Legal & Compliance

Find the CARTO Platform Terms and Conditions, SLA, and other product and service terms here.

Note that some of these documents are specific to CARTO's Cloud deployment. The CARTO Cloud platform is a fully managed, subscription-based, multi-tenant platform for Spatial Analytics.

CARTO is currently hosted on Google Cloud Platform and available in four regions: the European Economic Area, North America, Australia and Japan. It inherits all managed data governance rules and regulations from GCP.

Privacy Notice

Our Privacy Notice is fully available here.

Security policies

Learn more about security policies at CARTO here.

API rate limits

Learn more about API rate limits at CARTO here.



HIPAA is a 1996 U.S. law that required the codification and enactment of federal-level privacy rules and regulations concerning consumers' personal health information (PHI). Pursuant to HIPAA’s mandate, the U.S. Department of Health and Human Services (HHS) created national standards for safeguarding PHI in 2002, and these took effect in 2003.

Compliance with these standards must be achieved not only by “covered entities” like physicians, hospitals, private health insurance companies, and health care clearinghouses, but also by vendors — including software providers, cloud service providers, cloud platforms, document storage companies, etc. — which provide support to covered entities and health plans, and whose services involve the use or disclosure of PHI.

HHS does not mandate, endorse, or recognize HIPAA accreditations — or certify any products or services as "HIPAA compliant." But entities subject to HIPAA rules can harness the power of CARTO via customer-managed deployments on Google Cloud Platform, AWS, or Azure, which each support HIPAA compliance within the scope of a Business Associate Agreement (BAA).


The Federal Risk and Authorization Management Program (“FedRAMP”) furnishes the U.S. federal government with a risk-based, standardized approach to security assessments, allowing U.S. government entities to adopt and use those cloud services which meet the requirements of its common security framework.

While CARTO itself is not FedRAMP-authorized, the three major cloud platforms — AWS, Azure, and GCP — on which the CARTO Platform can be deployed have each achieved FedRAMP authorization, allowing our customers to purchase subscriptions to SaaS or customer-managed deployments on Google Cloud Platform, or customer-managed deployment options on AWS or Azure.

CARTO's SaaS offering is deployed on a GCP cloud region that has received both FedRAMP "High" and "Moderate" provisional authority to operate (P-ATO).
