// Trust & Security Report

    Eraser Labs, Inc. logo

    Eraser Labs, Inc.

    AI co-pilot for technical design and documentation — generates and maintains diagrams (architecture, entity relationships, flow charts, sequences). Includes markdown support, version history, API, and GitHub integration. Available in multi-tenant, single-tenant, and private cloud (BYOC) deployments.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 type 2 certified and penetration tested annually

    Verify on eraser.io
    Penetration Testing (Annual)
    HELD

    penetration tested annually

    Verify on eraser.io
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence found on vendor domain. SOC 2 Type 2 is offered instead as primary information security certification.

    source: docs.eraser.io
    HIPAA
    NOT CONFIRMED

    No evidence of HIPAA compliance, BAA, or healthcare-specific certifications found on vendor domain.

    source: eraser.io
    GDPR
    NOT CONFIRMED

    Privacy policy mentions 'no transfer of Your Personal Data will place to an organization or a country unless there are adequate controls in place' but no explicit GDPR compliance certification or DPA framework stated.

    source: eraser.io
    PCI DSS
    NOT CONFIRMED

    No public evidence found. Eraser notes 'we will not store or collect Your payment card details' (Stripe handles payments).

    source: eraser.io
    ISO 27701 (Privacy)
    NOT CONFIRMED

    No public evidence found on vendor domain.

    source: docs.eraser.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Not explicitly specified; privacy policy states data processing may occur at 'Company's operating offices and in any other places where the parties involved in the processing are located.' Multi-tenancy default, but BYOC (private cloud) option available for data residency control.

    Vendor explicitly states: 'OpenAI nor Eraser will use your data to train AI models.' However, 'Eraser may analyze your usage to improve and enhance our AI feature.' OpenAI retains API requests/responses for up to 30 days per their usage policy.

    // Security controls

    SAML SSO

    Supported (Microsoft Entra, Okta, others)

    eraser.io

    Deployment Models

    Multi-tenancy, single-tenancy, private cloud (BYOC)

    eraser.io

    Data Backup & Recovery

    Version history & snapshots available; users responsible for independent backup of content

    eraser.io

    Third-Party Service Providers

    Google Analytics, Amplitude (analytics); SendGrid (email); Stripe (payments)

    eraser.io

    Encryption Details

    Not publicly specified on vendor domain

    docs.eraser.io

    Trust Portal Access

    Available for enterprise customers; includes SOC 2 Type 2 report and annual penetration test report. Contact: hello@eraser.io

    docs.eraser.io

    // Products & data scope

    Eraser Core PlatformTechnical Design & Documentation

    data: Diagrams, design docs, markdown content, version history, user data

    Available in free, paid, and enterprise tiers. Supports architecture diagrams, ERDs, flow charts, sequence diagrams. API available. Markdown-based with export to PNG/SVG/PDF/MD.

    DiagramGPT (AI Feature)AI-Powered Design

    data: Diagram prompts, generated diagrams

    Uses OpenAI API; neither Eraser nor OpenAI trains models on user data. OpenAI retains requests/responses up to 30 days.

    MCP Server (Model Context Protocol)Integration/API

    data: API-based diagram generation and management

    Launching MCP Server per homepage. Allows integration with other AI tools and workflows.

    // What to watch

    • No ISO 27001 certification — only SOC 2 Type 2 offered as primary security certification
    • No HIPAA compliance or BAA availability — healthcare/regulated use cases not explicitly supported
    • No explicit GDPR compliance statement or DPA framework — privacy policy addresses data transfers but no formal compliance posture stated
    • Data residency not guaranteed in multi-tenant default — international data transfers possible (US-based service providers); BYOC option mitigates for on-premise needs
    • Privacy policy mentions analytics data collection (Google Analytics, Amplitude) — may raise concerns for GDPR-sensitive organizations
    • Trust Portal not directly accessible online (must request via hello@eraser.io) — transparency slightly limited compared to vendors with public trust portals
    • Encryption details not publicly specified — best practices assumed but not documented on public pages
    • AI training policy clear but OpenAI 30-day retention of API requests/responses not widely advertised — could be concern for sensitive technical diagrams

    // At a glance

    Pricing model

    Freemium (free tier), subscription tiers, enterprise pricing available. No public pricing details for enterprise.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Eraser Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    eraser.io

    > Browse all vendor trust reports