// Trust & Security Report
OpenBMB (Open Lab for Big Model Base) / Tsinghua University NLP Lab
ChatDev 2.0 (DevAll): Open-source zero-code multi-agent orchestration platform for LLM-powered workflow automation. Includes legacy ChatDev v1.0 for software development teams.
Certifications held
0
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 6 unconfirmed / not-held certifications
source: github.comNo public evidence of SOC 2 certification. ChatDev is open-source software, not a commercial SaaS service, so SOC 2 does not apply to the project itself. Users' deployments are their own responsibility.
source: github.comNo public evidence of ISO 27001 certification. ChatDev is open-source software. OpenBMB and affiliated organizations (Tsinghua University, BAAI) are not publicly documented as ISO 27001 certified.
source: github.comNot applicable. ChatDev is open-source software deployed on user infrastructure. No personal data processing by the vendor.
source: github.comNot applicable. ChatDev is open-source software. Users deploying ChatDev in regulated environments (healthcare) are responsible for their own HIPAA compliance.
source: github.comNot applicable. ChatDev is open-source software. PCI DSS compliance depends on user deployment.
source: github.comNot applicable. ChatDev is open-source, user-deployed software, not a cloud service provided by the vendor.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
N/A - user-hosted open-source software
ChatDev is a multi-agent orchestration platform, not a model trainer. Users' workflows and data are not ingested by OpenBMB. Users can configure ChatDev to use third-party LLM APIs (OpenAI, Anthropic, Gemini, etc.); compliance depends on which LLM provider is configured.
// Security controls
License & Open Source Audit
Apache 2.0 (permissive). Full source code available for review on GitHub. 199 commits, 73 contributors, 33.6k stars. Active development.
github.comSelf-Hosting Model
ChatDev is designed for self-hosting. Users deploy via Docker Compose, Python/uv, or direct Python execution. No vendor-managed SaaS infrastructure.
github.comEncryption in Transit (TLS)
Depends on user deployment. Backend is FastAPI (Python), frontend is Vue 3. Users are responsible for TLS/HTTPS configuration in their own environment.
github.comData Storage
ChatDev includes YAML workflow configs and in-memory session data. No vendor-managed database. Users control where YAML files and workflow artifacts are stored. Artifacts are generated in local 'WareHouse/' directory.
github.comAuthentication
No built-in user authentication in open-source ChatDev. Users deploying ChatDev for multi-user access are responsible for adding authentication/authorization (via reverse proxy, IAM, etc.).
github.comLLM API Keys
ChatDev requires users to provide LLM API keys (OpenAI, Anthropic, Gemini, etc.). Keys are configured via .env file. Users are responsible for key rotation and secure storage.
github.com// Products & data scope
data: Workflow YAML configs, workflow artifacts (generated code, data visualizations, 3D models), session logs. All user-controlled, locally stored.
Zero-code platform. Users define agents, workflows, and tasks via YAML. Supports out-of-the-box templates for data visualization, 3D generation (Blender), game dev, deep research, and video generation.
data: Software development tasks, generated code, documentation. User-deployed.
Moved to chatdev1.0 branch. Simulates a virtual software company with specialized agent roles (CEO, CTO, Programmer, Tester, etc.). No longer the primary focus.
data: Workflow execution via Python. Outputs and results handled by user code.
PyPI package 'chatdev' (v0.1.0+). Users can orchestrate workflows programmatically rather than via the web console.
// What to watch
- ChatDev is NOT a commercial SaaS vendor. It is an open-source project. Traditional vendor compliance metrics (SOC 2, ISO 27001, GDPR, HIPAA, DPA) do not apply to the open-source project itself.
- Users deploying ChatDev are responsible for their own compliance. Compliance posture depends entirely on deployment context (on-premises, cloud, LLM provider choice).
- No vendor trust center, security documentation, or privacy policy exists. This is normal for open-source projects.
- LLM Provider Risk: ChatDev is configured to use third-party LLM APIs (OpenAI, Anthropic, Gemini). Users' workflows and prompts are sent to the configured LLM provider. Compliance with user's data policies depends on which LLM is selected and that provider's terms.
- No built-in user authentication. Multi-user deployments require additional security controls (reverse proxy, IAM, etc.).
- OpenBMB is academically affiliated (Tsinghua University, BAAI, Beijing) with a related commercial entity (ModelBest, founded 2022). ChatDev itself remains open-source.
// At a glance
Pricing model
Open-source (free). No commercial SaaS offering. Users pay for third-party LLM API usage (OpenAI, Anthropic, etc.) and infrastructure costs.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on OpenBMB (Open Lab for Big Model Base) / Tsinghua University NLP Lab's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
github.com