// Trust & Security Report

    Kayako (ESW Operations, LLC) logo

    Kayako (ESW Operations, LLC)

    AI-powered customer support help desk. Kayako One (full help desk: omnichannel inbox, ticketing, live chat, knowledge base, SLAs, analytics) plus 'Kay', an AI support agent that triages, drafts replies, and takes actions (refunds, user creation, data updates), deployable on top of Zendesk, Freshdesk, Intercom, Salesforce, or the Kayako help desk.

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II (Kayako's own product/org)
    HELD

    Enterprise security & compliance — SOC 2 Type II, GDPR, SSO/SAML, role-based access, and audit logs built in from day one.

    Verify on kayako.com
    SOC 1 / SOC 2 / SOC 3 (SSAE-16) — data-center / hosting provider only
    HELD

    Core Kayako infrastructure is hosted at SSAE-16 (SOC 1, SOC 2, SOC 3), PCI DSS, ISO 27001, ISO 27017, ISO 27018 and Cloud Security Alliance compliant data facilities.

    Verify on kayako.com
    ISO 27001 / ISO 27017 / ISO 27018 — data-center / hosting provider only
    HELD

    Core Kayako infrastructure is hosted at SSAE-16 (SOC 1, SOC 2, SOC 3), PCI DSS, ISO 27001, ISO 27017, ISO 27018 and Cloud Security Alliance compliant data facilities.

    Verify on kayako.com
    PCI DSS — data-center / hosting provider only
    HELD

    Core Kayako infrastructure is hosted at SSAE-16 (SOC 1, SOC 2, SOC 3), PCI DSS, ISO 27001, ISO 27017, ISO 27018 and Cloud Security Alliance compliant data facilities.

    Verify on kayako.com
    GDPR compliance posture
    HELD

    With respect to personal data of individuals from the European Economic Area ('EEA'), the United Kingdom ('UK') or Switzerland, our legal basis for collecting and using the personal data will depend on the personal data concerned... we have your consent... we need the personal data to perform a contract... or where the processing is in our or a third party's legitimate interests.

    Verify on kayako.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not stated

    Data region

    unknown (privacy policy confirms data is transferred to and stored in the United States: 'data transfer to the United States'; backups are kept in multiple geographies per the security page, but no customer-selectable data residency is documented)

    Kay, the AI agent, is explicitly 'Trained on your tickets, not on a generic model. The longer Kay runs, the better it gets at your customers' questions' and 'Learns from human resolutions to improve coverage' (homepage). This indicates per-customer model tuning on that customer's own ticket data, which is expected behavior for the product. There is NO published statement on whether customer data is used to train shared/cross-customer or foundation models, no model-provider disclosure, and no AI/data-use sub-policy. The general privacy policy treats customer-submitted data under a processor model ('The data that we process through our Services is processed by us on behalf of our customer'), so end-customer ticket content is governed by the customer contract, not the public policy. Cross-customer training default is therefore unverified.

    // Security controls

    Encryption in transit

    TLS/HTTPS for all traffic: 'All data between your users and Kayako are encrypted using industry-standard HTTPS and Transport Layer Security (TLS).'

    kayako.com

    Encryption at rest

    Not explicitly stated for stored data. Passwords are irreversibly hashed: 'We follow best practices by irreversibly hashing user passwords and never storing them in plain text.' No statement on database-level at-rest encryption of customer data.

    kayako.com

    SSO / SAML

    Single sign-on supported: 'Authenticate agents and customers against your own systems or third-party apps.' Homepage adds 'SSO/SAML'.

    kayako.com

    Two-factor authentication

    Supported for agents and customers: 'Kayako supports 2FA (for both your team and your customers).'

    kayako.com

    Role-based access control

    'You can configure multiple roles, access rights and restrictions for your team.' Homepage cites 'role-based access, and audit logs built in from day one.'

    kayako.com

    IP / network restrictions

    'Your Kayako agent area can be configured to only allow access from specific IP address ranges.'

    kayako.com

    Vulnerability disclosure / bug bounty

    Public responsible disclosure policy, but NO formal bug-bounty platform (HackerOne/Bugcrowd) is named: 'We operate a public, transparent responsible disclosure policy which encourages cooperation with whitehat hackers and penetration testers.'

    kayako.com

    Penetration testing

    Referenced only indirectly via the disclosure policy ('penetration testers'). No statement of regular third-party pentests or a summary report. Unverified as a formal program.

    kayako.com

    Backups / DR / redundancy

    'We operate a multi-level backup and disaster recovery strategy. Backups and near real-time snapshots are taken at various intervals and multiple copies are securely stored in different geographical locations.' Redundancy architecture eliminates single points of failure.

    kayako.com

    Environment separation

    'We physically and logically keep testing and staging environments separate from production... No customer data is used during development or testing.'

    kayako.com

    DDoS mitigation

    'Industry-leading infrastructure is in place to protect against and mitigate the impact of denial of service attacks.'

    kayako.com

    // Products & data scope

    Kayako OneFull AI help desk platform (omnichannel inbox, ticketing, live chat, knowledge base, SLAs, analytics)

    data: Stores end-customer support tickets, contact PII (name, email, phone), order/billing context via SingleView, and agent accounts. Kayako acts as data processor on behalf of the business customer; data transferred to/stored in the US.

    Marketed with 'enterprise-grade security' (SOC 2 Type II, GDPR, SSO/SAML, RBAC, audit logs). Expert-led/white-glove deployment model; sales-led (no public self-serve pricing surfaced).

    Kay (AI support agent)AI agent / automation layer

    data: Ingests and is trained on the customer's own tickets, products, and tone; can take actions through connected systems (issue refunds, create users, update data, close cases) via external API connections. Sits on top of Zendesk, Freshdesk, Intercom, Salesforce, or the Kayako help desk.

    Per-customer model tuning is explicit. Cross-customer / foundation-model training default is NOT disclosed. Action-taking on external systems (refunds, data writes) expands the data-access and blast-radius scope materially versus a read-only assistant. No published AI/data-use policy or model-provider transparency.

    Kayako ClassicLegacy help desk (linked in footer)

    data: Legacy product; distinct codebase and likely distinct data/compliance scope.

    Still referenced in navigation; security posture for Classic not separately documented. Treat compliance claims as applying to the current Kayako One platform unless confirmed otherwise.

    // What to watch

    • Discrepancy: homepage markets 'SOC 2 Type II ... built in from day one' but the dedicated /security/ page makes NO Kayako-held SOC 2 claim; it attributes SOC 1/2/3, PCI DSS, ISO 27001/27017/27018 to the data-center provider only. No SOC 2 report, attestation letter, or trust center is published to confirm Kayako itself holds a current SOC 2 Type II.
    • No trust center / security portal — certifications cannot be independently verified by a buyer; would require NDA + direct request.
    • AI training transparency gap: Kay trains on customer tickets (per-customer tuning confirmed), but there is no disclosure of whether data is used cross-customer or to train shared/foundation models, no underlying model-provider named, and no dedicated AI/data-use policy.
    • Kay can take write/financial actions (issue refunds, create users, update data) via external API connections — elevated risk surface that warrants scrutiny of action scoping and approval controls.
    • No DPA, no named bug-bounty platform (HackerOne/Bugcrowd), and no formal third-party pentest cadence published.
    • Owned by ESW Operations, LLC / ESW Capital (acquired Kayako in 2018); governance entity differs from the original UK Kayako brand. Terms of Use grant ESW a broad license over user-submitted website content and allow ESW to 'sell, repurpose, aggregate, or transfer to third parties any information that you provide' (note: this is the WEBSITE terms, not the product/service contract, but worth noting).
    • Terms include mandatory binding arbitration and class-action waiver (Texas / Travis County venue).

    // At a glance

    Pricing model

    Sales-led / 'Book a Strategy Session'. Expert-led, white-glove deployment, priced per engagement; no transparent public self-serve pricing was surfaced on the site.

    Self-hostable

    Not stated

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Kayako (ESW Operations, LLC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    kayako.com

    > Browse all vendor trust reports