// Trust & Security Report

    Determinist Ltd (trading as AutoGPT) logo

    Determinist Ltd (trading as AutoGPT)

    AutoGPT is an AI agent platform enabling users to build, deploy, and manage autonomous agents through chat, visual builder, or code. Products include: AutoGPT Platform (cloud SaaS with Pro/Max/Team tiers), AutoGPT Classic (open-source, self-hostable), and Forge (visual builder).

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 11 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence of SOC 2 Type 1 certification. Extensive site:agpt.co search and vendor domain search returned no trust center, security certifications page, or SOC 2 claims.

    source: agpt.co
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 Type 2 certification. Site search and vendor documentation do not mention SOC 2.

    source: agpt.co
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification. Privacy policy and terms of use do not mention ISO 27001 or any ISMS certification.

    source: agpt.co
    ISO 27017
    NOT CONFIRMED

    No public evidence. Vendor documentation does not reference cloud-specific ISO 27017 certification.

    source: agpt.co
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 (PII in cloud) certification.

    source: agpt.co
    GDPR Compliance
    NOT CONFIRMED

    Privacy policy states 'subject to the UK General Data Protection Regulation (GDPR)' and references compliance mechanisms, but no GDPR certification or audit mentioned. GDPR is regulatory requirement, not certification.

    source: agpt.co
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or certification. Privacy policy and terms make no reference to HIPAA, BAA, or healthcare-specific controls.

    source: agpt.co
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification. Payment handling (credits system) mentioned in pricing but no PCI compliance documentation found.

    source: agpt.co
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization.

    source: agpt.co
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or equivalent AI governance certification despite AI-first positioning.

    source: agpt.co
    CSA STAR
    NOT CONFIRMED

    No public evidence of Cloud Security Alliance STAR certification.

    source: agpt.co

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Data transfers to service providers outside UK; specific regional storage not disclosed. Users must contact vendor for data residency guarantees.

    Privacy policy explicitly prohibits using data from Google Workspace APIs 'to train, develop or improve generalised artificial intelligence or machine learning models.' Data is used only for 'user-requested services.' Standard contractual clauses used for international data transfers under GDPR Article 46(2).

    // Security controls

    Encryption in Transit

    Not explicitly documented in available policies or docs.

    agpt.co

    Encryption at Rest

    Not explicitly documented in available policies or docs.

    agpt.co

    Vulnerability Disclosure

    Responsible disclosure policy: private reports only, 14-day acknowledgment SLA, 90-day remediation window before public disclosure.

    agpt.co

    Security Automation

    Uses GitHub dependabot, CodeQL, and Snyk for continuous codebase and container scanning as of March 2025.

    agpt.co

    Open Source Security Program

    Member of GitHub Secure Open Source Fund (SOSF) as of March 2025; participated in upskilling sessions.

    agpt.co

    Known Vulnerabilities

    Critical SSRF vulnerability (CVE-2025-62615) documented in 2025.

    cvedetails.com

    // Products & data scope

    AutoGPT Platform (Cloud SaaS)AI Agent Platform / Automation

    data: Processes user inputs, agent configurations, execution logs, integrations. Subject to UK GDPR and standard contractual clauses for international transfers.

    Subscription pricing: Pro ($42.50/mo), Max ($272/mo), Team tier coming soon. Includes access to 45+ integrated AI models and platforms. Credits-based usage model. File-aware agents. Event/schedule triggers. Visual builder and chat-based agent creation. Non-personal data may be used freely per ToS Section 7.2.

    AutoGPT Classic (Open Source)AI Agent Framework / Self-Hosted

    data: Self-hosted; data processing depends on deployment infrastructure. Licensed under custom AutoGPT license.

    Available on GitHub (Significant-Gravitas/AutoGPT). Self-hostable on-premises option. Forge visual builder included. Community-driven development. No cloud data transmission if self-hosted.

    // What to watch

    • VULNERABILITY: CVE-2025-62615 (critical SSRF in ReadRSSFeedBlock, CVSS 9.3) disclosed via GitHub Security Advisory GHSA-r55v-q5pc-j57f in 2025 and fixed in release autogpt-platform-beta-v0.6.34. Self-hosted deployments on older versions remain exposed until updated.
    • NO CERTIFICATIONS: Despite $12M in funding (Oct 2023), zero SOC 2, ISO 27001, or equivalent compliance certifications. Growth-stage company with no enterprise compliance roadmap evident.
    • AI WARRANTY DISCLAIMER: Terms of Use Section 9.1 states AI features are provided 'as is' without warranties of accuracy. Users bear all responsibility for interpreting outputs. Contrast with marketing claim 'AI agents that finish the work.'
    • CONFIDENTIALITY MONITORING: Terms Section 7.1 states 'We do not actively monitor or check whether information supplied to us through the Platform is confidential.' Customers using AutoGPT for sensitive workflows assume risk of accidental data exposure.
    • NON-PERSONAL DATA REUSE: Terms Section 7.2 permits unrestricted, royalty-free reuse of non-personal information submitted to platform. Vendors using AutoGPT must assume workflow patterns, query structures, or anonymized execution logs may be reused for product improvement.
    • DATA PROCESSING AGREEMENT: Privacy policy does not explicitly mention Data Processing Agreement (DPA) availability. Required for GDPR compliance in B2B enterprise contexts.
    • SMALL TEAM: ~8-person organization per search results. Limited support capacity for incident response or compliance escalations compared to enterprise vendors.
    • DATA RESIDENCY UNKNOWN: Privacy policy confirms data transfers 'to service providers located outside the UK' but does not disclose which regions, cloud providers, or data centers.
    • TRAINING DATA CLARITY: Policy prohibits training on Google Workspace data, but third-party tool integrations (45+ models) may have independent training policies. Vendor provides no attestation that third-party API calls are isolated from model training.

    // At a glance

    Pricing model

    Subscription (Pro/Max/Team) with credits per agent run. Usage-based metering. Self-hosting option available for open-source Classic version.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Determinist Ltd (trading as AutoGPT)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    agpt.co

    > Browse all vendor trust reports