Ship securely without compromise
Your data security matters, which is why we’ve designed our systems, applications, and processes to safeguard your data as if it were our own. dbt has been engineered at every level to handle your most sensitive data.


Deliver data quality with high security
Maintain your data security posture with the strongest encryption standards. dbt maintains an A+ rating from Qualys/SSL and requires communications to use the strongest encryption protocols so you can ship high-quality data with low risk. We have continuous monitoring and development to identify possible issues and keep our systems up to date.
Run your code fast on our secure infrastructure
Keep your data protected on a platform that’s proven safe and secure. Our processes are continually tested and maintained to the highest standards, and we partner with top experts to stay up to date with the latest security techniques. This includes third-party providers that continuously challenge our systems with rigorous penetration testing to find weak points before they can be exploited.
Compliance

ISO 42001:2023
ISO 42001:2023 is a globally recognized standard for the establishment and certification of an Artificial Intelligence Management System (AIMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented AIMS within the context of the organization’s overall business, technological and societal risks. It sets forth a risk-based and ethical approach that focuses on adequate and proportionate governance, transparency, fairness, accountability and security controls that manage AI systems and give confidence to interested parties. dbt Labs received its initial ISO 42001:2023 certification on November 21, 2025. This certificate can be viewed by visiting our trust page here.
ISO 27001:2022
ISO 27001:2022 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties. dbt Labs received its initial ISO 27001:2022 certification on December 9, 2021. dbt Labs completed its most recent surveillance audit on November 21, 2025. The certificate can be viewed by visiting our trust page here.
ISO 27701:2019
ISO 27701:2019 specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including processing of Personally Identifiable Information (PII), and is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It provides a set of additional controls and associated guidance that is intended to address public cloud PIMS and PII management requirements that aren’t addressed by the existing ISO/IEC 27002 control set, for both processors and controllers. dbt Labs is noted as a Processor. We have been assessed for conformity with the ISO/IEC 27701:2019 standard over our privacy information system, and this is combined with our ISO 27001 certificate here.

ISO 27017
ISO 27017:2015 is an internationally recognized standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It supplements ISO 27001 and ISO 27002 by specifying additional cloud-specific controls and implementation guidance designed to protect cloud service customers and providers. The standard establishes a framework to manage risks associated with cloud environments, ensuring confidentiality, integrity, and availability of data processed in the cloud. dbt Labs received its initial ISO 27017:2015 certification on November 21, 2025, and completed its most recent surveillance audit in line with ISO 27001. The certificate can be viewed by visiting our trust page here.

ISO 27018
ISO 27018:2025 is a globally recognized standard that focuses on protecting personally identifiable information (PII) in cloud computing environments. It builds upon ISO 27002 by providing specific guidance to cloud service providers acting as PII processors, emphasizing principles of transparency, consent, accountability, and data subject rights. The standard helps organizations demonstrate compliance with privacy obligations and assures customers that their personal data is handled securely. dbt Labs received its initial ISO 27018:2025 certification on November 21, 2025, and completed its most recent surveillance audit in line with ISO 27001. The certificate can be viewed by visiting our trust page here.
SOC2 Type II
A SOC 2 examination, performed by an independent, certified public accounting (CPA) firm, is an assessment of a service provider’s security control environment against the trust services principles and criteria set forth by the American Institute of Certified Public Accountants (AICPA). The result of the examination is a report which contains the service auditor’s opinion, a description of the system that was examined, management’s assertion regarding the description, and the testing procedures performed by the auditor. dbt completed a SOC 2 Type II examination, which means its controls were assessed based on their operating effectiveness over the reporting period of October 1, 2024 to September 30, 2025. Our SOC2 Type II is available for review under MNDA upon request.
GDPR
dbt is fully GDPR compliant. dbt’s Terms of Service includes a Data Processing Addendum that enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.
PCI
Before granting dbt access to data subject to PCI requirements, please contact support at support@getdbt.com.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. dbt has been assessed against relevant HIPAA Security criteria as part of our SOC2 Type II Report over the reporting period of October 1, 2024 to September 30, 2025. Our SOC2 Type II is available for review under MNDA upon request.
Security Highlights
The entire dbt team is focused on keeping you and your data safe. We use industry standards including OWASP, NIST, ISO 27001, ISO 27701, and ISO 42001 to guide our security program and engineering practices.
Start building with dbt.
Streamline your data transformation process, reduce manual errors, and increase productivity with dbt. Sign up today and take your data transformation workflow to the next level.