// Trust & Security Report
Botpress Inc.
Enterprise-grade AI agent platform for customer support; sub-products include Agent Studio, Autonomous Engine, AI-native Helpdesk, Knowledge Bases, Tables, Hub/Integrations, and a self-hostable open-source community edition
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on app.drata.com“SOC2 Type II Report and SOC2 Type II Attestation Confirmation listed as compliance documents in the Botpress Drata trust center. Homepage states: 'SOC II certified, GDPR compliant, and penetration tested by KPMG.'”
Verify on botpress.com“Homepage states 'GDPR compliant.' GDPR listed in Drata trust center. A Data Processing Agreement is published at botpress.com/legal/data-processing-agreement. Botpress is self-certified under the EU-US, UK-US, and Swiss-US Data Privacy Framework. DPO appointed.”
Verify on botpress.com“Botpress relies on the EU-US, UK-US and/or Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce for international data transfers.”
Verify on botpress.com“Homepage states 'penetration tested by KPMG.' Drata trust center lists 'Annual Penetration Test' under App Security controls.”
> Show 6 unconfirmed / not-held certifications
source: app.drata.comNot listed in the Botpress Drata trust center or on botpress.com. A 2023 Discord community thread indicated Botpress was working toward ISO 27001 but had not yet obtained it. Third-party aggregator Nudge Security lists it but without vendor-domain proof. No public evidence on vendor-owned domain.
source: app.drata.comHIPAA is listed as a compliance category in the Botpress Drata trust center, but third-party healthcare compliance analysis (nirmitee.io) states 'The Botpress cloud service is not HIPAA compliant and does not sign BAAs.' Enterprise plan may offer BAA via negotiation. Listing HIPAA in the trust center without confirming BAA availability for standard cloud customers is a potential over-claim. Graded held=false for the standard cloud offering.
source: app.drata.comNot listed in the Botpress Drata trust center or on botpress.com. Listed by Nudge Security aggregator but that is a third-party source without vendor-domain proof. Stripe is a listed subprocessor for payment processing (which is PCI-compliant), but that is the host's cert, not Botpress's own PCI DSS certification.
source: app.drata.comNot listed in the Botpress Drata trust center, not on botpress.com, and not found in the FedRAMP marketplace. Listed by the Nudge Security aggregator, but that is a third-party source without vendor-domain proof. No public evidence.
source: cloudsecurityalliance.orgNot listed in the Botpress Drata trust center or on botpress.com. Botpress does not appear in the CSA STAR registry. Listed by Nudge Security aggregator without vendor-domain proof. No public evidence.
source: app.drata.comNo public evidence found on any vendor-owned domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US-east (AWS) by default per trust center subprocessors; Enterprise plan may allow custom AWS region selection
Botpress explicitly states it does not use customer conversation data or bot content for AI/ML model training, analytics, or algorithm improvement. From ToS research: 'Botpress does not use data obtained through the Workspace API to develop, improve, or train generalize AI and/or ML models' and 'does not use this content for any other purpose, including to perform analytics and model improvements, create algorithms or for training purposes.' Customer data is deleted 30 days after contract termination.
// Security controls
Encryption in transit
SSL/TLS enforced (listed in Drata trust center under Data Security)
app.drata.comEncryption at rest
Encryption at rest and hard-disk encryption listed in Drata trust center
app.drata.comInfrastructure
Built on AWS with automatic scaling, multiple availability zones, and zero maintenance for cloud customers
botpress.comPenetration testing
Annual penetration test by KPMG; listed in Drata trust center and homepage
botpress.comBug bounty / Responsible disclosure
Responsible Disclosure (Bug Bounty) program listed in Drata trust center
app.drata.comBCDR / Disaster Recovery
BCDR Plan and Disaster Recovery Plan listed in Drata trust center under Organization Security
app.drata.comSubprocessors
Disclosed in trust center: Microsoft (incl. OpenAI API), Segment by Twilio (US), Stripe (US), Upstash (US), Mixpanel (US), Grafana (US)
app.drata.com// Products & data scope
data: Customer conversation data, bot configuration, knowledge base content, end-user messages. All stored on AWS US-east.
HIPAA BAA not available on standard tiers per third-party analysis. No AI training on customer data. SOC 2 Type II applies. GDPR DPA available.
data: Same as cloud but with custom workspace limits and potentially custom AWS region for data residency.
HIPAA BAA may be available via negotiation. Custom data residency. Dedicated support and white-glove onboarding.
data: Customer controls all data on their own infrastructure.
HIPAA compliance achievable by deploying on HIPAA-eligible infrastructure (AWS GovCloud, Azure with BAA). Compliance posture inherits from customer's own infrastructure.
data: Support ticket data, customer conversations, agent interactions.
Newer product; can be used standalone or alongside Zendesk/Intercom.
// What to watch
- HIPAA over-claim risk: HIPAA is listed in the Drata trust center as a compliance category, but third-party healthcare compliance analysis states 'The Botpress cloud service is not HIPAA compliant and does not sign BAAs.' BAA may only be available to Enterprise customers via negotiation. AIFOXX should not list Botpress as 'HIPAA compliant' without the caveat that this is enterprise-only and requires a custom agreement.
- Aggregator cert inflation: The Nudge Security third-party security profile lists ISO 27001, FedRAMP, CSA STAR Level 1, and PCI DSS for Botpress. NONE of these appear in Botpress's own trust center or on botpress.com. These are likely aggregator inference errors or host-cert conflation (e.g., AWS holds these certs, not Botpress). Do not source these from Nudge Security.
- ISO 27001 in progress: Discord community posts from 2023 suggest Botpress was working toward ISO 27001 but had not yet obtained it. The cert may have been obtained since then, but there is no current public evidence on a vendor-owned domain. Verify directly with vendor before listing.
- KPMG pen test: Homepage and trust center confirm annual penetration testing by KPMG, but no public report is available. Enterprise customers may be able to request the report under NDA.
// At a glance
Pricing model
Freemium (Pay-as-you-go with 500 messages/month free); Plus and Team plans (usage-based, per conversation); Enterprise (custom pricing); open-source self-hosted (free)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Botpress Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
app.drata.com