// Trust & Security Report
Kustomer, LLC
AI-native customer experience (CX) platform and CRM combining a unified customer timeline, omnichannel messaging (chat, email, SMS, voice, web forms), and built-in AI agents (KIQ). Tiered as Enterprise and Ultimate subscriptions, with AI features (bots, agent copilot) sold as add-ons; HIPAA support is a paid add-on available only on Enterprise/Ultimate. Independent company since a 2023 spin-out from Meta (Meta retains a minority stake); VC-backed (Battery, Redpoint, Boldstart, Norwest).
Certifications held
8
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.kustomer.com“Compliance: SOC 2 Type II ... Resources: SOC2 Type II Report ... 'Kustomer's latest SOC 2 Type II report is now available to customers and prospects via our Trust Center under NDA. This independent examination validates the design and operating effectiveness of our controls...' (Update published November 18, 2025)”
Verify on trust.kustomer.com“Compliance: ISO 27001:2022 ... Resources: ISO 27001:2022 Certificate ... 'Kustomer has also successfully completed an independent audit against ISO/IEC 27001:2022, the globally recognized standard for information security management systems.'”
Verify on trust.kustomer.com“Compliance: ISO 27701 ... Resources: ISO 27701:2019 Certificate (listed as a downloadable trust-center resource alongside the SOC 2 report and ISO 27001 certificate).”
Verify on trust.kustomer.com“Compliance: ISO/IEC 42001:2023 ... Resources: ISO 42001:2023 Certificate (listed as a downloadable trust-center resource; the AI-governance-specific certificate).”
Verify on kustomer.com“Compliance: GDPR ... 'We act as the data processor (under GDPR)' and offers a 'Data Processing Addendum (DPA) to the subscription agreement'; DPA incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.”
Verify on kustomer.com“'Kustomer is limited to the status of a business associate' and 'Customers of Kustomer who are subject to HIPAA must review and accept the Kustomer BAA'; HIPAA support is available exclusively through the Enterprise or Ultimate Subscription with a HIPAA add-on package, and 'Email Hooks are not HIPAA Compliant.'”
Verify on trust.kustomer.com“Compliance: CCPA ... 'COMPLIANT' badge shown in the trust center compliance grid; separately, Kustomer states it acts as a 'service provider (under CCPA)' and that its DPA 'has been updated to confirm our compliance with the GDPR and CCPA.'”
Verify on trust.kustomer.com“Compliance: Data Privacy Framework (DPF) Self Certified. Kustomer is listed as an active participant in the EU-US and Swiss-US Data Privacy Framework (verifiable on the DPF registry).”
> Show 3 unconfirmed / not-held certifications
source: trust.kustomer.comResources: 'CAIQ v4.1.0 Self Assessment Security Questionnaire' -- this is a CSA Consensus Assessments Initiative Questionnaire self-assessment, not a third-party-audited CSA STAR Certification (Level 2) or Attestation. No public evidence of a formal CSA STAR certificate or listing on the CSA STAR Registry.
source: trust.kustomer.comNo public evidence of a PCI DSS attestation of compliance on the Kustomer trust center, security, or privacy pages, despite the trust center noting 'Credit card information' as a data type collected by at least one subprocessor. Not listed among trust-center resources or compliance badges.
source: trust.kustomer.comNo public evidence of FedRAMP authorization on any Kustomer-owned page; not listed in the trust center compliance grid.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (primary); AWS and MongoDB Atlas subprocessors also offer Ireland (EU) and India hosting, with cloud hosting and database location 'determined at time of customer onboarding.'
Per Kustomer's own AI Compliance FAQ (kustomer.com/privacy/ai-compliance/): customer data is not used to train Kustomer's global/shared AI models by default. In cases where AI is tailored for a specific customer, that customer's own data may be used to refine a model exclusive to that customer's environment (tenant-scoped, not shared across customers). Kustomer states it shares only message content (not full customer records) with its AI engines. Per the AI Compliance FAQ, the generative-AI LLM providers are 'OpenAI, Anthropic and AWS Bedrock' (OpenAI under a Zero Data Retention policy per Kustomer; AWS Bedrock with an AI opt-out policy). Separately, the trust-center subprocessor grid lists an 'Anthropic' entry whose stated purpose is 'Engineering / Claude Desktop and CLI usage' -- i.e. Kustomer's own engineering team using Claude tooling internally. That specific grid entry is internal tooling and should not be read as the vendor's product-AI use of Anthropic; Anthropic's product-AI role is documented on the AI Compliance FAQ, not the subprocessor grid. Note that OpenAI itself does not appear in the captured trust-center subprocessor grid (which lists AWS, Anthropic, MongoDB Atlas, Coralogix); OpenAI is named as an AI provider only on the AI Compliance FAQ.
// Security controls
Encryption in transit and at rest
Trust center Product Security control category lists 'Data encryption utilized' as an implemented control; AI Compliance FAQ separately notes encryption for data in transit and at rest.
trust.kustomer.comSSO / access control
SAML SSO and SCIM provisioning, role-based access control, granular permissions, and IP allow-listing are called out as in-app security features (Ultimate tier), per the November 2025 Security Datasheet update.
trust.kustomer.comPenetration testing
'Penetration testing performed' listed as an active Product Security control in the trust center.
trust.kustomer.comBusiness continuity / disaster recovery
'Continuity and Disaster Recovery plans established' and 'tested' listed as controls; a 'Kustomer Disaster Recovery Test Report' is offered as a trust-center resource. Cybersecurity insurance is maintained.
trust.kustomer.comSubprocessor transparency
Public subprocessor list published and updated with dated change notices (e.g. ClickHouse, Inc. added March 9, 2026 for reporting/analytics); the trust-center subprocessor grid lists AWS (Bedrock as the AI inference layer), Anthropic (internal engineering tooling), MongoDB Atlas, and Coralogix. OpenAI is named as a generative-AI LLM provider on the AI Compliance FAQ, not in the subprocessor grid.
trust.kustomer.comInformation security policies (detailed)
Full internal Information Security Policies (access management, secure development, incident response, vendor management, data retention/disposal) are available to customers under NDA, beyond the public Security Datasheet.
trust.kustomer.com// Products & data scope
data: Customer PII, conversation/support content, employee PII (per trust center 'Data collected' list)
Entry paid tier ($89/seat/mo billed annually per third-party pricing sources, or usage-based per conversation); omnichannel messaging, standard reporting; AI features (bots, copilot) are separate paid add-ons.
data: Same as Enterprise plus expanded data/file storage quotas
Adds SAML SSO/SCIM, data masking, skills-based routing, and is the only tier (with Enterprise) eligible for the HIPAA add-on package and full AI add-on support.
data: Message/conversation content shared with AI engines (OpenAI, Anthropic, AWS Bedrock) per vendor's AI Compliance FAQ
Sold as an add-on (bots from $0.60/conversation, copilot ~$40/user/month per third-party pricing pages); governed by Kustomer's AI Compliance FAQ, not by the base subscription terms alone; excluded from HIPAA-covered channels unless separately confirmed.
data: ePHI carried over Chat, Voice, SMS, and Web Forms only
Requires a signed BAA and is explicitly NOT available for Email Hooks; Gmail integration requires the covered entity to separately BAA with Google. Only sold on Enterprise/Ultimate subscriptions.
// What to watch
- HIPAA is real but conditional: only sold as a paid add-on on Enterprise/Ultimate tiers, and explicitly excludes Email Hooks -- do not list HIPAA as a blanket, plan-agnostic capability.
- The trust-center subprocessor grid's 'Anthropic' entry (purpose 'Engineering / Claude Desktop and CLI usage') is internal engineering tooling. Do not read that specific entry as the vendor's product AI. However, the AI Compliance FAQ separately names Anthropic alongside OpenAI and AWS Bedrock as a generative-AI LLM provider, so Anthropic is not purely internal: the product AI providers are OpenAI, Anthropic, and AWS Bedrock. Also note OpenAI is not itself listed in the captured subprocessor grid (AWS, Anthropic, MongoDB Atlas, Coralogix); it appears only on the AI Compliance FAQ.
- CSA STAR appears in trust-center resources only as a CAIQ v4.1.0 self-assessment questionnaire, not a third-party-audited STAR Certification/Attestation or CSA STAR Registry listing; listed here as held=false to avoid over-claiming.
- SOC 2 report, ISO 27001 certificate, and detailed Information Security Policies are gated under NDA/customer request rather than fully public -- consistent with normal enterprise practice but worth noting for listing caveats.
- AI training posture has a real nuance (no training on shared/global models, but tenant-specific model refinement using that customer's own data is possible) -- avoid a flat 'does not train on customer data' claim without the tenant-scoped caveat.
// At a glance
Pricing model
Per-seat annual subscription (Enterprise from $89/seat/mo, Ultimate from $139/seat/mo per third-party pricing pages) or usage-based per-conversation pricing; AI features (bots, copilot) are metered add-ons on top of either model. No self-serve monthly plan; no published free tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Kustomer, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.kustomer.com