// Trust & Security Report
Budibase, Inc.
Open-source AI workflow platform with agents, automations, apps, and internal tools builder. Supports both cloud (Budibase Cloud) and self-hosted deployment options.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on budibase.com“Budibase is ISO 27001 certified and fully committed to ongoing compliance. Underwent rigorous audits performed by independent third-party auditor NQA who evaluated the effectiveness of their ISMS implementation. Certificate viewable on UKAS website.”
Verify on budibase.com“GDPR compliant. Terms of Service function as a data processing agreement under Article 28 of EU GDPR and UK GDPR, with Budibase acting as Data Processor and customers as Data Controllers.”
> Show 8 unconfirmed / not-held certifications
source: budibase.comAll servers are hosted within EU datacenters certified by SOC 1/2 and ISO 27001. This refers to the hosting provider's certifications, not Budibase's own SOC 2 certification. No direct evidence of Budibase company-level SOC 2 Type II certification found.
source: budibase.comPer the Terms of Service: 'The Subscription Services are not designed to comply with industry-specific regulations such as the US Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), or the Federal Information Security Management Act (FISMA) ... so Customer may not use the Subscription Services where Customer's communications would be subject to such laws.' Separately, Budibase marketing/blog content references 'HIPAA readiness' and 'guardrails' (not the ToS), creating over-claim risk versus the binding terms.
No public evidence of PCI DSS certification found on vendor domain.
No public evidence of ISO 27017 certification found on vendor domain.
No public evidence of ISO 27018 certification found on vendor domain.
No public evidence of ISO 27701 certification found on vendor domain.
No public evidence of ISO/IEC 42001 AI governance certification found on vendor domain.
No public evidence of FedRAMP authorization found on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU (Ireland) for Budibase Cloud; self-hosted deployments can be on-premises or private cloud
Budibase is positioned as 'privacy-first AI workflow toolkit' with emphasis on data sovereignty. Self-hosted deployments maintain full data control. Cloud deployment data stored in EU (Ireland). No explicit statement found regarding training on customer data; privacy-first architecture and messaging suggests no training on customer data, but not explicitly confirmed.
// Security controls
Authentication & SSO
SAML 2.0, OpenID Connect, Google SSO, OIDC support; integrations with Active Directory, Auth0, Okta, OneLogin
budibase.comRole-Based Access Control (RBAC)
Custom RBAC, fine-grained permissions with custom roles and group management
budibase.comThird-Party Audits
Annual penetration tests and AWS security configuration audits from third-party vendors
budibase.comInfrastructure
Self-hosting supported; Budibase Cloud hosted in EU (Ireland) datacenters with SOC 1/2 and ISO 27001 certification
budibase.com// Products & data scope
data: Can access workspace data, APIs, integrated apps, tables, knowledge sources. Supports multi-channel deployment (Slack, Discord, Teams, custom).
Beta feature. Runs workflows across business operations - creating records, routing approvals, updating apps, notifying teams.
data: Connect to databases, spreadsheets, business systems for building internal tools
Visual app builder for forms, dashboards, and workflows. Core product.
data: Triggered by agents, schedules, emails, apps, or data changes. Can orchestrate across all connected systems.
Full observability with logs and testing. Can start from agents or traditional triggers.
data: Fully managed Budibase deployment with automatic scaling, backups, updates
Data hosted in EU (Ireland). Alternative to self-hosting.
data: Can be deployed on customer's own infrastructure with full data control
Open-source option. Complete data sovereignty.
// What to watch
- SOC 2 Certification Ambiguity: Marketing claims 'SOC 1/2 certified' and homepage mentions 'enterprise-grade security' but search results indicate this refers to datacenter provider certifications, not Budibase company-level SOC 2 Type II certification. Needs clarification.
- HIPAA Over-Claim Risk: Terms explicitly state services are NOT designed for HIPAA compliance, yet enterprise marketing mentions 'HIPAA-ready features' and 'HIPAA readiness.' This could confuse healthcare customers about actual compliance status.
- AI Training Data Posture Unclear: Product positioning emphasizes privacy-first AI and data sovereignty, but no explicit statement confirming customer data is never used for model training. This should be documented clearly.
- Missing Trust Center: No dedicated trust center page despite claiming ISO 27001 and GDPR compliance. Security information scattered across homepage, /security/ page, and docs.
// At a glance
Pricing model
Freemium (free tier available); Cloud SaaS (pay-as-you-go); Self-hosted (open-source with optional support)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Budibase, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
budibase.com