// Trust & Security Report
Close (Close CRM, Inc.)
AI-powered all-in-one sales CRM with calling, email, SMS, pipeline management, and Chloe AI sales agent
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on close.com“Close is SOC 2 Type 2 compliant. As a SOC 2 Type 2 certified SaaS provider, Close securely manages your data to protect the interests and privacy of your organization.”
Verify on close.com“Close is GDPR compliant. DPA available for signing via HelloSign or PDF download (last updated February 7, 2023), including standard contractual clauses enabling data transfers outside the European Economic Area.”
Verify on trust.close.com“CCPA COMPLIANT [label displayed on trust center]. Close is CCPA compliant.”
> Show 6 unconfirmed / not-held certifications
source: close.comNo public evidence that Close itself holds ISO 27001 certification. The GDPR page notes that sub-processors such as AWS 'maintain SOC2 and/or ISO 27001 certifications' — those belong to the sub-processor, not to Close.
source: close.comNo public evidence of HIPAA compliance or BAA offering on any Close-domain page reviewed.
source: close.comNo public evidence of PCI DSS certification or scope on any Close-domain page reviewed.
source: close.comNo public evidence of FedRAMP authorization on any Close-domain page reviewed.
source: trust.close.comNo public evidence of CSA STAR registration or certification on any Close-domain page reviewed.
source: close.comNo public evidence of ISO 42001 certification on any Close-domain page reviewed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (company HQ: Austin, Texas; primary cloud infrastructure on Amazon Web Services US). No EU data residency option confirmed in public documentation.
The ToS grants Close a broad, irrevocable, transferable, sublicensable (through multiple tiers), worldwide license to customer content 'for use as inputs in features incorporating Artificial Intelligence (as defined below), whether developed by Close or third-parties.' Anthropic is listed as a named subprocessor for 'AI functionality and tools,' confirming customer data is sent to Anthropic at runtime. No explicit statement is made confirming or denying that customer data is used to train or fine-tune underlying AI models. No opt-out mechanism is offered — the ToS states the only remedy for disagreement is to stop using the service. The DPA (last updated Feb 7, 2023) predates widespread AI agent deployment and should be reviewed for AI data-sharing adequacy.
// Security controls
Encryption in transit
TLS 1.2 with ECDHE_RSA (P-256) key exchange, AES_128_GCM cipher. All connections to Close (web browsers and Mac/Windows apps) are fully encrypted.
help.close.comEncryption at rest
256-bit AES encryption for email credentials; encryption keys stored on separate servers from data.
help.close.comPenetration testing
Penetration testing performed (listed as a product security control on trust center).
trust.close.comBackground checks
Employee background checks performed (listed as an organizational security control on trust center).
trust.close.comCybersecurity insurance
Cybersecurity insurance maintained (listed as an internal security procedure on trust center).
trust.close.comFirewall and network controls
Firewall access restricted; unique network system authentication enforced; encryption key access restricted.
trust.close.comControl self-assessments
Control self-assessments conducted and configuration management system established (trust center).
trust.close.comCustomer data deletion
Customer data deleted upon leaving. Deleting a lead results in complete system removal within 30 days including the Event Log API.
close.com// Products & data scope
data: Contact data, call recordings and transcripts, emails, SMS, pipeline/deal data, usage analytics
Core product. SOC 2 Type 2 and GDPR DPA apply to the full platform. Data shared only with organization team members and limited support staff.
data: Lead/pipeline data, call transcripts, email content, contact history processed by AI (Anthropic is named subprocessor)
Newest product. Automates calling, follow-ups, lead qualification, meeting booking. Customer data is sent to Anthropic as a subprocessor. The broad AI license in ToS applies. No tier-specific AI data opt-out documented.
data: Full CRM data accessible via REST API, webhooks, and MCP server
REST API and MCP server for custom integrations. Same data handling and ToS terms apply.
// What to watch
- AI license over-broad: ToS grants Close an irrevocable, sublicensable, worldwide license to use customer content 'as inputs in features incorporating Artificial Intelligence, whether developed by Close or third-parties' with no opt-out mechanism short of cancelling the service.
- Anthropic is a named subprocessor for 'AI functionality and tools' — customer data (calls, emails, leads) is transmitted to Anthropic at runtime for Chloe AI Agent features.
- DPA last updated February 7, 2023, predating the deployment of AI sales agent features; adequacy of DPA for current AI data flows should be independently assessed.
- No ISO 27001 certification held by Close. References to ISO 27001 on GDPR page relate to sub-processors (AWS), not Close itself.
- No HIPAA compliance or BAA offering documented. Platform is not suitable for healthcare CRM use cases involving PHI.
- No EU or non-US data residency option confirmed. All infrastructure is on AWS US.
- No CSA STAR, FedRAMP, PCI DSS, or ISO 42001 certifications.
// At a glance
Pricing model
Subscription per seat; tiered plans (Startup, Professional, Enterprise). Free 14-day trial, no credit card required.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Close (Close CRM, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.close.com