// Trust & Security Report
Bardeen Inc.
Agentic web scraper for lead research, enrichment, and qualification. Core products: Web Scraper (data extraction), Web Search (AI-powered research), Enrichment (contact validation), and Qualification (AI lead filtering). Offers browser-based automation with cloud instances for scheduled workflows. No persistent data storage on cloud after automation completes.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on bardeen.ai“As of April 1, 2024, we are proud to announce our compliance with the AICPA SOC 2 Type 2 standards”
Verify on bardeen.ai“Adheres to EU's GDPR compliance checklist for US companies... EU Standard Contractual Clauses for international transfers”
Verify on bardeen.ai“Meets Tier 2 and Tier 3 of the Cloud Application Security Assessment (CASA) based on OWASP Application Security Verification Standard (ASVS)”
> Show 5 unconfirmed / not-held certifications
source: bardeen.aiNo public evidence on vendor domain; claimed by third-party aggregators but not mentioned on Bardeen's own security page
source: bardeen.aiNo public evidence on vendor domain; notably absent despite being industry standard paired with SOC 2 Type II
source: bardeen.aiNo public evidence on vendor domain; claimed by third-party aggregator but not on Bardeen's own security page
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Not specified; US-based company with EU Standard Contractual Clauses for EEA/UK/Swiss data transfers
Explicit pledge: 'Any personal information obtained via any 3rd Party API integration, including, but not limited to Google Drive, Google Mail and others, will only be used for providing and improving automation features of the product. This data will not be used for training of any generalized AI models, internal or external.' Bardeen may use aggregated/derived usage data and trends (non-personal) to improve generative features.
// Security controls
Browser Storage
App data persists only in local browser cache; no third-party or website can access unless device is compromised
bardeen.aiCloud Automation Data Handling
Cloud instances of Bardeen have no storage capabilities; all data is erased after playbook execution completes
bardeen.aiServer-Stored Data
Limited to connected apps and access configurations, custom Playbook and Autobook data only
bardeen.aiAuthentication Methods
Single sign-on (SSO), Okta integration, Google and Microsoft login, two-factor authentication via email and SMS
bardeen.aiCode Review & Vulnerability Scanning
All code changes undergo peer-review; code automatically scanned for known security vulnerabilities with timely patches
bardeen.ai// Products & data scope
data: Extracts public web data; no persistent server storage
Core product for lead sourcing and data collection
data: AI-powered research and lead generation via search providers
Integrates with leading AI and web search providers
data: Validates and enriches contact information
Instant verification of contact data
data: AI-driven lead prioritization based on user criteria
Describes ideal leads for AI to prioritize
data: Scheduled playbooks running in cloud with no data persistence
Enterprise feature; no data stored after execution
// What to watch
- Third-party security aggregator (Nudge Security) claims HIPAA, ISO 27001, PCI, FedRAMP, and CSA STAR that are NOT listed on Bardeen's own security page. This is a potential over-claim or misrepresentation in external sources. Recommend clarification from vendor.
- ISO 27001 and HIPAA are notably absent from vendor's claims despite being industry-standard certifications commonly paired with SOC 2 Type II. This is unusual for a security-focused product and warrants inquiry.
- CASA Tier 2/3 is a less widely recognized standard compared to ISO 27001; clarity on its scope and validation strength would be helpful.
- Data Processing Agreement (DPA) not mentioned in Terms of Service. While GDPR compliance is claimed, explicit DPA availability should be confirmed with vendor.
- Data residency/region not specified on security or privacy pages. Standard Contractual Clauses are mentioned for EU data, but primary storage region remains unclear.
- No self-hosted or on-premise deployment option mentioned; cloud-only architecture.
- Cloud automation feature has zero data persistence (data erased after execution), which is excellent for privacy but may require clarification for compliance audits.
// At a glance
Pricing model
Freemium tier + paid plans (specific tiers not detailed in evidence)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Bardeen Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
bardeen.ai