// Trust & Security Report

    Klue Labs Inc. logo

    Klue Labs Inc.

    AI-powered competitive intelligence and win-loss platform with integrated research assistant (Compete Agent), win-loss interview suite, and third-party CRM integrations

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Klue maintains SOC 2, Type II compliance in accordance with the five Trust Services Criteria defined by the American Institute of Certified Public Accountants. In fact, we're the only Competitive Enablement platform that has achieved SOC2 compliance.

    Verify on klue.com
    GDPR Compliance
    HELD

    Klue is headquartered in Canada and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). The European Commission declares that PIPEDA provides adequate privacy safeguards with respect to the EU's General Data Protection Regulation (GDPR). Klue complies with the GDPR and utilizes the June 2021 Standard Contractual Clauses when applicable.

    Verify on klue.com
    PIPEDA Compliance
    HELD

    Klue is headquartered in Canada and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).

    Verify on klue.com
    CCPA Compliance
    HELD

    Although Klue's volume of sales in the State of California are not yet high enough to trigger application of the California Consumer Privacy Act (CCPA), Klue still actively complies with the CCPA. Klue does not sell any personal data.

    Verify on klue.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on Klue's official security page or documentation. While third-party sources claim this certification, Klue's official security page at https://klue.com/product/security does not list ISO 27001 as a held certification.

    source: klue.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance on Klue's official security page or documentation. HIPAA is not claimed in https://klue.com/product/security or https://klue.com/privacy.

    source: klue.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on Klue's official documentation.

    source: klue.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on Klue's official documentation.

    source: klue.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification on Klue's official documentation.

    source: klue.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Canada, United States, and elsewhere

    Klue's terms explicitly state: 'Customer Data will not be (a) used to train, validate or enhance any AI Features except solely for the benefit of the Customer and as permitted in this Agreement; (b) used to train any publicly available AI systems or public large language models; or (c) shared with publicly available, unrestricted consumer tools or platforms.' Customer data is used only for AI features that benefit that specific customer. Klue may create 'Pattern Data' from anonymized customer usage which becomes Klue's property.

    // Security controls

    Encryption in transit

    TLS 1.2+

    klue.com

    Encryption at rest

    AES-256 block-level storage encryption

    klue.com

    Infrastructure hosting

    Primary: Amazon Web Services (AWS) secure data centers; Secondary web services: Google Cloud Storage

    klue.com

    Penetration testing

    Third-party penetration tests conducted annually with ASVS 4.0 compliance

    klue.com

    Authentication

    SSO/SAML with multi-factor authentication (MFA) support

    klue.com

    Recent security incident

    June 12, 2026: Compromised legacy credential in integration service allowed unauthorized access to OAuth tokens; attacker accessed Salesforce and third-party integration data across a number of connected customer environments (Klue's disclosure does not state a specific count of affected customers). Klue platform itself not compromised. Remediation: revoked affected credentials/tokens, removed unauthorized code, disabled potentially impacted integrations, engaged CrowdStrike, notified law enforcement. A Telegram account purporting to be ShinyHunters claimed responsibility June 21, 2026 (attribution unverified).

    klue.com

    // Products & data scope

    Klue CompeteCompetitive Intelligence

    data: Competitive market intelligence, competitor profiles, buyer signals, AI-powered research

    AI research analyst ('Compete Agent') that continuously collects competitive intel and delivers to sales team; supports 60+ competitor tracking

    Win-Loss SuiteSales Intelligence

    data: Customer deal data, win-loss interview feedback, competitive positioning analysis

    Includes AI interviewer, analyst team, and verified buyer signal extraction; integrated into sales workflows

    // What to watch

    • SECURITY INCIDENT: June 2026 OAuth credential compromise affecting integrations is recent (within last month). While Klue platform itself was not breached, this reveals weaknesses in legacy credential management and integration security controls.
    • OVER-CLAIM RISK: Third-party sources (e.g., Nudge Security) claim Klue holds ISO 27001, HIPAA, PCI DSS, FedRAMP, and CSA STAR certifications, but these are NOT mentioned on Klue's official security page. Only SOC 2, GDPR, PIPEDA, and CCPA are claimed by Klue.
    • CREDENTIAL HYGIENE: The June 2026 incident involved a 'legacy credential' - indicates older, potentially weaker access controls may still exist in production systems.
    • AI TRAINING CLARIFICATION NEEDED: While Klue's terms state customer data is not used for public LLMs, the specific scope of internal AI model training and what constitutes 'Pattern Data' could be clearer.
    • DATA RESIDENCY VAGUENESS: Terms state data is maintained 'in Canada, the United States, and elsewhere' - the 'elsewhere' clause could be more specific.

    // At a glance

    Pricing model

    Subscription SaaS (per-seat or usage-based)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Klue Labs Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    klue.com

    > Browse all vendor trust reports