// Trust & Security Report

    CleverTap (WizRocket, Inc. / CleverTap Private Limited) logo

    CleverTap (WizRocket, Inc. / CleverTap Private Limited)

    All-in-one customer engagement, analytics, and lifecycle marketing platform (mobile/web push, email, WhatsApp, SMS, in-app, RCS) with CleverAI agentic AI and predictive ML

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 | Compliant (CleverTap Trust Portal, Compliances section); reinforced on security page: "CleverTap currently is compliant with GDPR, CCPA, SOC 2 Type II, ISO 27001, and HIPAA."

    Verify on trust.clevertap.com
    ISO 27001
    HELD

    ISO 27001 | Compliant (CleverTap Trust Portal); "CleverTap currently is compliant with GDPR, CCPA, SOC 2 Type II, ISO 27001, and HIPAA."

    Verify on trust.clevertap.com
    ISO 27002
    HELD

    ISO 27002 | Certified (CleverTap Trust Portal, Compliances section)

    Verify on trust.clevertap.com
    HIPAA
    HELD

    HIPAA | Compliant (CleverTap Trust Portal); "CleverTap currently is compliant with GDPR, CCPA, SOC 2 Type II, ISO 27001, and HIPAA."

    Verify on trust.clevertap.com
    GDPR
    HELD

    GDPR | Compliant (CleverTap Trust Portal); dedicated GDPR documentation maintained at docs.clevertap.com/docs/gdpr

    Verify on trust.clevertap.com
    CPRA / CCPA
    HELD

    CPRA (formerly CCPA) | Compliant (CleverTap Trust Portal); dedicated California privacy notice at clevertap.com/ccpa/

    Verify on trust.clevertap.com
    CSA STAR
    HELD

    CSA Star | Compliant (CleverTap Trust Portal, Compliances section)

    Verify on trust.clevertap.com
    EU-U.S. Data Privacy Framework (formerly Privacy Shield)
    HELD

    Privacy Shield | Compliant (Trust Portal); "CleverTap has certified to the U.S. Department of State that it adheres to the EU-U.S. Data Privacy Framework Policy Principles intended as a transfer mechanism."

    Verify on trust.clevertap.com
    India DPDPA (Digital Personal Data Protection Act) Compliance Framework
    HELD

    Digital Personal Data Protection Act (DPDPA) Compliance Framework | Compliant (CleverTap Trust Portal, Compliances section)

    Verify on trust.clevertap.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Startup plans: data stored in EU region only. Enterprise plans: choice of server/data-center region. All data stored in localized AWS instances.

    CleverTap operates as a data processor on behalf of its brand customers. Its proprietary predictive ML models (churn, recommendations, send-time/'Best Time' optimization, channel selection) are built/trained to serve the customer's own data, not to train shared cross-customer foundation models for outside benefit. For CleverAI agentic features that call external LLMs, CleverTap states only minimal context (prompt text or high-level event labels) is shared, with bulk customer data kept inside CleverTap's own infrastructure. No public statement was found that CleverTap trains third-party/foundation models on customer business data by default; nor an explicit blanket 'we never use your data to train AI' clause. Treat the in-tenant ML usage as expected service functionality.

    // Security controls

    Encryption at rest

    Data at rest encrypted with AES-256 (server-side and on-device SDK storage). Quote: "Data at rest is encrypted with AES 256."

    clevertap.com

    Encryption in transit

    SDK data in transit encrypted with AES-256; API payloads in transit encrypted with HPKE (Hybrid Public Key Encryption).

    clevertap.com

    Penetration testing

    Yes - a Pentest Report is published as a downloadable resource in the Trust Portal (gated, request access).

    trust.clevertap.com

    Bug bounty

    Yes - 'Bug Bounty' is listed as an App security control in the Trust Portal. Specific platform (HackerOne/Bugcrowd) not named in public-facing pages.

    trust.clevertap.com

    Access controls

    Two-factor authentication (MFA), role-based access control (RBAC), restricted IP access, SSO support, audit logging, campaign approval workflow.

    clevertap.com

    Network & endpoint security

    Firewall, IDS/IPS, Data Loss Prevention, access monitoring, backups enabled; endpoint disk encryption, MDM, DNS filtering.

    trust.clevertap.com

    Hosting

    AWS-hosted in localized/compliant data centers; subprocessors include AWS, Cloudflare, SendGrid, Salesforce, HubSpot, WhatsApp (regions US/EU/India/UAE).

    trust.clevertap.com

    // Products & data scope

    CleverTap Engagement Platform (Enterprise)Customer engagement / lifecycle marketing / analytics

    data: Processes Customer End-User behavioral and personal data (CleverTap acts as processor). Enterprise plan allows choice of data-center region.

    Full multichannel suite: push, email, WhatsApp, SMS, in-app, web, RCS, plus analytics, segmentation, campaign orchestration. DPA available; SOC2/ISO/HIPAA scope applies.

    CleverTap Startup planEngagement (lower tier)

    data: Customer data stored in EU region only; no region choice.

    Same platform, restricted to EU residency. Suitable for smaller brands; upgrade to Enterprise for residency control.

    CleverAI (Agents + Predictions Agent)Agentic / predictive AI

    data: Proprietary in-tenant ML models trained on the customer's own data; for external LLM calls only minimal context shared, bulk data retained in CleverTap infrastructure.

    AI layer for predictions (churn, recommendations, send-time) and autonomous engagement agents. Confirm specific LLM subprocessors and DPAI terms for high-sensitivity use cases.

    // What to watch

    • Some compliances on the Trust Portal use the word 'Compliant' rather than 'Certified' (e.g., SOC 2 'Compliant', HIPAA 'Compliant') - SOC 2 Type II and ISO 27001 are independently corroborated on the public security page; CSA STAR, Privacy Shield/DPF, and DPDPA appear only on the Trust Portal, so treat as self-attested pending the gated report.
    • Bug bounty program platform (HackerOne/Bugcrowd) is not publicly named.
    • No explicit blanket statement that customer business data is never used to train AI; in-tenant predictive ML does use customer data as expected service functionality.

    // At a glance

    Pricing model

    Commercial SaaS; tiered Startup vs Enterprise plans (custom/quote-based for enterprise). Get-a-demo sales motion.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on CleverTap (WizRocket, Inc. / CleverTap Private Limited)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.clevertap.com

    > Browse all vendor trust reports