// Trust & Security Report

    Close (Close CRM, Inc.) logo

    Close (Close CRM, Inc.)

    AI-powered all-in-one sales CRM with calling, email, SMS, pipeline management, and Chloe AI sales agent

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Close is SOC 2 Type 2 compliant. As a SOC 2 Type 2 certified SaaS provider, Close securely manages your data to protect the interests and privacy of your organization.

    Verify on close.com
    GDPR (compliance posture + DPA)
    HELD

    Close is GDPR compliant. DPA available for signing via HelloSign or PDF download (last updated February 7, 2023), including standard contractual clauses enabling data transfers outside the European Economic Area.

    Verify on close.com
    CCPA
    HELD

    CCPA COMPLIANT [label displayed on trust center]. Close is CCPA compliant.

    Verify on trust.close.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence that Close itself holds ISO 27001 certification. The GDPR page notes that sub-processors such as AWS 'maintain SOC2 and/or ISO 27001 certifications' — those belong to the sub-processor, not to Close.

    source: close.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA offering on any Close-domain page reviewed.

    source: close.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification or scope on any Close-domain page reviewed.

    source: close.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on any Close-domain page reviewed.

    source: close.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification on any Close-domain page reviewed.

    source: trust.close.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification on any Close-domain page reviewed.

    source: close.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (company HQ: Austin, Texas; primary cloud infrastructure on Amazon Web Services US). No EU data residency option confirmed in public documentation.

    The ToS grants Close a broad, irrevocable, transferable, sublicensable (through multiple tiers), worldwide license to customer content 'for use as inputs in features incorporating Artificial Intelligence (as defined below), whether developed by Close or third-parties.' Anthropic is listed as a named subprocessor for 'AI functionality and tools,' confirming customer data is sent to Anthropic at runtime. No explicit statement is made confirming or denying that customer data is used to train or fine-tune underlying AI models. No opt-out mechanism is offered — the ToS states the only remedy for disagreement is to stop using the service. The DPA (last updated Feb 7, 2023) predates widespread AI agent deployment and should be reviewed for AI data-sharing adequacy.

    // Security controls

    Encryption in transit

    TLS 1.2 with ECDHE_RSA (P-256) key exchange, AES_128_GCM cipher. All connections to Close (web browsers and Mac/Windows apps) are fully encrypted.

    help.close.com

    Encryption at rest

    256-bit AES encryption for email credentials; encryption keys stored on separate servers from data.

    help.close.com

    Penetration testing

    Penetration testing performed (listed as a product security control on trust center).

    trust.close.com

    Background checks

    Employee background checks performed (listed as an organizational security control on trust center).

    trust.close.com

    Cybersecurity insurance

    Cybersecurity insurance maintained (listed as an internal security procedure on trust center).

    trust.close.com

    Firewall and network controls

    Firewall access restricted; unique network system authentication enforced; encryption key access restricted.

    trust.close.com

    Control self-assessments

    Control self-assessments conducted and configuration management system established (trust center).

    trust.close.com

    Customer data deletion

    Customer data deleted upon leaving. Deleting a lead results in complete system removal within 30 days including the Event Log API.

    close.com

    // Products & data scope

    Close CRMSales CRM

    data: Contact data, call recordings and transcripts, emails, SMS, pipeline/deal data, usage analytics

    Core product. SOC 2 Type 2 and GDPR DPA apply to the full platform. Data shared only with organization team members and limited support staff.

    Chloe AI AgentAI Sales Agent

    data: Lead/pipeline data, call transcripts, email content, contact history processed by AI (Anthropic is named subprocessor)

    Newest product. Automates calling, follow-ups, lead qualification, meeting booking. Customer data is sent to Anthropic as a subprocessor. The broad AI license in ToS applies. No tier-specific AI data opt-out documented.

    Close Developer PlatformAPI / Integration

    data: Full CRM data accessible via REST API, webhooks, and MCP server

    REST API and MCP server for custom integrations. Same data handling and ToS terms apply.

    // What to watch

    • AI license over-broad: ToS grants Close an irrevocable, sublicensable, worldwide license to use customer content 'as inputs in features incorporating Artificial Intelligence, whether developed by Close or third-parties' with no opt-out mechanism short of cancelling the service.
    • Anthropic is a named subprocessor for 'AI functionality and tools' — customer data (calls, emails, leads) is transmitted to Anthropic at runtime for Chloe AI Agent features.
    • DPA last updated February 7, 2023, predating the deployment of AI sales agent features; adequacy of DPA for current AI data flows should be independently assessed.
    • No ISO 27001 certification held by Close. References to ISO 27001 on GDPR page relate to sub-processors (AWS), not Close itself.
    • No HIPAA compliance or BAA offering documented. Platform is not suitable for healthcare CRM use cases involving PHI.
    • No EU or non-US data residency option confirmed. All infrastructure is on AWS US.
    • No CSA STAR, FedRAMP, PCI DSS, or ISO 42001 certifications.

    // At a glance

    Pricing model

    Subscription per seat; tiered plans (Startup, Professional, Enterprise). Free 14-day trial, no credit card required.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Close (Close CRM, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.close.com

    > Browse all vendor trust reports