// Trust & Security Report
Freshworks Inc.
Freshworks (Freshsales is the AI-powered Sales CRM; part of the broader Freshworks suite including Freshsales Suite, Freshdesk, Freshchat, Freshservice, Freshmarketer, all powered by Freddy AI)
Certifications held
11
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.freshworks.com“The Trust Center explicitly displays 'SOC 2 Type 2' among its certifications. Freshworks states it is 'audited by independent audit entities for ISO 27001, SOC 2, and other compliances at least once a year.'”
Verify on trust.freshworks.com“Trust Center lists 'SOC 1 Type 2'. Freshworks 'has successfully achieved SOC 1 Type II attestation, covering the period from October 1, 2024, to October 31, 2025.'”
Verify on trust.freshworks.com“Trust Center lists 'ISO/IEC 27001:2022' and 'ISO/IEC 27001 SoA' (Statement of Applicability).”
Verify on trust.freshworks.com“Trust Center lists 'ISO/IEC 27701:2019' (privacy information management).”
Verify on trust.freshworks.com“Trust Center lists both 'Cyber Essentials' and 'Cyber Essentials Plus'.”
Verify on trust.freshworks.com“Trust Center lists 'TX-RAMP' (Texas Risk and Authorization Management Program).”
Verify on trust.freshworks.com“PCI DSS was reported by a third-party aggregator but was NOT explicitly listed in the certifications section of the SafeBase Trust Center at verification time. Encryption page notes card data handling but no direct PCI attestation quote was confirmed on the vendor domain.”
Verify on trust.freshworks.com“A third-party security profile states 'Freshworks is HIPAA Compliant,' but no HIPAA attestation or BAA statement was confirmed directly in the Freshworks Trust Center certification list. Treat as unverified for Freshsales specifically.”
Verify on freshworks.com“Privacy Notice: 'While processing Personal Data we comply with the principles and rules of the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).' Trust Center also lists 'EU-US DPF', 'Swiss-US DPF', 'UK Extension to EU-US DPF', and 'CCPA'.”
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Processing in United States, United Kingdom, and the EEA per Privacy Notice; Freshworks operates regional data centers (US, EU, India, Australia) on AWS, and offers data-region selection at provisioning.
Nuanced. Freshworks states it 'does not use customer data to train third-party hosted generative models' and 'does not share customer data with any third-party providers for AI model training.' However, Freddy AI DOES use customer data from CONSENTING customers to train its own proprietary models: 'Custom Models' (trained only on that org's data, used exclusively in that account) and 'Collaborative Models' (trained on de-identified data from multiple customers). Customers can opt out at any time via support@freshworks.com, after which data is removed from training sets. Net: no third-party/foundation-model training on customer data; first-party model training is consent-based with opt-out, hence 'unknown/conditional' rather than a flat true or false.
// Security controls
Bug bounty platform
HackerOne - 'We have partnered with HackerOne to handle security vulnerabilities identified in our products.' (public program at hackerone.com/freshworks)
freshworks.comPenetration testing
Application VAPT Report and Infrastructure VAPT Report published in Trust Center; 'Vulnerability Assessment and Penetration Test' and 'Code Analysis' documented under App Security
trust.freshworks.comAccess control
Role-based access through IAM enforces segregation of duties, two-factor authentication, and end-to-end audit trails
freshworks.comHosting / infrastructure
Hosted on AWS in dedicated VPCs (non-promiscuous mode), n+1 redundancy across multiple availability zones, daily snapshots retained 7 days, near real-time cross-AZ backups
freshworks.comSecurity operations
24x7 monitoring and situation awareness through detection, containment, and remediation of suspected or actual security incidents
freshworks.com// Products & data scope
data: Lead/contact/deal CRM records, email and conversation data, intent scores; processed by Freddy AI for lead scoring, deal recommendations, and email drafting. Freshworks acts as Processor of this Hosted Data; the customer is the Controller.
Core product. Freddy AI features can be enabled; customer data used for first-party model training only with consent and with opt-out.
data: Adds marketing automation, campaign, and email-engagement data on top of the Freshsales CRM scope. Same Processor relationship and Freddy AI scope.
Unified sales+marketing CRM; broader marketing/PII processing than standalone Freshsales.
data: Generative + predictive AI. Does not train third-party/foundation models on customer data; trains first-party Custom and Collaborative models on consenting customers' data with opt-out.
Shared AI engine; data-use governed by Freddy AI Trust Framework, distinct from base CRM data handling.
// What to watch
- AI training is conditional, not a flat no: Freddy AI trains Freshworks' own Custom and Collaborative models on CONSENTING customers' data (Collaborative Models use de-identified cross-customer data). Opt-out exists via support@freshworks.com. Buyers who never want their data in any model training must explicitly opt out.
- HIPAA and PCI DSS were reported by third-party aggregators but NOT confirmed in the vendor's own Trust Center certification list at verification time. Do not advertise HIPAA/PCI for Freshsales without a signed BAA / direct attestation.
- Full Trust Center documents (audit reports, VAPT reports) sit behind a SafeBase login/NDA gate; certification names are public but underlying reports require request access.
- Enterprise-grade vendor: NYSE-listed Freshworks Inc., 74,000+ customers, mature security program with HackerOne bug bounty and annual third-party audits.
// At a glance
Pricing model
Subscription SaaS, per-user per-month tiers starting at $9/user/month (Growth/Pro/Enterprise tiers); 21-day free trial, no credit card required
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Freshworks Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.freshworks.com