// Trust & Security Report

    MoEngage, Inc. logo

    MoEngage, Inc.

    Agentic customer engagement platform: Analytics & Insights, Cross-Channel Marketing (push, email, SMS, WhatsApp, in-app), Web & App Personalization, Real-Time Transactional Alerts (API), and Merlin AI (generative/agentic AI layer for content, insights, and decisioning)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    "MoEngage has received the SOC 2 Type 2 and CSA STAR attestation" resulting from "in-depth third-party audits by Accedere that scrutinize the architecture and operations of MoEngage's SaaS service and infrastructure," covering the Security, Confidentiality, and Availability Trust Service Criteria.

    Verify on moengage.com
    ISO 27001:2022
    HELD

    "MoEngage is the first customer engagement platform to achieve this certification" (ISO 27001:2022), an update to its earlier ISO 27001:2013 certification which was audited by BSI Group per an earlier MoEngage blog post.

    Verify on moengage.com
    ISO 27701:2019 (PIMS)
    HELD

    "We are the first in our industry to gain the PIMS ISO 27701: 2019 and the BCMS ISO 22301: 2019 certifications"

    Verify on moengage.com
    ISO 22301:2019 (BCMS)
    HELD

    "We are the first in our industry to gain the PIMS ISO 27701: 2019 and the BCMS ISO 22301: 2019 certifications"

    Verify on moengage.com
    CSA STAR (Level 2 Attestation)
    HELD

    "MoEngage has completed the CSA STAR Level 2 Attestation for its SaaS Infrastructure and Service," validating compliance with the "CSA Cloud Controls Matrix (CCM) Version 4.0.5 control specifications."

    Verify on moengage.com
    GDPR (compliance posture)
    HELD

    "MoEngage processes personal data on clients' behalf, according to their instructions" and supports data subject rights (access, rectification, erasure via a dedicated Erase API, restriction, and portability); the DPA uses "Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs)" for cross-border transfers.

    Verify on moengage.com
    HIPAA
    HELD

    "MoEngage has fairly designed, documented, and implemented controls to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements" and can "Sign the Business Associate Agreement (BAA), a document often sought by healthcare brands." Note: self-attested controls rather than a government-issued certification, and BAA execution is presented as available on request rather than automatic for all customers.

    Verify on moengage.com
    CCPA (compliance posture)
    HELD

    MoEngage's own security/compliance page lists "CCPA Compliance" alongside GDPR and other frameworks, and MoEngage publishes a dedicated CCPA developer/user guide.

    Verify on moengage.com
    > Show 4 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence on any MoEngage-owned page (scale-and-security page, trust vault landing, GDPR page, or compliance blog posts) lists PCI DSS. The only mention found is a third-party AWS Partner Network blog post that lists "Adherence to major compliance standards including PCI-DSS, FedRAMP, ISO 27001, GDPR, HIPAA" as a MoEngage claim, but this is not the vendor's own domain and is not corroborated anywhere on moengage.com or trust.moengage.com. Treated as unconfirmed, not held.

    source: aws.amazon.com
    FedRAMP
    NOT CONFIRMED

    Same unverified AWS partner-blog claim as PCI DSS above ("Adherence to major compliance standards including PCI-DSS, FedRAMP..."). FedRAMP is a US federal cloud authorization that would be prominently marketed if genuinely held, and no MoEngage-owned page mentions it. Not corroborated on vendor domain; treated as an over-claim by a third-party blog, not a MoEngage-held authorization.

    source: aws.amazon.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence found on moengage.com, trust.moengage.com, or in web search results of an ISO 42001 or other dedicated AI-governance certification, despite MoEngage's heavy marketing of Merlin AI. Vendor instead relies on a written 'Approach to Generative AI' data-handling policy rather than a certified AI management system.

    source: help.moengage.com
    CSA STAR for AI / CAIQ-AI
    NOT CONFIRMED

    No public evidence of an AI-specific CSA STAR submission; MoEngage's CSA STAR attestation found is the general Level 2 CCM attestation, not an AI-specific one.

    source: moengage.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Data centers in the US, Europe (EU), India, and Indonesia per MoEngage's own security page; cross-border transfers to countries without adequate protection use SCC-backed DPAs, and the company states its Indian subsidiary is bound by Standard Contractual Clauses; MoEngage also references EU-U.S. Data Privacy Framework participation for EU/UK/Swiss data flows.

    MoEngage's Merlin AI documentation states "3rd party AI models are not trained on your data and will not be trained on your data" and that prompts/completions "are NOT used to improve foundation models provided by partners" or "any 3rd party products or services." Customer data is kept separated from model providers. MoEngage's own proprietary recommendation/personalization algorithms do learn from a customer's own workspace data (campaign history, user actions) to power features within that customer's account, but this is described as intra-tenant personalization, not cross-customer model training. No opt-out mechanism or tier-based (enterprise vs. standard) difference is documented for this policy; it is presented as a blanket commitment.

    // Security controls

    Encryption in transit and at rest

    MoEngage's compliance certifications (SOC 2 Type 2, ISO 27001:2022) imply standard encryption controls are audited; a third-party AWS partner blog additionally claims "comprehensive encryption for data at rest & transit," though this specific line is not independently confirmed on a MoEngage-owned page.

    aws.amazon.com

    Access control / dashboard security

    MoEngage documentation describes a "Security Firewall that limits and controls access to the dashboard to only trusted IP addresses/ranges" plus a "two-step verification process" for account access.

    moengage.com

    Sub-processors disclosure

    MoEngage maintains a public sub-processor list; the privacy policy notes "the list of sub-processors may differ from customer-to-customer," with full detail behind the Trust Vault (trust.moengage.com), which requires a login/access request to view documents beyond the compliance category names.

    moengage.com

    Business continuity / disaster recovery

    Certified to ISO 22301:2019 (Business Continuity Management System), described as an industry-first for the customer engagement category.

    moengage.com

    Trust center access model

    trust.moengage.com ("Trust Vault") lists Compliance / Documents / Controls / Sub-processors / FAQs categories but gates full documents and audit reports behind a login/access-request flow; only category labels and a few FAQ questions are publicly crawlable.

    trust.moengage.com

    // Products & data scope

    Analytics & InsightsCustomer analytics

    data: Behavioral and event-level customer data across web/app/channels

    Same compliance posture as core platform; no separate certification scope disclosed.

    Cross-Channel MarketingMarketing automation / messaging (push, email, SMS, WhatsApp)

    data: Contact/PII data plus message content and delivery metadata

    Primary channel-orchestration product; covered by the platform-wide SOC 2, ISO 27001, and GDPR/HIPAA posture.

    Web & App PersonalizationOn-site/in-app personalization

    data: Real-time behavioral/session data for content targeting

    No separate compliance scope statement found; assumed covered under platform-wide certifications.

    Real-Time Transactional AlertsTransactional messaging API

    data: Transaction/event payloads sent via single API call

    Positioned for regulated use cases (e.g. financial services); HIPAA BAA and SCC-backed DPA are the relevant controls for sensitive data here.

    Merlin AIGenerative/agentic AI layer (content generation, insights, decisioning)

    data: Customer workspace data used for in-tenant personalization; prompts/outputs isolated from third-party model providers per vendor's Generative AI approach doc

    No dedicated AI-governance certification (e.g. ISO 42001) found; relies on a written data-handling policy rather than a third-party AI audit. This is the highest-risk area for future re-verification as MoEngage expands agentic AI features (e.g. the 2026 Aampe acquisition for '1:1 agentic decisioning').

    // What to watch

    • Trust center (trust.moengage.com) gates actual audit reports and full certification documents behind a login/access-request flow; public crawl only exposes category labels (Compliance/Documents/Controls/Sub-processors/FAQs), so certifications were verified via MoEngage's own blog posts and marketing pages rather than the trust center's primary documents themselves.
    • PCI DSS and FedRAMP are claimed for MoEngage in a third-party AWS Partner Network blog post, but neither appears anywhere on moengage.com or trust.moengage.com. FedRAMP in particular is a significant US federal authorization that would be prominently marketed if genuinely held; this looks like an over-claim or error in the partner blog and should NOT be listed as a MoEngage credential until confirmed directly from MoEngage.
    • HIPAA and BAA availability are self-attested by MoEngage (no named independent HIPAA auditor/certifying body disclosed in the vendor's own post); BAA execution is described as available on request, not automatic for all customers or tiers.
    • No AI-specific governance certification (ISO 42001, CSA STAR for AI, etc.) was found despite MoEngage's significant and growing generative/agentic AI surface area (Merlin AI, and the 2026 Aampe acquisition for agentic decisioning). AI-training claims rely on a support-center policy document rather than an audited control.
    • ISO 27001:2013 was superseded by ISO 27001:2022 per MoEngage's own blog; older third-party listings that still cite ISO 27001:2013 should be treated as stale.

    // At a glance

    Pricing model

    Custom/quote-based enterprise SaaS pricing (usage/tier-based, not publicly listed self-serve pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on MoEngage, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.moengage.com

    > Browse all vendor trust reports