// Trust & Security Report

    Missive Inc. logo

    Missive Inc.

    Missive is a shared-inbox / email collaboration app for teams (Mac, Windows, Linux, iOS, Android, web). Notable sub-feature: an optional AI assistant / AI rules layer that routes selected email content to a third-party LLM provider (OpenAI, Anthropic, or Google) chosen by the customer.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Missive has achieved SOC 2 Type II compliance, a widely recognized auditing standard for service providers... Our SOC 2 Type II audit was conducted by an independent third-party CPA based in California, USA. Our SOC 2 report is available upon request.

    Verify on missiveapp.com
    GDPR (compliance posture)
    HELD

    Missive is fully compliant with the EU's General Data Protection Regulation.

    Verify on missiveapp.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of an ISO 27001 certification for Missive; not mentioned on the security page, GDPR page, or privacy FAQ.

    source: missiveapp.com
    HIPAA
    NOT CONFIRMED

    Missive is not HIPAA compliant and we don't sign Business Associate Agreements (BAAs).

    source: missiveapp.com
    PCI DSS
    NOT CONFIRMED

    All payments made through our services are processed by Stripe which is certified as a PCI Level 1 Service Provider. We do not collect or store payment information in our infrastructure. (This is Stripe's/the payment processor's certification, not Missive's own PCI attestation.)

    source: missiveapp.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or any AI-governance certification.

    source: missiveapp.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification.

    source: missiveapp.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; Missive is a small/growth-stage SMB collaboration tool with no government-authorization claims.

    source: missiveapp.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily United States (AWS, Crunchy Data/Crunchy Bridge for databases, Postmark, Rollbar, Segment, Mixpanel, Stripe, Canny, Google - all listed as US-based subprocessors). One listed subprocessor, Campaign Monitor (marketing newsletters only), is based in Australia. No dedicated EU/other regional hosting option found.

    Missive states plainly it does not train models on customer data: 'No. Missive does not train models on your data.' (blog privacy FAQ) and 'Missive doesn't train on your emails, ever... Whether you use Missive AI credits or your own key, requests go to your chosen provider's API. Missive doesn't store or train on your emails.' (AI assistant page). When a customer enables the optional AI assistant / AI rules feature, relevant email content is sent to the customer's chosen third-party LLM provider (OpenAI, Anthropic, or Google); each provider's own default (non-training) API data policy then applies. No tier-specific difference in this posture was found; feature is opt-in per workspace.

    // Security controls

    Encryption in transit

    All connections between Missive apps and Missive servers, and between Missive servers and third-party integrations (e.g. Gmail, Office 365, Twilio), use TLS.

    missiveapp.com

    Encryption at rest

    All data stored in Missive's database and cloud storage is encrypted at rest.

    missiveapp.com

    Infrastructure

    Hosted on Amazon Web Services, with Crunchy Data / Crunchy Bridge as the managed database provider.

    missiveapp.com

    Data selling

    We do not sell user data, to anyone, ever.

    missiveapp.com

    Third-party access review

    Missive has completed Google's mandatory security assessment (CASA/OAuth verification) required for apps accessing Gmail / Google Workspace data; assessment letters available on request via security@missiveapp.com.

    missiveapp.com

    Vulnerability disclosure

    Missive runs a public vulnerability disclosure and bug bounty program.

    missiveapp.com

    Payment data handling

    Payments are processed by Stripe (PCI Level 1 Service Provider); Missive does not collect or store payment card data itself.

    missiveapp.com

    // Products & data scope

    Missive (core shared-inbox app)Team email collaboration / shared inbox

    data: Customer emails, chat messages, tasks, and connected-account data (Gmail, Office 365, SMS/Twilio, social channels) synced into Missive's infrastructure on AWS.

    Primary product; billed per-seat across Starter/Productive/Business-style plans.

    AI assistant / AI rulesOptional AI add-on within the core app

    data: Selected email/message content is sent to a customer-chosen third-party LLM provider (OpenAI, Anthropic, or Google) only when the feature is actively invoked; not stored or trained on by Missive.

    Opt-in per workspace; billed via prepaid Missive AI credits or a customer-supplied API key. Data-handling depends partly on the chosen third-party provider's own policy.

    // What to watch

    • No dedicated 'Trust Center' subdomain or self-serve compliance portal (e.g. Vanta/Drata-hosted); SOC 2 report is available only on request via email, not downloadable.
    • No ISO 27001, HIPAA, PCI DSS, ISO/IEC 42001, or CSA STAR held; vendor's own copy explicitly states it is NOT HIPAA compliant and does not sign BAAs, so AIFOXX must not imply healthcare-data suitability.
    • AWS/Crunchy Data hosting infrastructure certifications belong to the hosting providers, not to Missive directly; only the SOC 2 Type II attestation is described as Missive's own independent audit.

    // At a glance

    Pricing model

    Per-seat subscription tiers (with a free trial); optional prepaid AI credits or bring-your-own API key for the AI assistant.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Missive Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    missiveapp.com

    > Browse all vendor trust reports