// Trust & Security Report
Missive Inc.
Missive is a shared-inbox / email collaboration app for teams (Mac, Windows, Linux, iOS, Android, web). Notable sub-feature: an optional AI assistant / AI rules layer that routes selected email content to a third-party LLM provider (OpenAI, Anthropic, or Google) chosen by the customer.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on missiveapp.com“Missive has achieved SOC 2 Type II compliance, a widely recognized auditing standard for service providers... Our SOC 2 Type II audit was conducted by an independent third-party CPA based in California, USA. Our SOC 2 report is available upon request.”
Verify on missiveapp.com“Missive is fully compliant with the EU's General Data Protection Regulation.”
> Show 6 unconfirmed / not-held certifications
source: missiveapp.comNo public evidence of an ISO 27001 certification for Missive; not mentioned on the security page, GDPR page, or privacy FAQ.
source: missiveapp.comMissive is not HIPAA compliant and we don't sign Business Associate Agreements (BAAs).
source: missiveapp.comAll payments made through our services are processed by Stripe which is certified as a PCI Level 1 Service Provider. We do not collect or store payment information in our infrastructure. (This is Stripe's/the payment processor's certification, not Missive's own PCI attestation.)
source: missiveapp.comNo public evidence of ISO/IEC 42001 or any AI-governance certification.
source: missiveapp.comNo public evidence of CSA STAR registration or certification.
source: missiveapp.comNo public evidence of FedRAMP authorization; Missive is a small/growth-stage SMB collaboration tool with no government-authorization claims.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily United States (AWS, Crunchy Data/Crunchy Bridge for databases, Postmark, Rollbar, Segment, Mixpanel, Stripe, Canny, Google - all listed as US-based subprocessors). One listed subprocessor, Campaign Monitor (marketing newsletters only), is based in Australia. No dedicated EU/other regional hosting option found.
Missive states plainly it does not train models on customer data: 'No. Missive does not train models on your data.' (blog privacy FAQ) and 'Missive doesn't train on your emails, ever... Whether you use Missive AI credits or your own key, requests go to your chosen provider's API. Missive doesn't store or train on your emails.' (AI assistant page). When a customer enables the optional AI assistant / AI rules feature, relevant email content is sent to the customer's chosen third-party LLM provider (OpenAI, Anthropic, or Google); each provider's own default (non-training) API data policy then applies. No tier-specific difference in this posture was found; feature is opt-in per workspace.
// Security controls
Encryption in transit
All connections between Missive apps and Missive servers, and between Missive servers and third-party integrations (e.g. Gmail, Office 365, Twilio), use TLS.
missiveapp.comEncryption at rest
All data stored in Missive's database and cloud storage is encrypted at rest.
missiveapp.comInfrastructure
Hosted on Amazon Web Services, with Crunchy Data / Crunchy Bridge as the managed database provider.
missiveapp.comThird-party access review
Missive has completed Google's mandatory security assessment (CASA/OAuth verification) required for apps accessing Gmail / Google Workspace data; assessment letters available on request via security@missiveapp.com.
missiveapp.comVulnerability disclosure
Missive runs a public vulnerability disclosure and bug bounty program.
missiveapp.comPayment data handling
Payments are processed by Stripe (PCI Level 1 Service Provider); Missive does not collect or store payment card data itself.
missiveapp.com// Products & data scope
data: Customer emails, chat messages, tasks, and connected-account data (Gmail, Office 365, SMS/Twilio, social channels) synced into Missive's infrastructure on AWS.
Primary product; billed per-seat across Starter/Productive/Business-style plans.
data: Selected email/message content is sent to a customer-chosen third-party LLM provider (OpenAI, Anthropic, or Google) only when the feature is actively invoked; not stored or trained on by Missive.
Opt-in per workspace; billed via prepaid Missive AI credits or a customer-supplied API key. Data-handling depends partly on the chosen third-party provider's own policy.
// What to watch
- No dedicated 'Trust Center' subdomain or self-serve compliance portal (e.g. Vanta/Drata-hosted); SOC 2 report is available only on request via email, not downloadable.
- No ISO 27001, HIPAA, PCI DSS, ISO/IEC 42001, or CSA STAR held; vendor's own copy explicitly states it is NOT HIPAA compliant and does not sign BAAs, so AIFOXX must not imply healthcare-data suitability.
- AWS/Crunchy Data hosting infrastructure certifications belong to the hosting providers, not to Missive directly; only the SOC 2 Type II attestation is described as Missive's own independent audit.
// At a glance
Pricing model
Per-seat subscription tiers (with a free trial); optional prepaid AI credits or bring-your-own API key for the AI assistant.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Missive Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
missiveapp.com