// Trust & Security Report
Cube Planning, Inc.
Agentic FP&A platform with AI agents, bi-directional spreadsheet sync, and financial data management
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on cubesoftware.com“Cube has successfully completed the SOC 2 Type II examination by Dansa D'Arata Soucia”
> Show 11 unconfirmed / not-held certifications
source: learn.microsoft.comNo explicit GDPR compliance claim found on any cubesoftware.com page. The Trust Center FAQ lists 'Is Cube GDPR compliant?' but the answer was not publicly accessible. The Microsoft 365 App Certification self-attestation for the Cube Assistant Teams app (a narrower integration) states 'No' for GDPR requirements. Main platform GDPR status is not publicly confirmed.
source: security.cubesoftware.comNo explicit CCPA compliance claim found on any cubesoftware.com page. The Trust Center FAQ lists 'Is Cube CCPA compliant?' but the answer was not publicly accessible.
source: learn.microsoft.comIs the app International Organization for Standardization (ISO 27001) certified? | No
source: learn.microsoft.comDoes the app comply with International Organization for Standardization (ISO 27017)? | No
source: learn.microsoft.comDoes the app comply with International Organization for Standardization (ISO 27018)? | No
source: security.cubesoftware.comNo PCI DSS claim found. Trust Center lists credit card information as a data type collected, but no PCI DSS certification is stated anywhere on the vendor domain.
source: learn.microsoft.comIs the app Federal Risk and Authorization Management Program (FedRAMP) compliant? | No
source: learn.microsoft.comDoes the app comply with Health Information Trust Alliance, Common Security Framework (HITRUST CSF)? | No
source: learn.microsoft.comHas the app been Cloud Security Alliance (CSA Star) certified? | No
source: security.cubesoftware.comNo public evidence of ISO 42001 certification found on any cubesoftware.com page or third-party source.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States only (AWS US-based servers). No EU or regional data residency options are documented.
No public disclosure on whether customer financial data is used to train Cube's AI models. The AI product page and privacy policy are both silent on this topic. The Terms of Service contain a broad sublicensable license clause for user-submitted content but context suggests this targets general user contributions, not enterprise customer financial data. No opt-out mechanism for AI training is mentioned. Separately, Cube connects customer financial data to third-party AI assistants (Claude, ChatGPT, Microsoft Copilot) via its MCP Server; those providers' own training and data-use policies apply to data sent through that channel.
// Security controls
Cloud infrastructure
Amazon Web Services (AWS), US-based; no on-premise hardware required
security.cubesoftware.comAccess controls
Role-based access control with dimension-based security by department, entity, or territory
cubesoftware.comVulnerability scanning
Quarterly vulnerability scanning on app and supporting infrastructure
learn.microsoft.comDisaster recovery
Continuity and Disaster Recovery plans established and tested
security.cubesoftware.comIncident response
Formal security incident response process documented. Data breaches reported to supervisory authorities and affected individuals within 72 hours.
learn.microsoft.comSubprocessors
Amazon Web Services (cloud infrastructure, US), Datadog (application performance monitoring, US), Atlassian (ticket management, US), Google Workspace (email and file storage, US)
security.cubesoftware.comData retention after account termination
Less than 60 days (per Microsoft 365 App Certification attestation for Cube Assistant Teams app)
learn.microsoft.com// Products & data scope
data: Financial data from ERPs (NetSuite, Sage Intacct, QuickBooks, Xero), spreadsheets (Excel, Google Sheets), payroll and headcount data, scenario models, variance reports
SOC 2 Type II and HIPAA compliant. Patented bi-directional sync with spreadsheets. Includes cell-level security and full audit trails.
data: Same financial data as the core platform; processed by AI agents covering data management, analysis, planning, and strategic communication roles
No public policy on whether customer financial data is used for AI model training. AI outputs described as traceable and auditable.
data: Clean financial data piped to external AI assistants (Claude, ChatGPT, Microsoft Copilot, Cursor, Lovable)
Third-party AI providers' own data-use and training policies apply to any financial data sent through this channel. Cube does not publicly address how customer data is handled by downstream AI providers.
// What to watch
- AI training policy is not publicly disclosed; no opt-out mechanism mentioned. The AI product page, privacy policy, and ToS are all silent on whether customer financial data is used for model training.
- GDPR compliance cannot be confirmed from public pages. The MS365 attestation for the Cube Assistant Teams app states 'No' for GDPR requirements (scoped to that narrow integration). Main platform GDPR posture is unverified publicly.
- CCPA compliance cannot be confirmed from public pages. Trust Center FAQ acknowledges the question but the answer is not publicly accessible.
- All data is stored in US-only AWS infrastructure. EU and UK customers face potential GDPR transfer compliance gaps with no documented SCCs or adequacy mechanism on the vendor's public pages.
- DPA is referenced in the subscription agreement as a 'data protection/processing addendum' but is not available as a standalone public document.
- No ISO 27001, ISO 27017, ISO 27018, ISO 42001, CSA STAR, HITRUST, FedRAMP, SOX, or PCI DSS certifications held (all explicitly denied in Microsoft 365 App Certification self-attestation).
- The Cube MCP Server channels customer financial data to third-party AI assistants (Claude, ChatGPT, Copilot). Cube does not publicly address the downstream data-handling obligations of those providers.
- HIPAA compliance is claimed for the main Cube platform but the Microsoft 365 App Certification for the Cube Assistant Teams app marks HIPAA as N/A, suggesting the HIPAA posture applies to the core platform rather than all product surfaces.
- Identity note: Do not confuse Cube Planning, Inc. (cubesoftware.com, FP&A software) with CUBE Global (cube.global, regulatory data intelligence) or Cube.dev (headless BI framework). All are separate companies.
// At a glance
Pricing model
Quote-based subscription; no public pricing. Demo required to get a quote.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Cube Planning, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.cubesoftware.com