// Trust & Security Report

    Crayon, Inc. logo

    Crayon, Inc.

    Crayon AI — Competitive Intelligence Platform

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Crayon adheres to a security-first company culture and our SOC 2 Type II certification ensures that we're meeting stringent industry standards for compliance. Upon request, the SOC 2 Type II audit report is available to Crayon customers and prospects under NDA.

    Verify on crayon.co
    SOC 2 Type I
    HELD

    successfully completed its Service Organization Control (SOC 2) Type I compliance ... covering infrastructure, device management, incident response, vulnerability management, and more.

    Verify on crayon.co
    ISO 27001
    HELD

    No ISO 27001 claim found on Crayon's own domain (crayon.co). Note: crayon.com / Crayon Group is an unrelated Norwegian IT-licensing company and was excluded.

    Verify on crayon.co
    HIPAA
    HELD

    No HIPAA claim found on Crayon's site; product is B2B competitive intelligence and not positioned for PHI.

    Verify on crayon.co
    GDPR (compliance posture, not a certification)
    HELD

    We have set out below, in a table format, a description of all the ways we plan to use your personal information and, if you are based in the European Union, which of the legal bases under the GDPR we rely on to do so. ... Sections include International Transfers, EU/UK Representative, and Data Privacy Framework.

    Verify on crayon.co

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    unknown

    Terms of Service Section 8 (AI/Machine Learning) is explicit: 'Neither Crayon nor its AI Tools providers will use Customer data, User Content, Inputs, or Outputs to train, fine-tune, or otherwise improve any general-purpose AI or machine learning models.' AI Tools are third-party LLMs (Crayon does not operate its own models); Customer data/Inputs/Outputs are processed solely to provide the Services. The product itself aggregates PUBLICLY available data about a customer's tracked competitors ('Targets'/'Competitors'), so the core dataset is public intel rather than the customer's private corpus.

    // Security controls

    SOC 2 Type II audit

    Completed (announced Feb 2022); report available to customers/prospects under NDA

    crayon.co

    Vulnerability management

    Covered under SOC 2 Type I scope (infrastructure, device management, incident response, vulnerability management)

    crayon.co

    Data security section in Privacy Policy

    Dedicated 'Data Security' and 'Data Retention' sections present; states commitment to protecting personal information

    crayon.co

    Subprocessor due diligence

    Privacy framework references third-party/subprocessor obligations; no public subprocessor list confirmed on crayon.co

    crayon.co

    Bug bounty program

    None found (no HackerOne/Bugcrowd program or public vulnerability disclosure policy located)

    crayon.co

    Penetration testing

    Not publicly stated (likely covered under SOC 2 controls but no explicit public claim)

    crayon.co

    Encryption

    Not explicitly stated on public pages (no in-transit/at-rest claim found publicly; likely in SOC 2 report under NDA)

    crayon.co

    // Products & data scope

    Crayon AI (Competitive Intelligence Platform)Competitive intelligence / sales enablement SaaS

    data: Aggregates publicly available data and third-party materials about competitors the customer chooses to track ('Targets'/'Competitors'). Customer-side data includes account/profile data, billing, and User Content (comments, battlecards, uploaded insights, search history). AI features (e.g., 'Sparks') run on third-party LLMs; Inputs/Outputs are not used to train models.

    Single unified platform with feature modules: Aggregate, Organize, Publish, Enable, Measure, plus the 'Sparks' AI feature. Integrates into Slack, Microsoft Teams, and Salesforce. Sold B2B via subscription (Authorization Form), no self-serve consumer tier surfaced.

    // What to watch

    • Name collision risk: crayon.com (Crayon Group ASA, a Norwegian IT/software-licensing company) is a DIFFERENT entity from crayon.co (Crayon, Inc., competitive intelligence). Subprocessor/privacy pages on crayon.com must NOT be attributed to this vendor.
    • No dedicated trust center; SOC 2 report only available under NDA, so deep security detail (encryption specifics, pen-test cadence, DPA terms) is not publicly verifiable.
    • Footer links to a 'Security' page but /security returned 404 at verification time; security claims sourced from press releases instead.
    • Strong positive: AI no-training commitment is unusually explicit and contractual (Terms Sec. 8), and Crayon relies on third-party LLMs rather than operating its own models.

    // At a glance

    Pricing model

    Subscription / contract (B2B; demo-led sales, per-Authorization-Form pricing, auto-renewing subscription periods)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Crayon, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    crayon.co

    > Browse all vendor trust reports