// Trust & Security Report

    Budibase, Inc. logo

    Budibase, Inc.

    Open-source AI workflow platform with agents, automations, apps, and internal tools builder. Supports both cloud (Budibase Cloud) and self-hosted deployment options.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Budibase is ISO 27001 certified and fully committed to ongoing compliance. Underwent rigorous audits performed by independent third-party auditor NQA who evaluated the effectiveness of their ISMS implementation. Certificate viewable on UKAS website.

    Verify on budibase.com
    GDPR Compliance
    HELD

    GDPR compliant. Terms of Service function as a data processing agreement under Article 28 of EU GDPR and UK GDPR, with Budibase acting as Data Processor and customers as Data Controllers.

    Verify on budibase.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    All servers are hosted within EU datacenters certified by SOC 1/2 and ISO 27001. This refers to the hosting provider's certifications, not Budibase's own SOC 2 certification. No direct evidence of Budibase company-level SOC 2 Type II certification found.

    source: budibase.com
    HIPAA
    NOT CONFIRMED

    Per the Terms of Service: 'The Subscription Services are not designed to comply with industry-specific regulations such as the US Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), or the Federal Information Security Management Act (FISMA) ... so Customer may not use the Subscription Services where Customer's communications would be subject to such laws.' Separately, Budibase marketing/blog content references 'HIPAA readiness' and 'guardrails' (not the ToS), creating over-claim risk versus the binding terms.

    source: budibase.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor domain.

    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on vendor domain.

    ISO 27018 (PII in Cloud)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on vendor domain.

    ISO 27701 (PIMS)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on vendor domain.

    ISO 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 AI governance certification found on vendor domain.

    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on vendor domain.

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU (Ireland) for Budibase Cloud; self-hosted deployments can be on-premises or private cloud

    Budibase is positioned as 'privacy-first AI workflow toolkit' with emphasis on data sovereignty. Self-hosted deployments maintain full data control. Cloud deployment data stored in EU (Ireland). No explicit statement found regarding training on customer data; privacy-first architecture and messaging suggests no training on customer data, but not explicitly confirmed.

    // Security controls

    Data Encryption in Transit

    TLS 1.3 for all client-server communication

    budibase.com

    Data Encryption at Rest

    AES-256 encryption

    budibase.com

    Authentication & SSO

    SAML 2.0, OpenID Connect, Google SSO, OIDC support; integrations with Active Directory, Auth0, Okta, OneLogin

    budibase.com

    Role-Based Access Control (RBAC)

    Custom RBAC, fine-grained permissions with custom roles and group management

    budibase.com

    Audit Logging

    Comprehensive audit logs for all user actions and system events

    budibase.com

    Backups

    Backup and recovery capabilities offered

    budibase.com

    Third-Party Audits

    Annual penetration tests and AWS security configuration audits from third-party vendors

    budibase.com

    Infrastructure

    Self-hosting supported; Budibase Cloud hosted in EU (Ireland) datacenters with SOC 1/2 and ISO 27001 certification

    budibase.com

    // Products & data scope

    Budibase AgentsAI Agent Platform

    data: Can access workspace data, APIs, integrated apps, tables, knowledge sources. Supports multi-channel deployment (Slack, Discord, Teams, custom).

    Beta feature. Runs workflows across business operations - creating records, routing approvals, updating apps, notifying teams.

    Budibase AppsLow-Code App Builder

    data: Connect to databases, spreadsheets, business systems for building internal tools

    Visual app builder for forms, dashboards, and workflows. Core product.

    Budibase AutomationsWorkflow Automation

    data: Triggered by agents, schedules, emails, apps, or data changes. Can orchestrate across all connected systems.

    Full observability with logs and testing. Can start from agents or traditional triggers.

    Budibase CloudManaged Service

    data: Fully managed Budibase deployment with automatic scaling, backups, updates

    Data hosted in EU (Ireland). Alternative to self-hosting.

    Budibase Self-HostedSelf-Hosted Deployment

    data: Can be deployed on customer's own infrastructure with full data control

    Open-source option. Complete data sovereignty.

    // What to watch

    • SOC 2 Certification Ambiguity: Marketing claims 'SOC 1/2 certified' and homepage mentions 'enterprise-grade security' but search results indicate this refers to datacenter provider certifications, not Budibase company-level SOC 2 Type II certification. Needs clarification.
    • HIPAA Over-Claim Risk: Terms explicitly state services are NOT designed for HIPAA compliance, yet enterprise marketing mentions 'HIPAA-ready features' and 'HIPAA readiness.' This could confuse healthcare customers about actual compliance status.
    • AI Training Data Posture Unclear: Product positioning emphasizes privacy-first AI and data sovereignty, but no explicit statement confirming customer data is never used for model training. This should be documented clearly.
    • Missing Trust Center: No dedicated trust center page despite claiming ISO 27001 and GDPR compliance. Security information scattered across homepage, /security/ page, and docs.

    // At a glance

    Pricing model

    Freemium (free tier available); Cloud SaaS (pay-as-you-go); Self-hosted (open-source with optional support)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Budibase, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    budibase.com

    > Browse all vendor trust reports