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on any vendor-domain page reviewed.

    source: trust.yotpo.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Primarily AWS-hosted (per security-measures page); DPA covers processing in the EEA, UK, Switzerland, US, Canada and Israel, with Standard Contractual Clauses (2021/914) and a UK IDTA used for cross-border transfers; adequacy decisions applied where available. Specific data-center locations are not published.

    Yotpo's Terms of Service grant Yotpo a license 'to analyze, improve (including by training Yotpo's first-party AI models), develop, update and support Yotpo's products and services' using Client Content, and separately allow use of 'Usage Data and Client Content to operate, analyze, improve, develop, update, create and support' its products. No customer-facing opt-out for this training use was found in the Terms of Service. The Trust Center lists an 'AI Policy' and 'AI Training Data and Bias' document by title, but the full text was not accessible to confirm whether an opt-out exists there. For the separate 'Ask Ben' AI shopping feature, the Terms grant an even broader 'worldwide, transferable, non-exclusive, irrevocable, royalty-free license' to related content. This is a material privacy consideration for prospective enterprise/regulated customers.

    // Security controls

    Encryption at rest

    AES 256 encryption via file system encryption, per Yotpo's own security page.

    yotpo.com

    Encryption in transit

    Not confirmed with a direct vendor-domain quote in this review; not stated as 'n/a', simply unverified from the pages fetched.

    yotpo.com

    Infrastructure

    Hosted on Amazon Web Services (AWS); anti-DDoS protection, Web Application Firewall (WAF), intrusion detection/threat detection, and public status monitoring.

    trust.yotpo.com

    Backups & redundancy

    Real-time database replication for redundant, geographically dispersed, physically separated backup systems; Recovery Time Objective of 1 hour listed on the Trust Center.

    yotpo.com

    Application security

    Penetration testing conducted, a responsible disclosure program, and SDLC security controls, per the Trust Center.

    trust.yotpo.com

    Endpoint security

    Mobile Device Management, EDR/anti-malware, and disk encryption on managed devices, per the Trust Center.

    trust.yotpo.com

    Accessibility

    WCAG 2.2 AA conformance document listed on the Trust Center.

    trust.yotpo.com

    // Products & data scope

    Reviews & UGCCustomer reviews / user-generated content

    data: Collects and displays customer reviews, photos, and Q&A; uses AI to summarize review themes.

    Yotpo's original flagship product; broad Shopify/BigCommerce ecosystem integration.

    Loyalty & ReferralsRetention / loyalty marketing

    data: Processes purchase history and customer identity to run points, rewards, and referral programs; sends SMS/email.

    Includes 'RevRewards'-style loyalty tiers referenced in customer case studies.

    Yotpo Discover (AI Visibility)AI answer-engine optimization

    data: Tracks how a brand's products are represented and recommended across ChatGPT, Gemini and other AI engines; activates review/UGC content to influence AI answers.

    Marked 'Early Access' on the vendor's own homepage as of this review; less mature than Reviews/Loyalty products.

    SMS & EmailMarketing automation / messaging

    data: Processes customer contact data (phone/email) for campaign and lifecycle messaging; subject to TCPA/GDPR consent handling per support docs.

    Integrated with Loyalty and Reviews for triggered messaging.

    Ask Ben (AI shopping agent)Conversational AI / first-party AI model feature

    data: Processes content submitted to the feature under a broader, irrevocable content license than the base Terms of Service.

    Broader IP/training license than standard Client Content terms; worth flagging to customers separately.

    // What to watch

    • AI training over-claim risk: Yotpo's Terms of Service grant it a license to train its 'first-party AI models' on Client Content with no visible customer opt-out in the Terms themselves; the Trust Center references an 'AI Policy' and 'AI Training Data and Bias' document by title only, so it could not be confirmed whether an opt-out is offered there. Listing should flag this for privacy-sensitive buyers.
    • Third-party trust-center platform: the Trust Center is hosted at trust.yotpo.com and is 'Powered by SafeBase,' a common enterprise trust-center-as-a-service tool. Content there is vendor-controlled and on the vendor's own subdomain, so it is treated as first-party evidence, but full underlying audit reports (SOC 2 report itself, ISO certificates) were not directly downloadable/verifiable in this review.
    • ISO 27001/27701 achievement announcement (blog post) is dated 2023 (last updated Jan 2026 per fetch) and the standalone security-measures page states it was 'last updated June 23, 2022' — current validity/renewal dates for the certifications were not independently confirmed (e.g. no certificate expiry date located).
    • Ask Ben conversational AI feature carries a broader, irrevocable content license than the base product Terms; this distinction should be called out separately from the core Reviews/Loyalty products.
    • No public evidence found for HIPAA or PCI DSS; reasonable given Yotpo does not process payments or health data directly, but should be listed as 'not applicable / no evidence' rather than omitted.

    // At a glance

    Pricing model

    SaaS subscription, tiered by product (Reviews, Loyalty) and usage; enterprise custom pricing available; exact tiers not published on marketing pages reviewed.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Yotpo Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.yotpo.com

    > Browse all vendor trust reports