// Trust & Security Report
Mango Technologies, Inc. DBA ClickUp
ClickUp work management platform (Projects, Docs, Chat, Whiteboards, Dashboards, Automations) plus ClickUp AI / Brain (Brain, Brain MAX, Super Agents, AI Agents) and the public API/integrations.
Certifications held
11
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on clickup.com“Our continued SOC 1 Type 2, SOC 2 Type 2, and SOC 3 certifications ensures our organizational and technology controls are independently audited at least annually.”
Verify on clickup.com“Our continued SOC 1 Type 2, SOC 2 Type 2, and SOC 3 certifications ensures our organizational and technology controls are independently audited at least annually. Please contact sales@clickup.com for ClickUp's latest reports.”
Verify on clickup.com“Our continued SOC 1 Type 2, SOC 2 Type 2, and SOC 3 certifications ensures our organizational and technology controls are independently audited at least annually.”
Verify on clickup.com“the ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, and ISO 27701:2019 certifications confirm that ClickUp meets the highest international standards for security, privacy, reliability, quality, and trust.”
Verify on clickup.com“the ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, and ISO 27701:2019 certifications confirm that ClickUp meets the highest international standards for security, privacy, reliability, quality, and trust.”
Verify on clickup.com“the ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, and ISO 27701:2019 certifications confirm that ClickUp meets the highest international standards for security, privacy, reliability, quality, and trust.”
Verify on clickup.com“the ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, and ISO 27701:2019 certifications confirm that ClickUp meets the highest international standards for security, privacy, reliability, quality, and trust.”
Verify on clickup.com“ClickUp is proud to be among the first platforms to achieve ISO 42001 certification, the new global standard for Artificial Intelligence Management Systems.”
Verify on clickup.com“ClickUp maintains ongoing PCI compliance, abiding by stringent industry standards for storing, processing and transmitting credit card information online.”
Verify on clickup.com“SOC 2 TYPE II / ISO 27001 / GDPR / HIPAA (compliance badges shown in the Enterprise-grade section and footer). HIPAA is a self-attested compliance posture, not a third-party certification; a signed BAA is typically required and should be confirmed with sales.”
Verify on clickup.com“Under applicable data protection law (including GDPR), you have the following rights regarding your personal data: Right to Access... Right to Erasure... Right to Data Portability... You have the right to lodge a complaint with a supervisory authority.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Enterprise plan customers can choose US, Europe (Ireland), or Asia Pacific (Australia, Singapore) hosting region. Default/non-Enterprise data is processed in the United States. Privacy policy notes data 'may be transferred to, stored at and processed by us... outside the country in which you reside, including... the United States.'
ClickUp states third-party AI providers are contractually forbidden from training on customer data and from retaining it. Security page: 'ClickUp's AI partners are prohibited from using your data for training their models. ClickUp AI operates using in-context learning (ICL)... This means zero third-party data retention.' Homepage footnote: 'Our agreements ensure zero data training & retention on all third-party model providers.' ClickUp AI routes to GPT, Claude Opus, and Gemini; protections rely on ClickUp's contracts with those providers. AI behavior governed by a separate ClickUp AI Additional Terms document.
// Security controls
Penetration testing
Third-party penetration testing contracted; ongoing automated security testing. Quote: 'We run automated security testing on an ongoing basis. We also contract a third party for penetration testing.'
clickup.comVulnerability disclosure / bug bounty
Operates a Vulnerability Disclosure Program with a HackerOne-backed web form for researchers, with Safe Harbor language. A historically named Bug Bounty page exists (clickup.com/bug-bounty); current paid-bounty status is ambiguous (researchers directed to a disclosure form, no clear public bounty tiers).
clickup.comHosting
Hosted entirely on Amazon Web Services (AWS), which is itself SOC 2 Type 2 certified
clickup.comAuthentication
Two-factor authentication and Google SSO (Business); SAML/SSO available on higher tiers
clickup.comRisk framework
Risk Management Framework derived from NIST SP 800-39 and NIST SP 800-30; annual security awareness training; background checks for staff with production access
clickup.com// Products & data scope
data: Customer Workspace data (tasks, docs, chat, files) hosted on AWS, US region by default. Encrypted in transit (TLS 1.2) and at rest (AES-256).
Standard multi-tenant SaaS tiers. Data residency region selection not available below Enterprise.
data: Same Workspace data with added controls: customer-selectable data residency (US, Ireland/Europe, Australia or Singapore/APAC), SSO, advanced permissions.
Localized data residency offered at no additional cost on Enterprise plan only.
data: Sends Workspace context to third-party frontier models (GPT, Claude Opus, Gemini) under contracts that prohibit training and retention. Uses in-context learning; respects ClickUp user permissions (AI cannot surface data the user cannot access).
Covered by ISO 42001 AI management certification and a separate ClickUp AI Additional Terms document. 'Zero third-party data retention' is the vendor claim. AI Notetaker may process meeting/recording content.
data: Programmatic access to Workspace data; third-party integrations (Google Drive, GitHub, Salesforce, etc.) governed by their own privacy settings. Subprocessor list published.
Developer Terms and Subprocessors page exist. Brain2 connects to external apps via 'any MCP'.
// What to watch
- HIPAA shown as a compliance badge but is self-attested (no third-party cert); BAA availability should be confirmed with ClickUp sales before storing PHI.
- Bug bounty status is ambiguous: a Vulnerability Disclosure Program via HackerOne form exists with Safe Harbor, but whether paid bounties are currently active is unclear from public pages.
- ISO 42001 is a newer standard and an unusually strong AI-governance signal; certificate copies are gated behind sales@clickup.com (contact required to obtain actual reports/certs).
- No-training/no-retention AI guarantee depends on ClickUp's contracts with OpenAI/Anthropic/Google rather than on-device processing; verify scope in ClickUp AI Additional Terms for regulated data.
// At a glance
Pricing model
Freemium SaaS, per-seat subscription (Free Forever, Unlimited, Business, Enterprise); AI/Brain add-on priced per user
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mango Technologies, Inc. DBA ClickUp's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
clickup.com