// Trust & Security Report
Crisp IM SAS
AI-powered omnichannel customer support platform with live chat, helpdesk, shared inbox, knowledge base, and AI agent (Hugo). Core product: unified messaging across web, email, WhatsApp, Messenger and 8+ other channels.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on gocrisp.com“Crisp worked with Johanson Group LLP to perform the certification audit that successfully validated conformity and certified Crisp's ISMS against the ISO/IEC 27001:2022 and ISO/IEC 27017:2015 standards.”
Verify on gocrisp.com“Crisp worked with Johanson Group LLP to perform the certification audit that successfully validated conformity and certified Crisp's ISMS against the ISO/IEC 27001:2022 and ISO/IEC 27017:2015 standards.”
Verify on help.crisp.chat“All employees responsible of software development & infrastructure maintenance...are fully aware of the GDPR requirements. Code reviews by Data Protection Officers before deployment. Messaging data in Netherlands, plugin data in Germany. Zero major security issues in two years.”
> Show 2 unconfirmed / not-held certifications
source: help.crisp.chatPlease note that Crisp hasn't been over any SOC2 audit but we wish to show we are fully compliant with these specific needs.
source: crisp.chatNo public evidence of HIPAA compliance or Business Associate Agreement (BAA) on vendor domain. Crisp's marketing and help center focus on GDPR and EU data protection, not healthcare.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU (Netherlands for messaging, Germany for plugin data). EU data never transferred outside EU.
Hugo AI does not train on customer conversations. Training uses only resources explicitly provided by customer: knowledge base articles, Q&A snippets, website content, files, and integrations. No cross-customer data sharing. Optional EU-only model available via Scaleway in Paris.
// Security controls
// Products & data scope
data: Trained on customer-provided knowledge base, website content, PDFs, Q&A; does not learn from customer conversations
Core AI product. Does not use cross-customer data. EU data residency options available.
data: Website visitor conversations
Supports web and mobile apps (iOS, Android, React). Omnichannel integration available.
data: Email, chat, WhatsApp, Messenger, and 8+ messaging channels
Centralizes all inbound communications. All data in EU.
data: Help articles created and managed by customer
Used by Hugo for training. Customers control all content.
data: Customer profile, interaction history, lead data
Integrates with chat, email, and messaging. Data in EU.
data: Team performance metrics, support efficiency
Dashboard metrics only. No export of raw conversation data.
// What to watch
- SOC 2: Not formally certified. Crisp explicitly states no audit completed, only claims alignment with SOC 2 principles. Third-party review sites (e.g., Nudge Security) incorrectly claim Crisp is SOC 2 certified—this is an over-claim in secondary sources, not a Crisp claim.
- Over-claims in third-party reviews: Multiple SaaS review sites (Nudge Security) claim Crisp holds HIPAA, FedRamp, and CSA Star certifications with no vendor-domain evidence. These are NOT Crisp's claims but secondary source errors.
- ISO certifications recent: ISO 27001 and 27017 certifications achieved very recently (announced December 19, 2024). Verify currency before listing.
- No formal trust center: While Crisp has comprehensive security documentation in their help center, they do not maintain a dedicated trust center page like enterprise vendors.
// At a glance
Pricing model
Flat per-agent pricing. Free trial 14 days, no card required. Tiers: Base, Plus (includes Hugo), Professional, Enterprise.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Crisp IM SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
crisp.chat