// Trust & Security Report

    Agorapulse SAS logo

    Agorapulse SAS

    Social media management SaaS platform: Publishing, Inbox, Listening, Reporting, ROI tracking, and AI Social Media Sidekick (writing assistant, sentiment analysis, hashtag suggestions, best-time-to-publish, alt-text generator)

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Trust center lists 'Agorapulse SOC 2 Type II Report (December 2025)'; Microsoft 365 App Certification (self-attestation) confirms 'SOC 2: Yes, type2, most recent certification date 2024-12-01'; dedicated SOC 2 page states 'passed a series of on-site audits to prove that our internal information systems and controls met the strict SOC 2 compliance requirements'

    Verify on trust.agorapulse.com
    ISO 27001:2022
    HELD

    Trust center lists 'ISO 27001:2022 Certificate - Agorapulse - 2025.pdf' and 'ISO 27001:2022 Audit Report - Agorapulse - 2025.pdf'; Microsoft 365 App Certification (self-attestation) confirms 'Is the app ISO 27001 certified? Yes'

    Verify on trust.agorapulse.com
    GDPR (compliance posture)
    HELD

    GDPR page states 'we carry out all processing operations in strict compliance with European data protection regulations'; DPA available on request via legal@agorapulse.com; ToS states 'As a matter of principle, we do not transfer personal data processed outside the European Union'; Microsoft attestation confirms GDPR obligations

    Verify on agorapulse.com
    > Show 7 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    Trust center lists 'ISO 42001 Engagement Letter - Agorapulse - 2026.pdf' — an engagement letter signals pursuit of certification, not a certificate itself. No certificate or audit report exists in the trust center as of June 2026.

    source: trust.agorapulse.com
    HIPAA
    NOT CONFIRMED

    Microsoft 365 App Certification self-attestation states 'Does the app comply with HIPAA? N/A'. No mention of HIPAA on trust center, security page, or privacy policy.

    source: learn.microsoft.com
    PCI DSS
    NOT CONFIRMED

    Microsoft attestation states 'Do you carry out annual PCI DSS assessments? N/A'. The Agorapulse security page references PCI DSS Level 1 only as an AWS-infrastructure certification, not as Agorapulse's own. Agorapulse is not a payment processor.

    source: agorapulse.com
    CSA STAR
    NOT CONFIRMED

    Microsoft 365 App Certification states 'Has the app been Cloud Security Alliance (CSA) Star certified? No'.

    source: learn.microsoft.com
    FedRAMP
    NOT CONFIRMED

    Microsoft 365 App Certification states 'Is the app FedRAMP compliant? No'.

    source: learn.microsoft.com
    ISO 27017 (cloud security controls)
    NOT CONFIRMED

    Microsoft 365 App Certification states 'Does the app comply with ISO 27017? No'. AWS as cloud host holds ISO 27017 but that is the host's certification, not Agorapulse's.

    source: learn.microsoft.com
    ISO 27018 (PII in cloud)
    NOT CONFIRMED

    Microsoft 365 App Certification states 'Does the app comply with ISO 27018? No'. AWS as cloud host holds ISO 27018 but that is the host's certification, not Agorapulse's.

    source: learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU (AWS Ireland as primary cloud provider; ToS states 'as a matter of principle, we do not transfer personal data processed outside the European Union')

    AI features are described as fully opt-in. The ToS explicitly states 'Agorapulse shall not modify, copy, distribute, display, perform, reproduce, publish, license, frame, create derivative works from, transfer, or otherwise use in any other way for commercial or public purposes...any of your Data'. Trust center lists a separate 'AI trust and privacy practices - March 2026' document available on request. No public statement explicitly says AI models are not trained on customer data, but the ToS commercial-use prohibition covers this implicitly. No contradictions found between ToS and AI features page.

    // Security controls

    Encryption in transit

    TLS — 'All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS)'

    agorapulse.com

    Encryption at rest

    Database-level encryption — 'All our user data (including passwords and access tokens) is encrypted using battled-proofed encryption algorithms in the database'

    agorapulse.com

    Network isolation

    Virtual Private Cloud (VPC) with bastion host/VPN; network ACLs with no public IPs; IP address filtering

    agorapulse.com

    Intrusion detection

    IDS/IPS systems deployed at network perimeter (confirmed in Microsoft attestation)

    agorapulse.com

    Multi-factor authentication

    2FA available via Google Authenticator and Authy; MFA enforced for DNS management, code repositories, and credentials

    agorapulse.com

    Access control

    Role-based access control (RBAC); production access restricted; unique production database authentication enforced

    agorapulse.com

    Penetration testing

    Annual penetration testing performed (Agorapulse 2026 Pentest Attestation listed in trust center)

    trust.agorapulse.com

    Business continuity

    Documented disaster recovery plan with backup and restore strategy; continuity plans established and tested; cybersecurity insurance maintained

    trust.agorapulse.com

    Vulnerability management

    Quarterly vulnerability scanning; OWASP Top 10 considered in secure coding practices; formal security risk management process established

    learn.microsoft.com

    Uptime SLA

    99.9% target uptime; full redundancy architecture; encrypted backups

    agorapulse.com

    Cloud provider

    Amazon Web Services (AWS) — EU (Ireland) region listed as primary; 'Amazon Web Services - Cloud provider - EU (Ireland)' in trust center subprocessors

    trust.agorapulse.com

    // Products & data scope

    Agorapulse CoreSocial Media Management

    data: Social media account tokens (OAuth), published content, inbox messages, follower interactions, analytics data

    Free plan (1 user, 3 profiles, 10 scheduled posts); paid tiers (Standard, Professional, Advanced, Custom) add users, profiles, and features. Social platform data accessed via API under OAuth.

    AI Social Media SidekickAI Writing / Content Assistance

    data: Post content, brand voice, social media interaction history used for reply suggestions and sentiment analysis

    All AI features are opt-in. Integrates ChatGPT and Claude as optional writing tools. Native AI features include writing assistant, hashtag suggestions, best-time-to-publish, alt-text generator, AI report summary, and sentiment analysis.

    Social ROIAnalytics / Attribution

    data: Social post data linked to web analytics (traffic, leads, sales) via UTM parameters

    Unique to Agorapulse among social management tools per their marketing; requires GA/analytics integration.

    // What to watch

    • ISO 42001 ENGAGEMENT LETTER ONLY: The trust center lists 'ISO 42001 Engagement Letter - Agorapulse - 2026.pdf' alongside completed certifications, which could create a misleading impression that the AI governance cert is held. It is NOT — an engagement letter means the audit process has been initiated, not completed. AIFOXX must not list ISO 42001 as held.
    • AWS CERT CONFLATION RISK: The Agorapulse security page lists CSA STAR Level 2, ISO 27017, ISO 27018, PCI DSS Level 1 as AWS infrastructure certifications. These belong to AWS, not to Agorapulse. Microsoft attestation confirms Agorapulse itself holds none of these. Do not attribute host certs to the vendor.
    • BREACH NOTIFICATION DISCREPANCY: Microsoft 365 App Certification self-attestation states 'Do you report data breaches to supervisory authorities and individuals within 72 hours? No'. This appears to contradict their stated GDPR compliance, which mandates 72-hour supervisory authority notification. Could be a form error or a genuine gap; Agorapulse should clarify.
    • LOG REVIEW GAP: Microsoft attestation states 'Are all logs reviewed on a regular cadence by human or automated tooling? No'. This is a minor operational security gap for a SOC 2 Type 2 certified vendor and may have been corrected since the August 2025 attestation submission.
    • AI TRAINING: No explicit public statement confirming AI models are never trained on customer data. Protection currently derives from the ToS commercial-use prohibition. The 'AI trust and privacy practices - March 2026' document in the trust center is access-gated and was not reviewed. AIFOXX should note 'no public explicit opt-out; opt-in features only' pending review of that document.

    // At a glance

    Pricing model

    Freemium + subscription tiers (Free; paid plans starting ~$79/mo billed annually); per-user and per-profile scaling

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Agorapulse SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.agorapulse.com

    > Browse all vendor trust reports