// Trust & Security Report
Gladly Software, Inc.
AI-powered customer experience and CX support platform
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: trust.gladly.comNo public evidence of ISO 27001 certification found on trust center, security pages, help docs, or vendor blog as of 2026-06-29.
source: trust.gladly.comNo public evidence of HIPAA certification or BAA offering found on trust center, AI security page, or help docs as of 2026-06-29.
source: trust.gladly.comNo public evidence found on any Gladly-domain page as of 2026-06-29.
source: trust.gladly.comNo public evidence found on any Gladly-domain page as of 2026-06-29.
source: trust.gladly.comNo public evidence found on any Gladly-domain page as of 2026-06-29.
source: trust.gladly.comNo public evidence found on any Gladly-domain page as of 2026-06-29.
source: trust.gladly.comNo public evidence found on any Gladly-domain page as of 2026-06-29.
source: trust.gladly.comNo public evidence found on any Gladly-domain page as of 2026-06-29.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (ToS states: 'your User Content may be transferred, processed, and stored in the United States'). No multi-region or EU data residency option publicly documented.
Gladly explicitly states it does not train on customer data: 'Customer messages processed by our AI are never used to train AI models.' and 'Gladly does not require new customer data to train our proprietary models, nor do we provide customer data to any third parties to train their models.' (source: https://help.gladly.com/docs/ai-security-and-compliance). However, the Terms of Service contain a broad clause permitting use of 'aggregated and anonymized data for any purpose during or after the term of this Agreement, including, to develop and improve the Service' - this applies to anonymized/aggregated data only, not identified customer content.
// Security controls
Penetration testing
Annual third-party penetration tests; 2025 web app and cloud environment pentests documented, 2026 engagement letter available on trust center
trust.gladly.comCloud infrastructure
Amazon Web Services (listed as primary subprocessor on trust center)
trust.gladly.comProduction database authentication
Unique production database authentication enforced (trust center control)
trust.gladly.comBusiness continuity
Continuity and Disaster Recovery plans established and tested (trust center controls)
trust.gladly.comData deletion
Customer data deleted upon customer leaving; configurable data retention with minimum 365-day periods
trust.gladly.comPCI payment data
Payment data tokenization via Very Good Security (subprocessor); PCI DSS Level 2 compliance with annual attestations
trust.gladly.com// Products & data scope
data: Customer conversation history, order/product data, voice, chat, SMS, email, social messages; processes data via third-party AI models (Azure, OpenAI, Anthropic, Deepgram, ElevenLabs)
Handles end-to-end customer conversations autonomously; AI partners are SOC 2 Type 2 and PCI compliant. Customer messages are NOT used to train any AI models. Temporary 30-day retention for abuse/misuse monitoring only.
data: Lifelong customer conversation history across all channels, unified agent view
Provides AI-assist to human agents rather than autonomous resolution. Same security posture as Gladly AI for data handling.
// What to watch
- No ISO 27001 certification found - notable gap for enterprise B2B SaaS
- No HIPAA certification or BAA offering found - limits healthcare sector use
- Data residency is US-only per ToS; EU customers should verify SCC arrangements before signing
- AI subprocessors include OpenAI and Anthropic - customers should review pass-through DPAs for these partners
- ToS broad license clause for aggregated/anonymized data could be read broadly; AI security page explicitly limits this to non-training uses
- No standalone DPA URL found publicly - DPA appears to be incorporated within the Security Agreement at gladly.ai/security-agreement or provided on request
- ElevenLabs and Deepgram listed as AI subprocessors for voice synthesis and speech recognition - PHI/sensitive voice data flows through these third parties
// At a glance
Pricing model
Enterprise SaaS, subscription-based; demo required, no public pricing listed
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Gladly Software, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.gladly.com