// Trust & Security Report

    Crisp IM SAS logo

    Crisp IM SAS

    AI-powered omnichannel customer support platform with live chat, helpdesk, shared inbox, knowledge base, and AI agent (Hugo). Core product: unified messaging across web, email, WhatsApp, Messenger and 8+ other channels.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    Crisp worked with Johanson Group LLP to perform the certification audit that successfully validated conformity and certified Crisp's ISMS against the ISO/IEC 27001:2022 and ISO/IEC 27017:2015 standards.

    Verify on gocrisp.com
    ISO/IEC 27017:2015
    HELD

    Crisp worked with Johanson Group LLP to perform the certification audit that successfully validated conformity and certified Crisp's ISMS against the ISO/IEC 27001:2022 and ISO/IEC 27017:2015 standards.

    Verify on gocrisp.com
    GDPR
    HELD

    All employees responsible of software development & infrastructure maintenance...are fully aware of the GDPR requirements. Code reviews by Data Protection Officers before deployment. Messaging data in Netherlands, plugin data in Germany. Zero major security issues in two years.

    Verify on help.crisp.chat
    > Show 2 unconfirmed / not-held certifications
    SOC 2 Type I/II
    NOT CONFIRMED

    Please note that Crisp hasn't been over any SOC2 audit but we wish to show we are fully compliant with these specific needs.

    source: help.crisp.chat
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or Business Associate Agreement (BAA) on vendor domain. Crisp's marketing and help center focus on GDPR and EU data protection, not healthcare.

    source: crisp.chat

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU (Netherlands for messaging, Germany for plugin data). EU data never transferred outside EU.

    Hugo AI does not train on customer conversations. Training uses only resources explicitly provided by customer: knowledge base articles, Q&A snippets, website content, files, and integrations. No cross-customer data sharing. Optional EU-only model available via Scaleway in Paris.

    // Security controls

    Encryption in transit

    Yes, standard HTTPS/TLS encryption

    help.crisp.chat

    Data encryption at rest

    Yes, encryption of backups

    help.crisp.chat

    Two-factor authentication

    Yes, 2FA available for accounts

    help.crisp.chat

    VPN-only server access

    Yes, all production server access requires VPN

    help.crisp.chat

    Penetration testing

    Yes, third-party penetration testing conducted regularly

    help.crisp.chat

    Disaster recovery exercises

    Quarterly exercises and contingency planning

    help.crisp.chat

    Data Protection Officer

    Yes, designated DPO (dpo@crisp.chat)

    help.crisp.chat

    // Products & data scope

    Hugo AI AgentAI Customer Support

    data: Trained on customer-provided knowledge base, website content, PDFs, Q&A; does not learn from customer conversations

    Core AI product. Does not use cross-customer data. EU data residency options available.

    Chat WidgetCustomer Engagement

    data: Website visitor conversations

    Supports web and mobile apps (iOS, Android, React). Omnichannel integration available.

    Shared InboxTeam Collaboration

    data: Email, chat, WhatsApp, Messenger, and 8+ messaging channels

    Centralizes all inbound communications. All data in EU.

    Knowledge BaseCustomer Self-Service

    data: Help articles created and managed by customer

    Used by Hugo for training. Customers control all content.

    Support CRMCustomer Data Management

    data: Customer profile, interaction history, lead data

    Integrates with chat, email, and messaging. Data in EU.

    Support AnalyticsReporting & Analytics

    data: Team performance metrics, support efficiency

    Dashboard metrics only. No export of raw conversation data.

    // What to watch

    • SOC 2: Not formally certified. Crisp explicitly states no audit completed, only claims alignment with SOC 2 principles. Third-party review sites (e.g., Nudge Security) incorrectly claim Crisp is SOC 2 certified—this is an over-claim in secondary sources, not a Crisp claim.
    • Over-claims in third-party reviews: Multiple SaaS review sites (Nudge Security) claim Crisp holds HIPAA, FedRamp, and CSA Star certifications with no vendor-domain evidence. These are NOT Crisp's claims but secondary source errors.
    • ISO certifications recent: ISO 27001 and 27017 certifications achieved very recently (announced December 19, 2024). Verify currency before listing.
    • No formal trust center: While Crisp has comprehensive security documentation in their help center, they do not maintain a dedicated trust center page like enterprise vendors.

    // At a glance

    Pricing model

    Flat per-agent pricing. Free trial 14 days, no card required. Tiers: Base, Plus (includes Hugo), Professional, Enterprise.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Crisp IM SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    crisp.chat

    > Browse all vendor trust reports