// Trust & Security Report

    Gladly Software, Inc. logo

    Gladly Software, Inc.

    AI-powered customer experience and CX support platform

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Gladly 2025 SOC 2 Type 2 Report.pdf

    Verify on trust.gladly.com
    PCI DSS 4.0
    HELD

    Gladly PCI DSS v4.0 2025 Report

    Verify on trust.gladly.com
    GDPR
    HELD

    Compliance SOC 2 PCI DSS 4.0.1 GDPR CCPA COMPLIANT

    Verify on trust.gladly.com
    CCPA
    HELD

    Compliance SOC 2 PCI DSS 4.0.1 GDPR CCPA COMPLIANT

    Verify on trust.gladly.com
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on trust center, security pages, help docs, or vendor blog as of 2026-06-29.

    source: trust.gladly.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification or BAA offering found on trust center, AI security page, or help docs as of 2026-06-29.

    source: trust.gladly.com
    ISO 27017
    NOT CONFIRMED

    No public evidence found on any Gladly-domain page as of 2026-06-29.

    source: trust.gladly.com
    ISO 27018
    NOT CONFIRMED

    No public evidence found on any Gladly-domain page as of 2026-06-29.

    source: trust.gladly.com
    ISO 27701
    NOT CONFIRMED

    No public evidence found on any Gladly-domain page as of 2026-06-29.

    source: trust.gladly.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence found on any Gladly-domain page as of 2026-06-29.

    source: trust.gladly.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any Gladly-domain page as of 2026-06-29.

    source: trust.gladly.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on any Gladly-domain page as of 2026-06-29.

    source: trust.gladly.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (ToS states: 'your User Content may be transferred, processed, and stored in the United States'). No multi-region or EU data residency option publicly documented.

    Gladly explicitly states it does not train on customer data: 'Customer messages processed by our AI are never used to train AI models.' and 'Gladly does not require new customer data to train our proprietary models, nor do we provide customer data to any third parties to train their models.' (source: https://help.gladly.com/docs/ai-security-and-compliance). However, the Terms of Service contain a broad clause permitting use of 'aggregated and anonymized data for any purpose during or after the term of this Agreement, including, to develop and improve the Service' - this applies to anonymized/aggregated data only, not identified customer content.

    // Security controls

    Encryption in transit

    TLS 1.2

    help.gladly.com

    Encryption at rest

    AES-256

    help.gladly.com

    Penetration testing

    Annual third-party penetration tests; 2025 web app and cloud environment pentests documented, 2026 engagement letter available on trust center

    trust.gladly.com

    Cloud infrastructure

    Amazon Web Services (listed as primary subprocessor on trust center)

    trust.gladly.com

    Production database authentication

    Unique production database authentication enforced (trust center control)

    trust.gladly.com

    Vulnerability disclosure

    security@gladly.com disclosed on trust center

    trust.gladly.com

    Business continuity

    Continuity and Disaster Recovery plans established and tested (trust center controls)

    trust.gladly.com

    Cybersecurity insurance

    Cybersecurity insurance maintained (trust center control)

    trust.gladly.com

    Data deletion

    Customer data deleted upon customer leaving; configurable data retention with minimum 365-day periods

    trust.gladly.com

    PCI payment data

    Payment data tokenization via Very Good Security (subprocessor); PCI DSS Level 2 compliance with annual attestations

    trust.gladly.com

    // Products & data scope

    Gladly AI (AI Agent)AI customer support automation

    data: Customer conversation history, order/product data, voice, chat, SMS, email, social messages; processes data via third-party AI models (Azure, OpenAI, Anthropic, Deepgram, ElevenLabs)

    Handles end-to-end customer conversations autonomously; AI partners are SOC 2 Type 2 and PCI compliant. Customer messages are NOT used to train any AI models. Temporary 30-day retention for abuse/misuse monitoring only.

    Gladly TeamHuman agent CX platform

    data: Lifelong customer conversation history across all channels, unified agent view

    Provides AI-assist to human agents rather than autonomous resolution. Same security posture as Gladly AI for data handling.

    // What to watch

    • No ISO 27001 certification found - notable gap for enterprise B2B SaaS
    • No HIPAA certification or BAA offering found - limits healthcare sector use
    • Data residency is US-only per ToS; EU customers should verify SCC arrangements before signing
    • AI subprocessors include OpenAI and Anthropic - customers should review pass-through DPAs for these partners
    • ToS broad license clause for aggregated/anonymized data could be read broadly; AI security page explicitly limits this to non-training uses
    • No standalone DPA URL found publicly - DPA appears to be incorporated within the Security Agreement at gladly.ai/security-agreement or provided on request
    • ElevenLabs and Deepgram listed as AI subprocessors for voice synthesis and speech recognition - PHI/sensitive voice data flows through these third parties

    // At a glance

    Pricing model

    Enterprise SaaS, subscription-based; demo required, no public pricing listed

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Gladly Software, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.gladly.com

    > Browse all vendor trust reports