// Trust & Security Report

    Elementl, Inc. (d.b.a. Dagster Labs) logo

    Elementl, Inc. (d.b.a. Dagster Labs)

    Dagster: AI-native DataOps orchestration platform with open-source core (Dagster), cloud SaaS (Dagster+), and hybrid/serverless deployment options. Key modules: data orchestration, asset-based pipelines, data catalog, data quality, cost insights, and Compass (AI-assisted workflows).

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Elementl announced SOC 2 Type I compliance in July 2022: 'SOC 2 Type I is just the first step and we've already started our SOC 2 Type II audit.'

    Verify on dagster.io
    SOC 2 Type II
    HELD

    SOC 2 Type II report proves our commitment to security as we aim to keep our customer data secure. (Audit reports available on request to trustcenter@dagsterlabs.com, per the security page.)

    Verify on dagster.io
    HIPAA
    HELD

    In order to handle the most sensitive types of customer information, Dagster Labs (the company behind Dagster) is HIPAA compliant to secure Protected Health Information. (Note: the security page states HIPAA compliance but does not mention a Business Associate Agreement; BAA availability is not publicly documented and should be confirmed with the vendor.)

    Verify on dagster.io
    > Show 3 unconfirmed / not-held certifications
    GDPR
    NOT CONFIRMED

    No explicit GDPR compliance statement or Data Processing Agreement found on the dagster.io domain. Neither the security page nor the privacy policy mentions GDPR or a DPA. Dagster+ does offer EU data residency ('With Dagster+ EU, your control plane, metadata, and operational data reside in European data centers'; deployments placed in the eu-north-1 region), but data residency is not a GDPR compliance attestation.

    source: docs.dagster.io
    ISO 27001
    NOT CONFIRMED

    No public evidence found despite vendor domain search. No mention in security pages, trust documentation, or compliance materials.

    source: dagster.io
    PCI DSS
    NOT CONFIRMED

    No public evidence found. Not mentioned in security pages or compliance materials.

    source: dagster.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    US (default); EU region (eu-north-1) available for Dagster+ control plane and metadata. Hybrid deployments keep customer data on-premises in customer infrastructure.

    Privacy policy makes no explicit mention of AI model training on customer data. No opt-out clause found. Status unknown; contact vendor for clarification.

    // Security controls

    Data Encryption in Transit

    HTTPS required for all inbound requests to Dagster+ (security page states 'All inbound network requests to Dagster+ require HTTPS'; specific TLS version not publicly documented)

    dagster.io

    Data Encryption at Rest

    All data stored persistently in Postgres, Redis, and S3 is encrypted at rest (security page states data 'are encrypted at rest'; specific cipher/key length not publicly documented)

    dagster.io

    Risk Management

    Annual risk assessments, network penetration tests, and Dagster+ penetration testing conducted regularly

    dagster.io

    Incident Response

    Formal incident response policy with employee-initiated security incident reporting

    dagster.io

    Physical Security

    AWS hosts all infrastructure; no employee access to AWS data centers; offices do not store customer information

    dagster.io

    Vulnerability Disclosure Program

    Operates responsible disclosure program for security researchers

    dagster.io

    Audit Access

    SOC 2 reports and penetration test documentation available upon request to customers and partners. Contact: trustcenter@dagsterlabs.com

    dagster.io

    // Products & data scope

    Dagster (Open Source)Data Orchestration

    data: Runs in customer infrastructure; no data transmitted to vendor unless explicitly configured

    Free, open-source Python framework for data orchestration. Community-driven with active development. Self-hosted only (no vendor data processing unless Dagster+ integration enabled).

    Dagster+ ServerlessCloud SaaS

    data: Control plane and metadata in Dagster-managed AWS (US or EU region). Actual data processing in customer code. WARNING: Default I/O manager stores data in Dagster-managed storage; custom I/O managers required for PII/PHI/GDPR data.

    Fully managed cloud deployment. Enforces data residency via EU region (eu-north-1). Requires careful configuration for regulated data.

    Dagster+ HybridCloud SaaS (Hybrid)

    data: Control plane in Dagster-managed AWS. Customer code and data remain in customer infrastructure (cloud, on-premises, or hybrid). Metadata and operational data only sent to Dagster+.

    Recommended for regulated data and compliance-sensitive deployments. Supports multi-region failover. EU region available.

    Dagster+ EnterpriseCloud SaaS (Enterprise)

    data: Same as Hybrid; adds enterprise features, branch deployments, and governance

    Adds advanced access control, branch deployments, and dedicated support. Vendor states HIPAA compliance on its security page, but BAA availability is not publicly documented; confirm with the vendor. Available in US and EU regions.

    // What to watch

    • SOC 2 Type II completion date not public: blog post from July 2022 confirmed Type I and stated Type II was 'in progress.' Later pages claim Type II certified, but no audit completion date or scope details are publicly documented. Recommend requesting audit report from trustcenter@dagsterlabs.com.
    • GDPR compliance not substantiated on vendor domain: no GDPR compliance statement appears on the security page or privacy policy, and no public DPA (standard template or on-request) was found. Only EU data residency (eu-north-1 region for control plane, metadata, and operational data) is documented, which is not itself a GDPR attestation. Confirm GDPR posture and DPA availability directly with the vendor.
    • Privacy policy US-centric: primary privacy policy is US-focused with limited GDPR-specific language. No explicit GDPR rights articulation (right to access, erasure, portability, etc.).
    • Serverless deployment risk for regulated data: default I/O manager stores data in Dagster-managed S3; users working with PII/PHI/GDPR data must explicitly configure custom I/O managers. Risk of misconfiguration.
    • AI training on customer data: privacy policy does not address whether Dagster+ uses customer data (orchestration context, lineage, failures) to train Dagster+ AI features. Status unknown; recommend clarification.
    • No ISO 27001 certification: despite enterprise positioning and SOC 2 certification, no ISO 27001 certification found. This is common for SaaS vendors but notable for compliance-sensitive customers.
    • Audit reports require direct request: SOC 2 reports not publicly available; must be requested from trustcenter@dagsterlabs.com. This is standard practice but limits transparent verification.

    // At a glance

    Pricing model

    Freemium (open-source) + SaaS subscription (Dagster+) with usage-based and enterprise tiers

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Elementl, Inc. (d.b.a. Dagster Labs)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    dagster.io

    > Browse all vendor trust reports