// Trust & Security Report
Kayako (ESW Operations, LLC)
AI-powered customer support help desk. Kayako One (full help desk: omnichannel inbox, ticketing, live chat, knowledge base, SLAs, analytics) plus 'Kay', an AI support agent that triages, drafts replies, and takes actions (refunds, user creation, data updates), deployable on top of Zendesk, Freshdesk, Intercom, Salesforce, or the Kayako help desk.
Certifications held
5
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on kayako.com“Enterprise security & compliance — SOC 2 Type II, GDPR, SSO/SAML, role-based access, and audit logs built in from day one.”
Verify on kayako.com“Core Kayako infrastructure is hosted at SSAE-16 (SOC 1, SOC 2, SOC 3), PCI DSS, ISO 27001, ISO 27017, ISO 27018 and Cloud Security Alliance compliant data facilities.”
Verify on kayako.com“Core Kayako infrastructure is hosted at SSAE-16 (SOC 1, SOC 2, SOC 3), PCI DSS, ISO 27001, ISO 27017, ISO 27018 and Cloud Security Alliance compliant data facilities.”
Verify on kayako.com“Core Kayako infrastructure is hosted at SSAE-16 (SOC 1, SOC 2, SOC 3), PCI DSS, ISO 27001, ISO 27017, ISO 27018 and Cloud Security Alliance compliant data facilities.”
Verify on kayako.com“With respect to personal data of individuals from the European Economic Area ('EEA'), the United Kingdom ('UK') or Switzerland, our legal basis for collecting and using the personal data will depend on the personal data concerned... we have your consent... we need the personal data to perform a contract... or where the processing is in our or a third party's legitimate interests.”
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not stated
Data region
unknown (privacy policy confirms data is transferred to and stored in the United States: 'data transfer to the United States'; backups are kept in multiple geographies per the security page, but no customer-selectable data residency is documented)
Kay, the AI agent, is explicitly 'Trained on your tickets, not on a generic model. The longer Kay runs, the better it gets at your customers' questions' and 'Learns from human resolutions to improve coverage' (homepage). This indicates per-customer model tuning on that customer's own ticket data, which is expected behavior for the product. There is NO published statement on whether customer data is used to train shared/cross-customer or foundation models, no model-provider disclosure, and no AI/data-use sub-policy. The general privacy policy treats customer-submitted data under a processor model ('The data that we process through our Services is processed by us on behalf of our customer'), so end-customer ticket content is governed by the customer contract, not the public policy. Cross-customer training default is therefore unverified.
// Security controls
Encryption in transit
TLS/HTTPS for all traffic: 'All data between your users and Kayako are encrypted using industry-standard HTTPS and Transport Layer Security (TLS).'
kayako.comEncryption at rest
Not explicitly stated for stored data. Passwords are irreversibly hashed: 'We follow best practices by irreversibly hashing user passwords and never storing them in plain text.' No statement on database-level at-rest encryption of customer data.
kayako.comSSO / SAML
Single sign-on supported: 'Authenticate agents and customers against your own systems or third-party apps.' Homepage adds 'SSO/SAML'.
kayako.comTwo-factor authentication
Supported for agents and customers: 'Kayako supports 2FA (for both your team and your customers).'
kayako.comRole-based access control
'You can configure multiple roles, access rights and restrictions for your team.' Homepage cites 'role-based access, and audit logs built in from day one.'
kayako.comIP / network restrictions
'Your Kayako agent area can be configured to only allow access from specific IP address ranges.'
kayako.comVulnerability disclosure / bug bounty
Public responsible disclosure policy, but NO formal bug-bounty platform (HackerOne/Bugcrowd) is named: 'We operate a public, transparent responsible disclosure policy which encourages cooperation with whitehat hackers and penetration testers.'
kayako.comPenetration testing
Referenced only indirectly via the disclosure policy ('penetration testers'). No statement of regular third-party pentests or a summary report. Unverified as a formal program.
kayako.comBackups / DR / redundancy
'We operate a multi-level backup and disaster recovery strategy. Backups and near real-time snapshots are taken at various intervals and multiple copies are securely stored in different geographical locations.' Redundancy architecture eliminates single points of failure.
kayako.comEnvironment separation
'We physically and logically keep testing and staging environments separate from production... No customer data is used during development or testing.'
kayako.comDDoS mitigation
'Industry-leading infrastructure is in place to protect against and mitigate the impact of denial of service attacks.'
kayako.com// Products & data scope
data: Stores end-customer support tickets, contact PII (name, email, phone), order/billing context via SingleView, and agent accounts. Kayako acts as data processor on behalf of the business customer; data transferred to/stored in the US.
Marketed with 'enterprise-grade security' (SOC 2 Type II, GDPR, SSO/SAML, RBAC, audit logs). Expert-led/white-glove deployment model; sales-led (no public self-serve pricing surfaced).
data: Ingests and is trained on the customer's own tickets, products, and tone; can take actions through connected systems (issue refunds, create users, update data, close cases) via external API connections. Sits on top of Zendesk, Freshdesk, Intercom, Salesforce, or the Kayako help desk.
Per-customer model tuning is explicit. Cross-customer / foundation-model training default is NOT disclosed. Action-taking on external systems (refunds, data writes) expands the data-access and blast-radius scope materially versus a read-only assistant. No published AI/data-use policy or model-provider transparency.
data: Legacy product; distinct codebase and likely distinct data/compliance scope.
Still referenced in navigation; security posture for Classic not separately documented. Treat compliance claims as applying to the current Kayako One platform unless confirmed otherwise.
// What to watch
- Discrepancy: homepage markets 'SOC 2 Type II ... built in from day one' but the dedicated /security/ page makes NO Kayako-held SOC 2 claim; it attributes SOC 1/2/3, PCI DSS, ISO 27001/27017/27018 to the data-center provider only. No SOC 2 report, attestation letter, or trust center is published to confirm Kayako itself holds a current SOC 2 Type II.
- No trust center / security portal — certifications cannot be independently verified by a buyer; would require NDA + direct request.
- AI training transparency gap: Kay trains on customer tickets (per-customer tuning confirmed), but there is no disclosure of whether data is used cross-customer or to train shared/foundation models, no underlying model-provider named, and no dedicated AI/data-use policy.
- Kay can take write/financial actions (issue refunds, create users, update data) via external API connections — elevated risk surface that warrants scrutiny of action scoping and approval controls.
- No DPA, no named bug-bounty platform (HackerOne/Bugcrowd), and no formal third-party pentest cadence published.
- Owned by ESW Operations, LLC / ESW Capital (acquired Kayako in 2018); governance entity differs from the original UK Kayako brand. Terms of Use grant ESW a broad license over user-submitted website content and allow ESW to 'sell, repurpose, aggregate, or transfer to third parties any information that you provide' (note: this is the WEBSITE terms, not the product/service contract, but worth noting).
- Terms include mandatory binding arbitration and class-action waiver (Texas / Travis County venue).
// At a glance
Pricing model
Sales-led / 'Book a Strategy Session'. Expert-led, white-glove deployment, priced per engagement; no transparent public self-serve pricing was surfaced on the site.
Self-hostable
Not stated
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Kayako (ESW Operations, LLC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
kayako.com