// Trust & Security Report

    Sorter, Inc. (doing business as Lavender) logo

    Sorter, Inc. (doing business as Lavender)

    Lavender Email Coach (browser extension for individuals/teams that scores and improves sales emails) plus Ora, a newer autonomous AI sales agent that drafts and sends outbound email; both share the same underlying compliance posture.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We are SOC 2 Type 2 certified and GDPR compliant.

    Verify on lavender.ai
    GDPR (compliance posture)
    HELD

    In compliance with GDPR, CCPA, and other data privacy acts, users can easily and automatically delete any data we have on them from our servers.

    Verify on lavender.ai
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not mentioned on lavender.ai/privacy, the privacy policy, or the terms of service; a search-engine summary claimed ISO 27001/PCI/FedRAMP/CSA STAR compliance but no vendor-domain source could be found to back it, so it is treated as unverified over-claim rather than fact.

    source: lavender.ai
    HIPAA
    NOT CONFIRMED

    The Services are not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use the Services.

    source: lavender.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence. Lavender does not store payment data itself ('Payment information is not stored by Lavender; all payments are securely processed by Stripe'), so PCI scope sits with Stripe, not Lavender. No vendor-domain PCI claim found.

    source: lavender.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on any lavender.ai page.

    source: lavender.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on any lavender.ai page.

    source: lavender.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of an AI-governance certification on lavender.ai.

    source: lavender.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States only, per the privacy policy: 'Lavender is located in the United States and any information you provide to us may be stored in the United States.' No EU/UK data-residency option is documented.

    For Google Workspace data the policy is explicit and protective: 'Data obtained through Google APIs has not and will not be used to develop, improve, or train Generalized AI or ML models.' However the same policy allows broader use of other, non-Google 'Third-Party Data...to improve our products and services, including for use with and de-identified training of our machine learning and artificial intelligence models,' which is a narrower carve-out than a blanket no-training promise. Emails themselves are described as not retained beyond analysis in marketing copy ('Lavender does not store copies of your emails' per third-party summaries) while the privacy policy separately states up to two years of retention for uploaded email correspondence for historical analysis, an internal inconsistency worth flagging to a customer.

    // Security controls

    Encryption in transit

    TLS

    lavender.ai

    Encryption at rest

    AES

    lavender.ai

    Hosting

    Amazon Web Services, behind a firewall

    lavender.ai

    Authentication

    OAuth-based sign-in with Google/Microsoft; product marketing states passwords are not stored, though this could not be independently confirmed on a vendor-domain security page beyond secondary summaries

    lavender.ai

    Trust center

    Drata-powered trust center exists at trust.lavender.ai (confirmed by page title 'Trust Center | Powered by Drata' in search results and a Drata customer case study), but the live portal returned HTTP 403 / gated content during this review, so its certification list could not be read directly and SOC 2/GDPR were instead verified from the vendor's own privacy page.

    trust.lavender.ai

    // Products & data scope

    Lavender Email Coach (free/individual)AI email writing assistant / browser extension

    data: Access to the single email currently being composed in Gmail/Outlook

    Entry-level product, OAuth sign-in, no payment data stored (handled by Stripe).

    Lavender for TeamsSales coaching / analytics dashboard

    data: Team email metrics, template performance, rep activity data across Gmail, Outlook, Outreach, Salesloft, HubSpot, Apollo, Groove integrations

    Adds manager-facing analytics; no SSO or granular RBAC details were publicly documented at time of review.

    Ora (AI Sales Agent)Autonomous outbound email agent

    data: CRM/CSV prospect data plus historical email corpus used to draft and send campaigns on the user's behalf

    Newer product (2025); vendor states it inherits the same SOC 2/GDPR posture as core Lavender, but this is not yet independently broken out on a dedicated Ora trust page.

    // What to watch

    • Trust center at trust.lavender.ai is Drata-powered but returned HTTP 403 during live verification, so its cert list could not be read directly; SOC 2/GDPR claims were instead confirmed from the vendor's own /privacy page, which is solid but is a secondary source to the trust center itself.
    • A search-engine AI summary asserted Lavender holds ISO 27001, PCI, HIPAA, FedRAMP, and CSA STAR certifications; none of this could be corroborated on any lavender.ai page, and the Terms of Service directly contradicts the HIPAA claim ('not tailored to comply with...HIPAA'). This looks like an aggregator/SEO-site over-claim and should not be trusted; graded held=false for all of these.
    • Minor internal inconsistency: privacy policy states up to two years' retention of uploaded email correspondence for historical analysis, while marketing/security copy elsewhere implies emails are not retained after analysis. Buyers with strict retention requirements should confirm directly with Lavender.
    • No public Data Processing Agreement (DPA) link was found; GDPR posture is asserted but the mechanism for signing a DPA is not self-serve/public.
    • AI training carve-out is Google-Workspace-specific ('has not and will not be used to...train...models'); data from other integrations may be used in de-identified model training, so 'no training' should not be presented as a blanket claim in the AIFOXX listing.

    // At a glance

    Pricing model

    Freemium individual tier plus paid Team/Enterprise tiers and a separate Ora product; exact seat pricing not captured in this review

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sorter, Inc. (doing business as Lavender)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.lavender.ai

    > Browse all vendor trust reports