// Trust & Security Report
Elementl, Inc. (d.b.a. Dagster Labs)
Dagster: AI-native DataOps orchestration platform with open-source core (Dagster), cloud SaaS (Dagster+), and hybrid/serverless deployment options. Key modules: data orchestration, asset-based pipelines, data catalog, data quality, cost insights, and Compass (AI-assisted workflows).
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on dagster.io“Elementl announced SOC 2 Type I compliance in July 2022: 'SOC 2 Type I is just the first step and we've already started our SOC 2 Type II audit.'”
Verify on dagster.io“SOC 2 Type II report proves our commitment to security as we aim to keep our customer data secure. (Audit reports available on request to trustcenter@dagsterlabs.com, per the security page.)”
Verify on dagster.io“In order to handle the most sensitive types of customer information, Dagster Labs (the company behind Dagster) is HIPAA compliant to secure Protected Health Information. (Note: the security page states HIPAA compliance but does not mention a Business Associate Agreement; BAA availability is not publicly documented and should be confirmed with the vendor.)”
> Show 3 unconfirmed / not-held certifications
source: docs.dagster.ioNo explicit GDPR compliance statement or Data Processing Agreement found on the dagster.io domain. Neither the security page nor the privacy policy mentions GDPR or a DPA. Dagster+ does offer EU data residency ('With Dagster+ EU, your control plane, metadata, and operational data reside in European data centers'; deployments placed in the eu-north-1 region), but data residency is not a GDPR compliance attestation.
source: dagster.ioNo public evidence found despite vendor domain search. No mention in security pages, trust documentation, or compliance materials.
source: dagster.ioNo public evidence found. Not mentioned in security pages or compliance materials.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
US (default); EU region (eu-north-1) available for Dagster+ control plane and metadata. Hybrid deployments keep customer data on-premises in customer infrastructure.
Privacy policy makes no explicit mention of AI model training on customer data. No opt-out clause found. Status unknown; contact vendor for clarification.
// Security controls
Data Encryption in Transit
HTTPS required for all inbound requests to Dagster+ (security page states 'All inbound network requests to Dagster+ require HTTPS'; specific TLS version not publicly documented)
dagster.ioData Encryption at Rest
All data stored persistently in Postgres, Redis, and S3 is encrypted at rest (security page states data 'are encrypted at rest'; specific cipher/key length not publicly documented)
dagster.ioRisk Management
Annual risk assessments, network penetration tests, and Dagster+ penetration testing conducted regularly
dagster.ioIncident Response
Formal incident response policy with employee-initiated security incident reporting
dagster.ioPhysical Security
AWS hosts all infrastructure; no employee access to AWS data centers; offices do not store customer information
dagster.ioVulnerability Disclosure Program
Operates responsible disclosure program for security researchers
dagster.ioAudit Access
SOC 2 reports and penetration test documentation available upon request to customers and partners. Contact: trustcenter@dagsterlabs.com
dagster.io// Products & data scope
data: Runs in customer infrastructure; no data transmitted to vendor unless explicitly configured
Free, open-source Python framework for data orchestration. Community-driven with active development. Self-hosted only (no vendor data processing unless Dagster+ integration enabled).
data: Control plane and metadata in Dagster-managed AWS (US or EU region). Actual data processing in customer code. WARNING: Default I/O manager stores data in Dagster-managed storage; custom I/O managers required for PII/PHI/GDPR data.
Fully managed cloud deployment. Enforces data residency via EU region (eu-north-1). Requires careful configuration for regulated data.
data: Control plane in Dagster-managed AWS. Customer code and data remain in customer infrastructure (cloud, on-premises, or hybrid). Metadata and operational data only sent to Dagster+.
Recommended for regulated data and compliance-sensitive deployments. Supports multi-region failover. EU region available.
data: Same as Hybrid; adds enterprise features, branch deployments, and governance
Adds advanced access control, branch deployments, and dedicated support. Vendor states HIPAA compliance on its security page, but BAA availability is not publicly documented; confirm with the vendor. Available in US and EU regions.
// What to watch
- SOC 2 Type II completion date not public: blog post from July 2022 confirmed Type I and stated Type II was 'in progress.' Later pages claim Type II certified, but no audit completion date or scope details are publicly documented. Recommend requesting audit report from trustcenter@dagsterlabs.com.
- GDPR compliance not substantiated on vendor domain: no GDPR compliance statement appears on the security page or privacy policy, and no public DPA (standard template or on-request) was found. Only EU data residency (eu-north-1 region for control plane, metadata, and operational data) is documented, which is not itself a GDPR attestation. Confirm GDPR posture and DPA availability directly with the vendor.
- Privacy policy US-centric: primary privacy policy is US-focused with limited GDPR-specific language. No explicit GDPR rights articulation (right to access, erasure, portability, etc.).
- Serverless deployment risk for regulated data: default I/O manager stores data in Dagster-managed S3; users working with PII/PHI/GDPR data must explicitly configure custom I/O managers. Risk of misconfiguration.
- AI training on customer data: privacy policy does not address whether Dagster+ uses customer data (orchestration context, lineage, failures) to train Dagster+ AI features. Status unknown; recommend clarification.
- No ISO 27001 certification: despite enterprise positioning and SOC 2 certification, no ISO 27001 certification found. This is common for SaaS vendors but notable for compliance-sensitive customers.
- Audit reports require direct request: SOC 2 reports not publicly available; must be requested from trustcenter@dagsterlabs.com. This is standard practice but limits transparent verification.
// At a glance
Pricing model
Freemium (open-source) + SaaS subscription (Dagster+) with usage-based and enterprise tiers
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Elementl, Inc. (d.b.a. Dagster Labs)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
dagster.io