// Trust & Security Report
Crayon, Inc.
Crayon AI — Competitive Intelligence Platform
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on crayon.co“Crayon adheres to a security-first company culture and our SOC 2 Type II certification ensures that we're meeting stringent industry standards for compliance. Upon request, the SOC 2 Type II audit report is available to Crayon customers and prospects under NDA.”
Verify on crayon.co“successfully completed its Service Organization Control (SOC 2) Type I compliance ... covering infrastructure, device management, incident response, vulnerability management, and more.”
Verify on crayon.co“No ISO 27001 claim found on Crayon's own domain (crayon.co). Note: crayon.com / Crayon Group is an unrelated Norwegian IT-licensing company and was excluded.”
Verify on crayon.co“No HIPAA claim found on Crayon's site; product is B2B competitive intelligence and not positioned for PHI.”
Verify on crayon.co“We have set out below, in a table format, a description of all the ways we plan to use your personal information and, if you are based in the European Union, which of the legal bases under the GDPR we rely on to do so. ... Sections include International Transfers, EU/UK Representative, and Data Privacy Framework.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
unknown
Terms of Service Section 8 (AI/Machine Learning) is explicit: 'Neither Crayon nor its AI Tools providers will use Customer data, User Content, Inputs, or Outputs to train, fine-tune, or otherwise improve any general-purpose AI or machine learning models.' AI Tools are third-party LLMs (Crayon does not operate its own models); Customer data/Inputs/Outputs are processed solely to provide the Services. The product itself aggregates PUBLICLY available data about a customer's tracked competitors ('Targets'/'Competitors'), so the core dataset is public intel rather than the customer's private corpus.
// Security controls
SOC 2 Type II audit
Completed (announced Feb 2022); report available to customers/prospects under NDA
crayon.coVulnerability management
Covered under SOC 2 Type I scope (infrastructure, device management, incident response, vulnerability management)
crayon.coData security section in Privacy Policy
Dedicated 'Data Security' and 'Data Retention' sections present; states commitment to protecting personal information
crayon.coSubprocessor due diligence
Privacy framework references third-party/subprocessor obligations; no public subprocessor list confirmed on crayon.co
crayon.coBug bounty program
None found (no HackerOne/Bugcrowd program or public vulnerability disclosure policy located)
crayon.coPenetration testing
Not publicly stated (likely covered under SOC 2 controls but no explicit public claim)
crayon.coEncryption
Not explicitly stated on public pages (no in-transit/at-rest claim found publicly; likely in SOC 2 report under NDA)
crayon.co// Products & data scope
data: Aggregates publicly available data and third-party materials about competitors the customer chooses to track ('Targets'/'Competitors'). Customer-side data includes account/profile data, billing, and User Content (comments, battlecards, uploaded insights, search history). AI features (e.g., 'Sparks') run on third-party LLMs; Inputs/Outputs are not used to train models.
Single unified platform with feature modules: Aggregate, Organize, Publish, Enable, Measure, plus the 'Sparks' AI feature. Integrates into Slack, Microsoft Teams, and Salesforce. Sold B2B via subscription (Authorization Form), no self-serve consumer tier surfaced.
// What to watch
- Name collision risk: crayon.com (Crayon Group ASA, a Norwegian IT/software-licensing company) is a DIFFERENT entity from crayon.co (Crayon, Inc., competitive intelligence). Subprocessor/privacy pages on crayon.com must NOT be attributed to this vendor.
- No dedicated trust center; SOC 2 report only available under NDA, so deep security detail (encryption specifics, pen-test cadence, DPA terms) is not publicly verifiable.
- Footer links to a 'Security' page but /security returned 404 at verification time; security claims sourced from press releases instead.
- Strong positive: AI no-training commitment is unusually explicit and contractual (Terms Sec. 8), and Crayon relies on third-party LLMs rather than operating its own models.
// At a glance
Pricing model
Subscription / contract (B2B; demo-led sales, per-Authorization-Form pricing, auto-renewing subscription periods)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Crayon, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
crayon.co