// Trust & Security Report

    Botpress Inc. logo

    Botpress Inc.

    Enterprise-grade AI agent platform for customer support; sub-products include Agent Studio, Autonomous Engine, AI-native Helpdesk, Knowledge Bases, Tables, Hub/Integrations, and a self-hostable open-source community edition

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC2 Type II Report and SOC2 Type II Attestation Confirmation listed as compliance documents in the Botpress Drata trust center. Homepage states: 'SOC II certified, GDPR compliant, and penetration tested by KPMG.'

    Verify on app.drata.com
    GDPR (compliance posture)
    HELD

    Homepage states 'GDPR compliant.' GDPR listed in Drata trust center. A Data Processing Agreement is published at botpress.com/legal/data-processing-agreement. Botpress is self-certified under the EU-US, UK-US, and Swiss-US Data Privacy Framework. DPO appointed.

    Verify on botpress.com
    EU-US Data Privacy Framework
    HELD

    Botpress relies on the EU-US, UK-US and/or Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce for international data transfers.

    Verify on botpress.com
    Penetration Testing (KPMG)
    HELD

    Homepage states 'penetration tested by KPMG.' Drata trust center lists 'Annual Penetration Test' under App Security controls.

    Verify on botpress.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Not listed in the Botpress Drata trust center or on botpress.com. A 2023 Discord community thread indicated Botpress was working toward ISO 27001 but had not yet obtained it. Third-party aggregator Nudge Security lists it but without vendor-domain proof. No public evidence on vendor-owned domain.

    source: app.drata.com
    HIPAA
    NOT CONFIRMED

    HIPAA is listed as a compliance category in the Botpress Drata trust center, but third-party healthcare compliance analysis (nirmitee.io) states 'The Botpress cloud service is not HIPAA compliant and does not sign BAAs.' Enterprise plan may offer BAA via negotiation. Listing HIPAA in the trust center without confirming BAA availability for standard cloud customers is a potential over-claim. Graded held=false for the standard cloud offering.

    source: app.drata.com
    PCI DSS
    NOT CONFIRMED

    Not listed in the Botpress Drata trust center or on botpress.com. Listed by Nudge Security aggregator but that is a third-party source without vendor-domain proof. Stripe is a listed subprocessor for payment processing (which is PCI-compliant), but that is the host's cert, not Botpress's own PCI DSS certification.

    source: app.drata.com
    FedRAMP
    NOT CONFIRMED

    Not listed in the Botpress Drata trust center, not on botpress.com, and not found in the FedRAMP marketplace. Listed by the Nudge Security aggregator, but that is a third-party source without vendor-domain proof. No public evidence.

    source: app.drata.com
    CSA STAR
    NOT CONFIRMED

    Not listed in the Botpress Drata trust center or on botpress.com. Botpress does not appear in the CSA STAR registry. Listed by Nudge Security aggregator without vendor-domain proof. No public evidence.

    source: cloudsecurityalliance.org
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence found on any vendor-owned domain.

    source: app.drata.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US-east (AWS) by default per trust center subprocessors; Enterprise plan may allow custom AWS region selection

    Botpress explicitly states it does not use customer conversation data or bot content for AI/ML model training, analytics, or algorithm improvement. From ToS research: 'Botpress does not use data obtained through the Workspace API to develop, improve, or train generalize AI and/or ML models' and 'does not use this content for any other purpose, including to perform analytics and model improvements, create algorithms or for training purposes.' Customer data is deleted 30 days after contract termination.

    // Security controls

    Encryption in transit

    SSL/TLS enforced (listed in Drata trust center under Data Security)

    app.drata.com

    Encryption at rest

    Encryption at rest and hard-disk encryption listed in Drata trust center

    app.drata.com

    Infrastructure

    Built on AWS with automatic scaling, multiple availability zones, and zero maintenance for cloud customers

    botpress.com

    Web Application Firewall

    WAF listed in Drata trust center under App Security

    app.drata.com

    Penetration testing

    Annual penetration test by KPMG; listed in Drata trust center and homepage

    botpress.com

    Vulnerability scanning

    Quarterly vulnerability scan listed in Drata trust center

    app.drata.com

    MFA

    MFA on accounts listed in Drata trust center under Product Security

    app.drata.com

    Bug bounty / Responsible disclosure

    Responsible Disclosure (Bug Bounty) program listed in Drata trust center

    app.drata.com

    Backup

    Daily database backups listed in Drata trust center

    app.drata.com

    BCDR / Disaster Recovery

    BCDR Plan and Disaster Recovery Plan listed in Drata trust center under Organization Security

    app.drata.com

    Subprocessors

    Disclosed in trust center: Microsoft (incl. OpenAI API), Segment by Twilio (US), Stripe (US), Upstash (US), Mixpanel (US), Grafana (US)

    app.drata.com

    Cybersecurity insurance

    Cybersecurity insurance listed in Drata trust center

    app.drata.com

    // Products & data scope

    Botpress Cloud (Pay-as-you-go / Plus / Team)AI agent and chatbot platform - cloud hosted

    data: Customer conversation data, bot configuration, knowledge base content, end-user messages. All stored on AWS US-east.

    HIPAA BAA not available on standard tiers per third-party analysis. No AI training on customer data. SOC 2 Type II applies. GDPR DPA available.

    Botpress EnterpriseAI agent and chatbot platform - enterprise cloud

    data: Same as cloud but with custom workspace limits and potentially custom AWS region for data residency.

    HIPAA BAA may be available via negotiation. Custom data residency. Dedicated support and white-glove onboarding.

    Botpress Self-hosted (Open Source)AI agent and chatbot platform - self-hosted

    data: Customer controls all data on their own infrastructure.

    HIPAA compliance achievable by deploying on HIPAA-eligible infrastructure (AWS GovCloud, Azure with BAA). Compliance posture inherits from customer's own infrastructure.

    AI-native HelpdeskCustomer support helpdesk

    data: Support ticket data, customer conversations, agent interactions.

    Newer product; can be used standalone or alongside Zendesk/Intercom.

    // What to watch

    • HIPAA over-claim risk: HIPAA is listed in the Drata trust center as a compliance category, but third-party healthcare compliance analysis states 'The Botpress cloud service is not HIPAA compliant and does not sign BAAs.' BAA may only be available to Enterprise customers via negotiation. AIFOXX should not list Botpress as 'HIPAA compliant' without the caveat that this is enterprise-only and requires a custom agreement.
    • Aggregator cert inflation: The Nudge Security third-party security profile lists ISO 27001, FedRAMP, CSA STAR Level 1, and PCI DSS for Botpress. NONE of these appear in Botpress's own trust center or on botpress.com. These are likely aggregator inference errors or host-cert conflation (e.g., AWS holds these certs, not Botpress). Do not source these from Nudge Security.
    • ISO 27001 in progress: Discord community posts from 2023 suggest Botpress was working toward ISO 27001 but had not yet obtained it. The cert may have been obtained since then, but there is no current public evidence on a vendor-owned domain. Verify directly with vendor before listing.
    • KPMG pen test: Homepage and trust center confirm annual penetration testing by KPMG, but no public report is available. Enterprise customers may be able to request the report under NDA.

    // At a glance

    Pricing model

    Freemium (Pay-as-you-go with 500 messages/month free); Plus and Team plans (usage-based, per conversation); Enterprise (custom pricing); open-source self-hosted (free)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Botpress Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    app.drata.com

    > Browse all vendor trust reports