AI Vendor Security & Compliance Brief
Tabnine
Independent due-diligence summary · every fact links to the vendor's official source
78/100
AI Governance Readiness
Enterprise-Ready
This vendor is rated Enterprise-Ready with a score of 78 out of 100. Strong evidence includes confirmed SOC 2 Type 2 and ISO 27001 certifications available via their trust portal, and the vendor does not train on customer data under enterprise terms. A key gap is the absence of a publicly available Data Processing Agreement. The buyer should request a Data Processing Agreement during procurement.
Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement No public DPA located — request one during procurement.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 7 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items
are shown but never silently counted against the vendor.
Ask This in Your Security Review 3 open items
- Data Processing AgreementRequest the Data Processing Agreement (DPA) and current sub-processor list.
- Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
- Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| GDPR | Stated by vendor | https://trust.tabnine.com/ |
| ISO 27001 | Stated by vendor | https://trust.tabnine.com/ |
| SOC 2 | Stated by vendor | https://trust.tabnine.com/ |
| HIPAA | Not publicly verified | — |
| BAA Available (HIPAA) | Not publicly verified | — |
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Trains on Customer Data key clause |
Free / Pro:
does not train
No-train, no-retain on every plan: your code is never used to train Tabnine's models and is held only in memory during inference, then deleted. Operational metrics/logs (no code/PII) retained ~1 week.
cited →
Enterprise:
does not train
Tabnine's own models train only on permissively-licensed open-source code. Deploy as SaaS, VPC, on-prem or fully air-gapped. SOC 2 Type 2, GDPR, ISO 9001.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Known Vulnerabilities (CVE / CISA KEV)
Not applicable
No CVE/CPE software identity is mapped to this hosted service; known-vulnerability tracking does not apply to the service identity assessed here.
Vulnerability Disclosure Policy (security.txt)
None found
Queried the authoritative source; no records.
Email Spoofing Protection (DMARC)
Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate
Valid
Data Breach History
None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard)
Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening
None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05)
Not applicable
Privately held — not a US-listed public company, so no SEC 8-K cyber-incident reporting obligation applies.
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://trust.tabnine.com/ |
| SOC2 TYPE2 | Available via Trust Center | https://trust.tabnine.com/ |
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.
Vendor-Claimed, Not Independently Verified treat as unconfirmed
| PEN TEST | Claimed — not independently verified | https://trust.tabnine.com |
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Data Processing Addendum (DPA) | Trust portal (gated) | Tabnine hosts its DPA in its SafeBase trust center rather than at a public URL. Request access through the trust center to view and accept it. Trust center → |
| Sub-processor List | Trust portal (gated) | Tabnine's sub-processor list is published inside its SafeBase trust center behind an access request. Request access through the trust center to view it. Trust center → |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center → |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
4 legal & policy documents under change-monitoring since 2026-05-31. Baseline captured — future revisions will be flagged.
CookieMsaPrivacyTos
Ask the Legal Documents grounded · cited
Ask a question about Tabnine's captured Terms, DPA, Privacy Policy or sub-processor list. Answers are read only from the actual document text and always shown with the exact clause. If the documents don't cover it, we say so — we never guess.
The summary only restates the clauses below it and is verified against them — the verbatim clause is always the source of truth.
Monitor Tabnine — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Tabnine changes something that affects your risk. Built for procurement & security teams.
Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal
pages and links to its source. This brief contains no scraped sentiment, forum chatter, or
AI-inferred opinion — only verifiable, deterministic facts. Verify each source before
procurement decisions.