// Trust & Security Report

    Cube Planning, Inc. logo

    Cube Planning, Inc.

    Agentic FP&A platform with AI agents, bi-directional spreadsheet sync, and financial data management

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Cube has successfully completed the SOC 2 Type II examination by Dansa D'Arata Soucia

    Verify on cubesoftware.com
    HIPAA
    HELD

    Cube is HIPAA compliant

    Verify on cubesoftware.com
    > Show 11 unconfirmed / not-held certifications
    GDPR
    NOT CONFIRMED

    No explicit GDPR compliance claim found on any cubesoftware.com page. The Trust Center FAQ lists 'Is Cube GDPR compliant?' but the answer was not publicly accessible. The Microsoft 365 App Certification self-attestation for the Cube Assistant Teams app (a narrower integration) states 'No' for GDPR requirements. Main platform GDPR status is not publicly confirmed.

    source: learn.microsoft.com
    CCPA
    NOT CONFIRMED

    No explicit CCPA compliance claim found on any cubesoftware.com page. The Trust Center FAQ lists 'Is Cube CCPA compliant?' but the answer was not publicly accessible.

    source: security.cubesoftware.com
    ISO 27001
    NOT CONFIRMED

    Is the app International Organization for Standardization (ISO 27001) certified? | No

    source: learn.microsoft.com
    ISO 27017
    NOT CONFIRMED

    Does the app comply with International Organization for Standardization (ISO 27017)? | No

    source: learn.microsoft.com
    ISO 27018
    NOT CONFIRMED

    Does the app comply with International Organization for Standardization (ISO 27018)? | No

    source: learn.microsoft.com
    PCI DSS
    NOT CONFIRMED

    No PCI DSS claim found. Trust Center lists credit card information as a data type collected, but no PCI DSS certification is stated anywhere on the vendor domain.

    source: security.cubesoftware.com
    FedRAMP
    NOT CONFIRMED

    Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? | No

    source: learn.microsoft.com
    HITRUST CSF
    NOT CONFIRMED

    Does the app comply with Health Information Trust Alliance, Common Security Framework (HITRUST CSF)? | No

    source: learn.microsoft.com
    CSA STAR
    NOT CONFIRMED

    Has the app been Cloud Security Alliance (CSA Star) certified? | No

    source: learn.microsoft.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on any cubesoftware.com page or third-party source.

    source: security.cubesoftware.com
    SOX
    NOT CONFIRMED

    Does the app comply with Sarbanes-Oxley Act (SOX)? | No

    source: learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States only (AWS US-based servers). No EU or regional data residency options are documented.

    No public disclosure on whether customer financial data is used to train Cube's AI models. The AI product page and privacy policy are both silent on this topic. The Terms of Service contain a broad sublicensable license clause for user-submitted content but context suggests this targets general user contributions, not enterprise customer financial data. No opt-out mechanism for AI training is mentioned. Separately, Cube connects customer financial data to third-party AI assistants (Claude, ChatGPT, Microsoft Copilot) via its MCP Server; those providers' own training and data-use policies apply to data sent through that channel.

    // Security controls

    Encryption in transit

    TLS (HTTPS) for all data transmission

    cubesoftware.com

    Encryption at rest

    Full encryption at rest

    cubesoftware.com

    Multi-factor authentication

    MFA via text or app-based authenticator

    cubesoftware.com

    Single Sign-On

    SAML SSO including Google SSO

    cubesoftware.com

    Cloud infrastructure

    Amazon Web Services (AWS), US-based; no on-premise hardware required

    security.cubesoftware.com

    Access controls

    Role-based access control with dimension-based security by department, entity, or territory

    cubesoftware.com

    Audit logging

    Full audit log with weekly updates tracking user activity and access

    cubesoftware.com

    Penetration testing

    Annual penetration testing performed

    learn.microsoft.com

    Vulnerability scanning

    Quarterly vulnerability scanning on app and supporting infrastructure

    learn.microsoft.com

    Employee background checks

    Employee background checks performed

    security.cubesoftware.com

    Cybersecurity insurance

    Cybersecurity insurance maintained

    security.cubesoftware.com

    Disaster recovery

    Continuity and Disaster Recovery plans established and tested

    security.cubesoftware.com

    Incident response

    Formal security incident response process documented. Data breaches reported to supervisory authorities and affected individuals within 72 hours.

    learn.microsoft.com

    Subprocessors

    Amazon Web Services (cloud infrastructure, US), Datadog (application performance monitoring, US), Atlassian (ticket management, US), Google Workspace (email and file storage, US)

    security.cubesoftware.com

    Data retention after account termination

    Less than 60 days (per Microsoft 365 App Certification attestation for Cube Assistant Teams app)

    learn.microsoft.com

    // Products & data scope

    Cube PlatformFP&A / Financial Planning and Analysis

    data: Financial data from ERPs (NetSuite, Sage Intacct, QuickBooks, Xero), spreadsheets (Excel, Google Sheets), payroll and headcount data, scenario models, variance reports

    SOC 2 Type II and HIPAA compliant. Patented bi-directional sync with spreadsheets. Includes cell-level security and full audit trails.

    Cube AI / FP&AgentsAI-powered FP&A automation

    data: Same financial data as the core platform; processed by AI agents covering data management, analysis, planning, and strategic communication roles

    No public policy on whether customer financial data is used for AI model training. AI outputs described as traceable and auditable.

    Cube MCP ServerAI integration / universal data interface

    data: Clean financial data piped to external AI assistants (Claude, ChatGPT, Microsoft Copilot, Cursor, Lovable)

    Third-party AI providers' own data-use and training policies apply to any financial data sent through this channel. Cube does not publicly address how customer data is handled by downstream AI providers.

    // What to watch

    • AI training policy is not publicly disclosed; no opt-out mechanism mentioned. The AI product page, privacy policy, and ToS are all silent on whether customer financial data is used for model training.
    • GDPR compliance cannot be confirmed from public pages. The MS365 attestation for the Cube Assistant Teams app states 'No' for GDPR requirements (scoped to that narrow integration). Main platform GDPR posture is unverified publicly.
    • CCPA compliance cannot be confirmed from public pages. Trust Center FAQ acknowledges the question but the answer is not publicly accessible.
    • All data is stored in US-only AWS infrastructure. EU and UK customers face potential GDPR transfer compliance gaps with no documented SCCs or adequacy mechanism on the vendor's public pages.
    • DPA is referenced in the subscription agreement as a 'data protection/processing addendum' but is not available as a standalone public document.
    • No ISO 27001, ISO 27017, ISO 27018, ISO 42001, CSA STAR, HITRUST, FedRAMP, SOX, or PCI DSS certifications held (all explicitly denied in Microsoft 365 App Certification self-attestation).
    • The Cube MCP Server channels customer financial data to third-party AI assistants (Claude, ChatGPT, Copilot). Cube does not publicly address the downstream data-handling obligations of those providers.
    • HIPAA compliance is claimed for the main Cube platform but the Microsoft 365 App Certification for the Cube Assistant Teams app marks HIPAA as N/A, suggesting the HIPAA posture applies to the core platform rather than all product surfaces.
    • Identity note: Do not confuse Cube Planning, Inc. (cubesoftware.com, FP&A software) with CUBE Global (cube.global, regulatory data intelligence) or Cube.dev (headless BI framework). All are separate companies.

    // At a glance

    Pricing model

    Quote-based subscription; no public pricing. Demo required to get a quote.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Cube Planning, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.cubesoftware.com

    > Browse all vendor trust reports