Security, Compliance, and Trust at BotPenguin
BotPenguin helps teams deploy AI automation with enterprise-ready privacy controls, secure infrastructure, and visible compliance proof across regulated and high-trust use cases.
Certifications & Regulatory Compliance
We undergo independent third-party audits to maintain our compliance certifications. Below is a summary of each framework and what it means for your business.
GDPR: General Data Protection Regulation
BotPenguin complies with the EU General Data Protection Regulation. We act as a data processor under GDPR, and our Data Processing Agreement (DPA) is available to all customers upon request. EU users retain full rights to access, rectify, and erase their personal data.
Relevant for: Any business operating in the EU or processing EU residents' data.
HIPAA: Health Insurance Portability and Accountability Act
BotPenguin is HIPAA compliant and supports healthcare organizations that handle Protected Health Information (PHI). We offer Business Associate Agreements (BAA) for qualifying healthcare deployments.
CCPA: California Consumer Privacy Act
BotPenguin meets CCPA requirements for California residents. Consumers can exercise their rights to know, delete, and opt out of the sale of personal information through the controls provided in our platform.
Relevant for: Businesses serving California consumers.
ISO 27001: Information Security Management
BotPenguin holds ISO 27001 certification, the international gold standard for information security management systems (ISMS). Our certification is maintained through annual surveillance audits by an accredited third-party body.
SOC 2: Security, Availability and Confidentiality
BotPenguin maintains SOC 2 compliance, demonstrating our commitment to security, availability, and confidentiality controls as defined by the AICPA Trust Services Criteria. Audit reports are available to qualified prospects via our Trust Vault.
How We Handle Your Data
Our data handling practices are designed to give your business full control and visibility at every layer.
Encryption
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Conversation data, customer records, and credentials are protected at every layer.
Data Residency
BotPenguin offers data residency options for enterprise and white-label accounts.
No Training on Your Data
BotPenguin does not use customer conversation data to train shared AI models. Your data belongs to you.
Subprocessors
We maintain a published list of subprocessors (third-party services with access to customer data). Access it via our Trust Vault.
Access Controls
Role-based access control (RBAC), SSO support, and audit logs are available on applicable plan tiers.
Data Retention
Conversation and account data retention periods are configurable. Upon account termination, customer data is purged in accordance with the applicable compliance requirements.
Infrastructure & Operational Security
Our security programme goes beyond certifications. It is built into how we operate daily.
Security for White-Label Chatbot Partners
Your platform inherits enterprise-grade certifications, without you having to achieve them independently.
When you build a branded SaaS product on top of BotPenguin's white-label chatbot platform, your platform inherits BotPenguin's underlying security infrastructure. That means your enterprise clients benefit from the same certifications (GDPR, HIPAA, CCPA, ISO 27001, and SOC 2), without you having to achieve them independently.
This dramatically simplifies your sales process. When a prospective enterprise client sends you a vendor security questionnaire, you can reference our compliance posture and certification stack as the foundation of your platform.
White-label partners can access detailed compliance documentation, subprocessor lists, and audit reports via our Trust Vault, available upon request under NDA.
Close enterprise deals faster. Your platform inherits BotPenguin's full compliance stack, so you walk into every vendor review already certified.
Access Compliance Documentation
Need the full picture? Our Trust Vault gives procurement teams, IT evaluators, and compliance officers direct access to BotPenguin's audit reports, certifications, and subprocessor list; detailed documentation is gated behind an NDA.
Security FAQs
Common questions from procurement teams, IT evaluators, and enterprise buyers.
Is BotPenguin GDPR compliant?
Yes. BotPenguin is GDPR compliant and acts as a data processor under the regulation. We provide a Data Processing Agreement (DPA) and support all data subject rights including access, rectification, and erasure. Our processing activities are documented in our subprocessor list, available via Trust Vault.
Is BotPenguin HIPAA compliant?
Yes. BotPenguin meets HIPAA requirements for the handling of Protected Health Information (PHI). Healthcare organizations can request a Business Associate Agreement (BAA) by contacting our team.
Where can I access BotPenguin's SOC 2 report or audit documents?
All compliance documents, including certification attestations, audit reports, and the subprocessor list, are available via our Security page. Some documents require signing an NDA before download.
Is BotPenguin safe for enterprise use?
Yes. BotPenguin is certified for GDPR, HIPAA, CCPA, ISO 27001, and SOC 2. Enterprise accounts have access to RBAC, SSO, audit logs, configurable data retention, and dedicated support. Contact us to start an enterprise security review.
Does BotPenguin use my data to train AI models?
No. BotPenguin does not use customer conversation data to train shared AI models. Your data remains private to your account and is never used to improve models deployed for other customers.
Can white-label partners use BotPenguin's compliance certifications?
Yes. White-label partners building a SaaS product on BotPenguin's infrastructure inherit our underlying security posture. Partners can reference our certifications in their own security questionnaires and sales processes, and access detailed documentation via Trust Vault.
