// Trust & Security Report

    CrewAI, Inc. logo

    CrewAI, Inc.

    Multi-agent AI orchestration platform; sub-products include CrewAI Enterprise SaaS (app.crewai.com), CrewAI Open Source (self-hostable Python framework), CrewAI Discovery (agentic use-case identification), and CrewAI Control Plane (production agent management with RBAC and audit trails)

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Security is foundational to CrewAI. We maintain a SOC 2 Type 2 certified security program with comprehensive controls across our infrastructure, endpoints, and identity management.

    Verify on trust.crewai.com
    HIPAA (Audit/Compliance Posture)
    HELD

    Trust center Resources section lists a document titled verbatim 'HIPAA Audit Report - Feb 2026'. This is the only on-domain artifact; the page contains no affirmative HIPAA compliance statement in body text. HIPAA is a legal framework, not a third-party certification, and a Business Associate Agreement (BAA) for covered-entity customers is not publicly confirmed.

    Verify on trust.crewai.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on trust.crewai.com or crewai.com. Not mentioned in trust center resources or privacy policy.

    source: trust.crewai.com
    GDPR (Formal Compliance Documentation)
    NOT CONFIRMED

    Privacy policy addresses GDPR-relevant practices (data subject rights contact, data retention, deletion) but no Data Processing Addendum (DPA) or formal GDPR compliance page is publicly available. The trust center does not list GDPR as a certified posture.

    source: crewai.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on any crewai.com domain page.

    source: trust.crewai.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found. Not mentioned in trust center, privacy policy, or enterprise pages.

    source: trust.crewai.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on any crewai.com domain.

    source: trust.crewai.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on any crewai.com domain.

    source: trust.crewai.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States (AWS US listed as primary cloud subprocessor in trust center)

    Terms of Service Section 1.5 grants CrewAI a broad license to use Customer Data 'to improve and develop products and services, including by training and developing models and/or algorithms.' This applies to all customer data uploaded or generated through the platform. No opt-out mechanism is described in the public ToS. By contrast, the Privacy Policy explicitly carves out Google OAuth user data: 'We never use Google user data for advertising or for training AI models.' This creates an asymmetry: Google-integrated data is excluded from training, but general platform Customer Data (inputs, outputs, workflow content) is not explicitly excluded.

    // Security controls

    Encryption in transit

    Yes - 'Data transmission encrypted' listed as a product security control; privacy policy states 'encryption in transit'

    trust.crewai.com

    Encryption at rest

    Yes - privacy policy states 'encryption in transit and at rest'

    crewai.com

    Encryption key management

    Restricted - trust center lists 'Encryption key access restricted' as an infrastructure security control

    trust.crewai.com

    Multi-factor authentication (MFA)

    Enforced for remote access - trust center lists 'Remote access MFA enforced'

    trust.crewai.com

    Network authentication

    Unique network system authentication enforced (trust center control)

    trust.crewai.com

    Mobile Device Management (MDM)

    MDM system utilized (trust center organizational security control)

    trust.crewai.com

    RBAC (Role-Based Access Control)

    Yes - RBAC for platform access and Enterprise IAM; granular control with immutable audit trails

    crewai.com

    Vulnerability and monitoring

    Vulnerability and system monitoring procedures established; continuous monitoring for unauthorized access mentioned in privacy policy

    trust.crewai.com

    Vulnerability disclosure program

    Yes - public VDP at security.crewai.com covering app.crewai.com (enterprise SaaS) and crewAIInc/crewAI open-source repository; safe harbor provided

    security.crewai.com

    Business continuity / Disaster recovery

    Continuity and Disaster Recovery plans established (trust center internal security control); Business Continuity Policy document available

    trust.crewai.com

    Change management

    Development lifecycle and change management policy established; production deployment access restricted

    trust.crewai.com

    Data retention

    Data retention procedures established; Google OAuth data retained while account is active, removed within 30 days of deactivation, backups purged within 180 days

    crewai.com

    PII redaction

    Runtime hooks inject PII redaction at every LLM and tool call (Enterprise plan, v1.8.0+); helps with GDPR, HIPAA, PCI-DSS compliance posture

    docs.crewai.com

    // Products & data scope

    CrewAI Enterprise (SaaS)Multi-agent orchestration platform (managed cloud)

    data: Workflow inputs and outputs, LLM call traces, tool call logs, agent execution data, third-party integration data (Google, etc.); Customer Data broadly as defined in ToS Section 1.5

    SOC 2 Type 2 scope; HIPAA audit conducted; RBAC, SSO, audit trails, PII redaction available; runs on AWS US; customer data may be used for model training per ToS

    CrewAI Open SourceSelf-hostable Python agent framework

    data: Fully self-hosted; no data sent to CrewAI servers except anonymous usage telemetry (prompts, tasks, and outputs are NOT collected per docs); telemetry opt-out available

    Apache 2.0 licensed; enterprise compliance posture is customer-determined; suitable for air-gapped deployments; ToS training clause does not apply (no data sent to CrewAI)

    CrewAI DiscoveryAutomation opportunity identification tool

    data: Analyzes customer tickets, chats, apps, and workflows to identify automation opportunities; pattern matching against aggregate agent run data

    SaaS product; data exposure scope depends on enterprise contract; compliance posture tied to enterprise SaaS offering

    CrewAI Control PlaneProduction agent management and observability

    data: Full execution traces of every LLM call, tool call, and memory read; cost accounting; audit logs

    Real-time tracing and RBAC; human-in-the-loop approval gates; sits in execution path of every workflow run

    // What to watch

    • TRAINING ON CUSTOMER DATA: ToS Section 1.5 explicitly grants CrewAI a broad license to use all Customer Data (platform inputs, outputs, workflow content) for 'training and developing models and/or algorithms.' No public opt-out mechanism is described. Enterprise customers should negotiate this clause out or confirm data processing restrictions in their Order Form.
    • TRAINING ASYMMETRY: Privacy Policy explicitly excludes Google OAuth user data from AI training ('We never use Google user data for advertising or for training AI models'), but this carve-out does not extend to general Customer Data. The asymmetry may confuse buyers who assume the training prohibition is universal.
    • HIPAA BAA NOT CONFIRMED: A HIPAA Audit Report (Feb 2026) is listed in the trust center, indicating a compliance audit was performed. However, no Business Associate Agreement (BAA) availability is publicly documented. HIPAA-covered entities must confirm BAA availability directly with CrewAI before processing PHI.
    • DPA NOT PUBLICLY AVAILABLE: No Data Processing Addendum for GDPR-regulated customers is published on the vendor's website. European customers or those processing EU personal data through the platform must request a DPA separately from CrewAI sales/legal.
    • ISO 27001 NOT CONFIRMED: No evidence of ISO 27001 certification on any crewai.com domain. Vendors sometimes achieve SOC 2 before ISO 27001; this gap may close but should not be assumed.
    • TRUST CENTER PARTIALLY JS-BLOCKED: The trust center (trust.crewai.com) renders via JavaScript and could not be fully crawled. The captured text and live search confirm SOC 2 Type 2 and HIPAA audit, but additional documents or certifications may exist that were not fully surfaced. Buyers should request the full trust center report access.

    // At a glance

    Pricing model

    Freemium / Enterprise subscription (self-serve sign-up for free/starter tier; enterprise pricing via sales/demo request; Order Form model for enterprise contracts)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on CrewAI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.crewai.com

    > Browse all vendor trust reports