// Trust & Security Report
Agorapulse SAS
Social media management SaaS platform: Publishing, Inbox, Listening, Reporting, ROI tracking, and AI Social Media Sidekick (writing assistant, sentiment analysis, hashtag suggestions, best-time-to-publish, alt-text generator)
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.agorapulse.com“Trust center lists 'Agorapulse SOC 2 Type II Report (December 2025)'; Microsoft 365 App Certification (self-attestation) confirms 'SOC 2: Yes, type2, most recent certification date 2024-12-01'; dedicated SOC 2 page states 'passed a series of on-site audits to prove that our internal information systems and controls met the strict SOC 2 compliance requirements'”
Verify on trust.agorapulse.com“Trust center lists 'ISO 27001:2022 Certificate - Agorapulse - 2025.pdf' and 'ISO 27001:2022 Audit Report - Agorapulse - 2025.pdf'; Microsoft 365 App Certification (self-attestation) confirms 'Is the app ISO 27001 certified? Yes'”
Verify on agorapulse.com“GDPR page states 'we carry out all processing operations in strict compliance with European data protection regulations'; DPA available on request via legal@agorapulse.com; ToS states 'As a matter of principle, we do not transfer personal data processed outside the European Union'; Microsoft attestation confirms GDPR obligations”
> Show 7 unconfirmed / not-held certifications
source: trust.agorapulse.comTrust center lists 'ISO 42001 Engagement Letter - Agorapulse - 2026.pdf' — an engagement letter signals pursuit of certification, not a certificate itself. No certificate or audit report exists in the trust center as of June 2026.
source: learn.microsoft.comMicrosoft 365 App Certification self-attestation states 'Does the app comply with HIPAA? N/A'. No mention of HIPAA on trust center, security page, or privacy policy.
source: agorapulse.comMicrosoft attestation states 'Do you carry out annual PCI DSS assessments? N/A'. The Agorapulse security page references PCI DSS Level 1 only as an AWS-infrastructure certification, not as Agorapulse's own. Agorapulse is not a payment processor.
source: learn.microsoft.comMicrosoft 365 App Certification states 'Has the app been Cloud Security Alliance (CSA) Star certified? No'.
source: learn.microsoft.comMicrosoft 365 App Certification states 'Is the app FedRAMP compliant? No'.
source: learn.microsoft.comMicrosoft 365 App Certification states 'Does the app comply with ISO 27017? No'. AWS as cloud host holds ISO 27017 but that is the host's certification, not Agorapulse's.
source: learn.microsoft.comMicrosoft 365 App Certification states 'Does the app comply with ISO 27018? No'. AWS as cloud host holds ISO 27018 but that is the host's certification, not Agorapulse's.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU (AWS Ireland as primary cloud provider; ToS states 'as a matter of principle, we do not transfer personal data processed outside the European Union')
AI features are described as fully opt-in. The ToS explicitly states 'Agorapulse shall not modify, copy, distribute, display, perform, reproduce, publish, license, frame, create derivative works from, transfer, or otherwise use in any other way for commercial or public purposes...any of your Data'. Trust center lists a separate 'AI trust and privacy practices - March 2026' document available on request. No public statement explicitly says AI models are not trained on customer data, but the ToS commercial-use prohibition covers this implicitly. No contradictions found between ToS and AI features page.
// Security controls
Encryption in transit
TLS — 'All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS)'
agorapulse.comEncryption at rest
Database-level encryption — 'All our user data (including passwords and access tokens) is encrypted using battled-proofed encryption algorithms in the database'
agorapulse.comNetwork isolation
Virtual Private Cloud (VPC) with bastion host/VPN; network ACLs with no public IPs; IP address filtering
agorapulse.comIntrusion detection
IDS/IPS systems deployed at network perimeter (confirmed in Microsoft attestation)
agorapulse.comMulti-factor authentication
2FA available via Google Authenticator and Authy; MFA enforced for DNS management, code repositories, and credentials
agorapulse.comAccess control
Role-based access control (RBAC); production access restricted; unique production database authentication enforced
agorapulse.comPenetration testing
Annual penetration testing performed (Agorapulse 2026 Pentest Attestation listed in trust center)
trust.agorapulse.comBusiness continuity
Documented disaster recovery plan with backup and restore strategy; continuity plans established and tested; cybersecurity insurance maintained
trust.agorapulse.comVulnerability management
Quarterly vulnerability scanning; OWASP Top 10 considered in secure coding practices; formal security risk management process established
learn.microsoft.comCloud provider
Amazon Web Services (AWS) — EU (Ireland) region listed as primary; 'Amazon Web Services - Cloud provider - EU (Ireland)' in trust center subprocessors
trust.agorapulse.com// Products & data scope
data: Social media account tokens (OAuth), published content, inbox messages, follower interactions, analytics data
Free plan (1 user, 3 profiles, 10 scheduled posts); paid tiers (Standard, Professional, Advanced, Custom) add users, profiles, and features. Social platform data accessed via API under OAuth.
data: Post content, brand voice, social media interaction history used for reply suggestions and sentiment analysis
All AI features are opt-in. Integrates ChatGPT and Claude as optional writing tools. Native AI features include writing assistant, hashtag suggestions, best-time-to-publish, alt-text generator, AI report summary, and sentiment analysis.
data: Social post data linked to web analytics (traffic, leads, sales) via UTM parameters
Unique to Agorapulse among social management tools per their marketing; requires GA/analytics integration.
// What to watch
- ISO 42001 ENGAGEMENT LETTER ONLY: The trust center lists 'ISO 42001 Engagement Letter - Agorapulse - 2026.pdf' alongside completed certifications, which could create a misleading impression that the AI governance cert is held. It is NOT — an engagement letter means the audit process has been initiated, not completed. AIFOXX must not list ISO 42001 as held.
- AWS CERT CONFLATION RISK: The Agorapulse security page lists CSA STAR Level 2, ISO 27017, ISO 27018, PCI DSS Level 1 as AWS infrastructure certifications. These belong to AWS, not to Agorapulse. Microsoft attestation confirms Agorapulse itself holds none of these. Do not attribute host certs to the vendor.
- BREACH NOTIFICATION DISCREPANCY: Microsoft 365 App Certification self-attestation states 'Do you report data breaches to supervisory authorities and individuals within 72 hours? No'. This appears to contradict their stated GDPR compliance, which mandates 72-hour supervisory authority notification. Could be a form error or a genuine gap; Agorapulse should clarify.
- LOG REVIEW GAP: Microsoft attestation states 'Are all logs reviewed on a regular cadence by human or automated tooling? No'. This is a minor operational security gap for a SOC 2 Type 2 certified vendor and may have been corrected since the August 2025 attestation submission.
- AI TRAINING: No explicit public statement confirming AI models are never trained on customer data. Protection currently derives from the ToS commercial-use prohibition. The 'AI trust and privacy practices - March 2026' document in the trust center is access-gated and was not reviewed. AIFOXX should note 'no public explicit opt-out; opt-in features only' pending review of that document.
// At a glance
Pricing model
Freemium + subscription tiers (Free; paid plans starting ~$79/mo billed annually); per-user and per-profile scaling
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Agorapulse SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.agorapulse.com