// Trust & Security Report
CleverTap (WizRocket, Inc. / CleverTap Private Limited)
All-in-one customer engagement, analytics, and lifecycle marketing platform (mobile/web push, email, WhatsApp, SMS, in-app, RCS) with CleverAI agentic AI and predictive ML
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.clevertap.com“SOC 2 | Compliant (CleverTap Trust Portal, Compliances section); reinforced on security page: "CleverTap currently is compliant with GDPR, CCPA, SOC 2 Type II, ISO 27001, and HIPAA."”
Verify on trust.clevertap.com“ISO 27001 | Compliant (CleverTap Trust Portal); "CleverTap currently is compliant with GDPR, CCPA, SOC 2 Type II, ISO 27001, and HIPAA."”
Verify on trust.clevertap.com“ISO 27002 | Certified (CleverTap Trust Portal, Compliances section)”
Verify on trust.clevertap.com“HIPAA | Compliant (CleverTap Trust Portal); "CleverTap currently is compliant with GDPR, CCPA, SOC 2 Type II, ISO 27001, and HIPAA."”
Verify on trust.clevertap.com“GDPR | Compliant (CleverTap Trust Portal); dedicated GDPR documentation maintained at docs.clevertap.com/docs/gdpr”
Verify on trust.clevertap.com“CPRA (formerly CCPA) | Compliant (CleverTap Trust Portal); dedicated California privacy notice at clevertap.com/ccpa/”
Verify on trust.clevertap.com“CSA Star | Compliant (CleverTap Trust Portal, Compliances section)”
Verify on trust.clevertap.com“Privacy Shield | Compliant (Trust Portal); "CleverTap has certified to the U.S. Department of State that it adheres to the EU-U.S. Data Privacy Framework Policy Principles intended as a transfer mechanism."”
Verify on trust.clevertap.com“Digital Personal Data Protection Act (DPDPA) Compliance Framework | Compliant (CleverTap Trust Portal, Compliances section)”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Startup plans: data stored in EU region only. Enterprise plans: choice of server/data-center region. All data stored in localized AWS instances.
CleverTap operates as a data processor on behalf of its brand customers. Its proprietary predictive ML models (churn, recommendations, send-time/'Best Time' optimization, channel selection) are built/trained to serve the customer's own data, not to train shared cross-customer foundation models for outside benefit. For CleverAI agentic features that call external LLMs, CleverTap states only minimal context (prompt text or high-level event labels) is shared, with bulk customer data kept inside CleverTap's own infrastructure. No public statement was found that CleverTap trains third-party/foundation models on customer business data by default; nor an explicit blanket 'we never use your data to train AI' clause. Treat the in-tenant ML usage as expected service functionality.
// Security controls
Encryption at rest
Data at rest encrypted with AES-256 (server-side and on-device SDK storage). Quote: "Data at rest is encrypted with AES 256."
clevertap.comEncryption in transit
SDK data in transit encrypted with AES-256; API payloads in transit encrypted with HPKE (Hybrid Public Key Encryption).
clevertap.comPenetration testing
Yes - a Pentest Report is published as a downloadable resource in the Trust Portal (gated, request access).
trust.clevertap.comBug bounty
Yes - 'Bug Bounty' is listed as an App security control in the Trust Portal. Specific platform (HackerOne/Bugcrowd) not named in public-facing pages.
trust.clevertap.comAccess controls
Two-factor authentication (MFA), role-based access control (RBAC), restricted IP access, SSO support, audit logging, campaign approval workflow.
clevertap.comNetwork & endpoint security
Firewall, IDS/IPS, Data Loss Prevention, access monitoring, backups enabled; endpoint disk encryption, MDM, DNS filtering.
trust.clevertap.comHosting
AWS-hosted in localized/compliant data centers; subprocessors include AWS, Cloudflare, SendGrid, Salesforce, HubSpot, WhatsApp (regions US/EU/India/UAE).
trust.clevertap.com// Products & data scope
data: Processes Customer End-User behavioral and personal data (CleverTap acts as processor). Enterprise plan allows choice of data-center region.
Full multichannel suite: push, email, WhatsApp, SMS, in-app, web, RCS, plus analytics, segmentation, campaign orchestration. DPA available; SOC2/ISO/HIPAA scope applies.
data: Customer data stored in EU region only; no region choice.
Same platform, restricted to EU residency. Suitable for smaller brands; upgrade to Enterprise for residency control.
data: Proprietary in-tenant ML models trained on the customer's own data; for external LLM calls only minimal context shared, bulk data retained in CleverTap infrastructure.
AI layer for predictions (churn, recommendations, send-time) and autonomous engagement agents. Confirm specific LLM subprocessors and DPAI terms for high-sensitivity use cases.
// What to watch
- Some compliances on the Trust Portal use the word 'Compliant' rather than 'Certified' (e.g., SOC 2 'Compliant', HIPAA 'Compliant') - SOC 2 Type II and ISO 27001 are independently corroborated on the public security page; CSA STAR, Privacy Shield/DPF, and DPDPA appear only on the Trust Portal, so treat as self-attested pending the gated report.
- Bug bounty program platform (HackerOne/Bugcrowd) is not publicly named.
- No explicit blanket statement that customer business data is never used to train AI; in-tenant predictive ML does use customer data as expected service functionality.
// At a glance
Pricing model
Commercial SaaS; tiered Startup vs Enterprise plans (custom/quote-based for enterprise). Get-a-demo sales motion.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on CleverTap (WizRocket, Inc. / CleverTap Private Limited)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.clevertap.com