The standard in data privacy and security

At Labelbox, the security and privacy of our customers’ data is a top priority. Our ever-expanding privacy and security program is rooted in the principles of Privacy by Design and informed by both industry standards (i.e SOC 2, ISO 27001, GDPR, etc) and customer needs across a multitude of industries. As a result, our customers can rely on Labelbox’s enterprise-grade security to support and enable breakthroughs for their machine-learning teams and AI applications.

The standard in data privacy and security

Privacy policy

To understand the intricacies of our policy and your rights, please refer to our detailed privacy notice on our website.

Privacy policy

Protection of customer data

Labelbox considers all customer data submitted to our offering as confidential. The Labelbox application ensures that access is administered only to authorized users through data encryption both at rest and in transit, as well as through access control management and monitoring.

All labeled data, metadata and private user information hosted by Labelbox are encrypted at rest using AES-256. Labelbox uses Google Cloud for cloud storage, which means that your data will be encrypted on the server-side using GCP’s default encryption keys. Data is automatically decrypted when read by an authorized user using KMS-based protections. To ensure that privacy-sensitive data does not get compromised, Labelbox uses Auth0 for authentication. 

Data is encrypted via Transport Layer Security (TLSv1.2+) when in transit between customers and Labelbox servers. Once data is within Labelbox's internal network, port restrictions ensure data is transmitted over protected channels such as HTTPS and SSH. Customers have a choice for hosting their assets. Customers who elect to host their assets by uploading them to Labelbox, will find the same data protection that is applied for “labeled data” above.  

In order to apply best security practices, most Labelbox customers opt to host assets themselves on their choice of cloud platform using a variety of options including signed urls or delegated access.  This option provides customers a variety of options for extending their existing Cloud Platform security and access control policies through to the Labelbox platform. For more information about our Cloud Provider capabilities, please refer to our online documentation

At Labelbox, we have implemented a variety of access controls when provisioning administrative roles and associated privileges. We approach customer data under least privilege and need-to-know bases as well as log access to environments in our cloud infrastructure for monitoring and security purposes.

Procedural trust

Our compliance programs include a standardized set of policies and procedures that cover core areas of security and privacy including access control, change management, data retention & destruction risk management, vendor management, vulnerability management and more. The full list of Labelbox’s security & privacy policies can be found below. 

  • Acceptable Use Policy
  • Access Control Policy
  • Asset Management Policy
  • Backup Policy
  • Breach Notification Policy & Procedure
  • Business Continuity Plan
  • Code of Conduct
  • Corporate Information Security Policy
  • Data Classification Policy
  • Data Deletion Policy
  • Data Protection Policy
  • Data Subject Request Policy
  • Disaster Recovery Plan
  • Employee Handbook
  • Encryption Policy
  • HIPAA Privacy Policy
  • HIPAA Privacy Procedure
  • HIPAA Security Policy
  • HIPAA Security Procedure
  • Incident Response Plan
  • Information Security Policy
  • Password Policy
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • Standards of Business Conduct for the United States Government Marketplace
  • System Access Control Policy
  • Vendor Management Policy & Procedure
  • Vulnerability Management Policy

Frequently asked questions

  • Privacy program

    Labelbox is fully committed to protecting the personal data that we collect, use, and process. Our comprehensive privacy program helps us meet our obligations under applicable privacy and security laws and regulations, and to safeguard the personal data of our employees and customers.

  • Privacy notice

    Labelbox understands and respects our users’ need for privacy. The Labelbox Privacy Notice describes the types of personal data that we collect, the purposes for which it is used, and the choices you have with respect to its use. Read our [Privacy Notice here].

  • Cookie notice

    Labelbox.com uses cookies and other tracking technologies to enhance your experience on our website. Please read this [Cookie Notice] for more information on how we use and manage cookies.

  • Access requests

    As part of our privacy program, individuals can request to access, obtain a copy, delete, and update the personal data that Labelbox holds. Individuals that wish to make such a request must first complete an intake form, which can be found [here].

    Completing the intake form allows us to verify your identity and complete your request. Depending on where you reside, we will respond to you within 30-45 calendar days of receipt​.

  • Regulatory compliance

    Labelbox maintains SOC2 Type II certification.

  • HIPAA Compliance

    Labelbox maintains HIPAA compliance through our robust HIPAA compliance program.

  • How We Comply with the General Data Protection Regulation (“GDPR”)

    The GDPR is a European privacy law governs the collection, use, and processing of EU citizen personal data. Below are several changes we have implemented to meet our GDPR requirements:

    1. We train our staff to handle Labelbox personal data in accordance with our privacy policies and procedures;

    2. We ensure that our third party vendors that handle Labelbox personal data adopt industry privacy and security standards;

    3. We conduct data protection impact assessments for projects and engagements that involve personal data;

    4. We created procedures for handling requests from individuals who wish to access, change, or delete their personal data; and

    5. We maintain a personal data inventory that reflects how we collect, store, use, retain, and protect personal data.

  • How We Comply with the California Consumer Privacy Act (“CCPA”)

    We are updating our privacy program to meet our responsibilities under the CCPA. The CCPA, effective January 1, 2020, imposes new requirements on companies that collect and use personal data from California residents. Our new compliance steps include:

    1. Creating a CCPA Privacy Notice describing our California resident personal data collection and use practices, which supplements our website Privacy Notice.

    2. Updating our personal data inventory to reflect how we collect, store, use, and retain personal data from California consumers.

    3. Ensuring that our third party vendor agreements include CCPA privacy and security provisions relating to the handling of Labelbox customer personal data.

    4. Updating our internal privacy and data governance policies to reflect the new CCPA requirements.

    5. Updating our procedures for handling requests from consumers who wish to access, change, or delete their personal data.

    Do Not Sell Labelbox does not sell customer or end-user personal data. We share personal data with our third party service providers for our business purposes, but we do not share this information for monetary value or other valuable consideration.

  • Terms of service

    For more information regarding the Terms of Service agreements for Labelbox products, [click here].


Labelbox is committed to offering world class-security through constant innovation and cutting-edge security programs. If you have any questions regarding our security practices or compliance programs, please reach out to security@labelbox.com