// Trust & Security Report
Sorter, Inc. (doing business as Lavender)
Lavender Email Coach (browser extension for individuals/teams that scores and improves sales emails) plus Ora, a newer autonomous AI sales agent that drafts and sends outbound email; both share the same underlying compliance posture.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lavender.ai“In compliance with GDPR, CCPA, and other data privacy acts, users can easily and automatically delete any data we have on them from our servers.”
> Show 6 unconfirmed / not-held certifications
source: lavender.aiNo public evidence. Not mentioned on lavender.ai/privacy, the privacy policy, or the terms of service; a search-engine summary claimed ISO 27001/PCI/FedRAMP/CSA STAR compliance but no vendor-domain source could be found to back it, so it is treated as unverified over-claim rather than fact.
source: lavender.aiThe Services are not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use the Services.
source: lavender.aiNo public evidence. Lavender does not store payment data itself ('Payment information is not stored by Lavender; all payments are securely processed by Stripe'), so PCI scope sits with Stripe, not Lavender. No vendor-domain PCI claim found.
source: lavender.aiNo public evidence of an AI-governance certification on lavender.ai.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States only, per the privacy policy: 'Lavender is located in the United States and any information you provide to us may be stored in the United States.' No EU/UK data-residency option is documented.
For Google Workspace data the policy is explicit and protective: 'Data obtained through Google APIs has not and will not be used to develop, improve, or train Generalized AI or ML models.' However the same policy allows broader use of other, non-Google 'Third-Party Data...to improve our products and services, including for use with and de-identified training of our machine learning and artificial intelligence models,' which is a narrower carve-out than a blanket no-training promise. Emails themselves are described as not retained beyond analysis in marketing copy ('Lavender does not store copies of your emails' per third-party summaries) while the privacy policy separately states up to two years of retention for uploaded email correspondence for historical analysis, an internal inconsistency worth flagging to a customer.
// Security controls
Authentication
OAuth-based sign-in with Google/Microsoft; product marketing states passwords are not stored, though this could not be independently confirmed on a vendor-domain security page beyond secondary summaries
lavender.aiTrust center
Drata-powered trust center exists at trust.lavender.ai (confirmed by page title 'Trust Center | Powered by Drata' in search results and a Drata customer case study), but the live portal returned HTTP 403 / gated content during this review, so its certification list could not be read directly and SOC 2/GDPR were instead verified from the vendor's own privacy page.
trust.lavender.ai// Products & data scope
data: Access to the single email currently being composed in Gmail/Outlook
Entry-level product, OAuth sign-in, no payment data stored (handled by Stripe).
data: Team email metrics, template performance, rep activity data across Gmail, Outlook, Outreach, Salesloft, HubSpot, Apollo, Groove integrations
Adds manager-facing analytics; no SSO or granular RBAC details were publicly documented at time of review.
data: CRM/CSV prospect data plus historical email corpus used to draft and send campaigns on the user's behalf
Newer product (2025); vendor states it inherits the same SOC 2/GDPR posture as core Lavender, but this is not yet independently broken out on a dedicated Ora trust page.
// What to watch
- Trust center at trust.lavender.ai is Drata-powered but returned HTTP 403 during live verification, so its cert list could not be read directly; SOC 2/GDPR claims were instead confirmed from the vendor's own /privacy page, which is solid but is a secondary source to the trust center itself.
- A search-engine AI summary asserted Lavender holds ISO 27001, PCI, HIPAA, FedRAMP, and CSA STAR certifications; none of this could be corroborated on any lavender.ai page, and the Terms of Service directly contradicts the HIPAA claim ('not tailored to comply with...HIPAA'). This looks like an aggregator/SEO-site over-claim and should not be trusted; graded held=false for all of these.
- Minor internal inconsistency: privacy policy states up to two years' retention of uploaded email correspondence for historical analysis, while marketing/security copy elsewhere implies emails are not retained after analysis. Buyers with strict retention requirements should confirm directly with Lavender.
- No public Data Processing Agreement (DPA) link was found; GDPR posture is asserted but the mechanism for signing a DPA is not self-serve/public.
- AI training carve-out is Google-Workspace-specific ('has not and will not be used to...train...models'); data from other integrations may be used in de-identified model training, so 'no training' should not be presented as a blanket claim in the AIFOXX listing.
// At a glance
Pricing model
Freemium individual tier plus paid Team/Enterprise tiers and a separate Ora product; exact seat pricing not captured in this review
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sorter, Inc. (doing business as Lavender)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.lavender.ai