// Trust & Security Report

    Nifty Technologies Inc. (Nifty PM) logo

    Nifty Technologies Inc. (Nifty PM)

    All-in-one project management OS (niftypm.com) combining Roadmaps, Tasks, Docs, Discussions/Chat, Forms, Reporting, and an embedded AI layer ("Nifty Orbit AI") for auto-generating projects, tasks, and documents. Also exposes a developer API (developers.niftypm.com). Single product line, tiered by seats/features (Free, Starter, Pro, Business, Unlimited) rather than by security posture.

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    We've earned the SOC 2 Trust Services Principles certification, highlighting our commitment to security.

    Verify on niftypm.com
    ISO 27001:2022
    HELD

    Nifty has achieved ISO 27001:2022 certification, a globally recognized standard for information security management.

    Verify on niftypm.com
    PCI DSS (Level 1)
    HELD

    Nifty maintains ongoing Level 1 PCI compliance which is top-level credit card storage and processing standards.

    Verify on niftypm.com
    GDPR (posture)
    HELD

    Nifty is compliant with the General Data Protection Regulation (GDPR) and leverages the privacy features built into Amazon Web Services (AWS).

    Verify on niftypm.com
    CASA (Google Cloud Application Security Assessment)
    HELD

    Our Cloud Application Security Assessment certifications underscores our adherence to rigorous cybersecurity standards.

    Verify on niftypm.com
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence: HIPAA is not mentioned anywhere on niftypm.com/security/, /privacy/, or /terms/.

    source: niftypm.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on vendor domain.

    source: niftypm.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of these ISO extensions found on vendor domain; only ISO 27001:2022 is cited.

    source: niftypm.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of AI governance certification found on vendor domain, including the dedicated /ai/ product page.

    source: niftypm.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence of CSA STAR or CSA STAR for AI listing found on vendor domain.

    source: niftypm.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    AWS-hosted; company headquartered at 315 W 36th St, New York, NY 10018. No specific data-center region or EU/US residency commitment is published; policy references Irish/EU data-subject-rights standards without stating where data is actually stored.

    The privacy policy contains a narrow, explicit denial scoped only to one data source: 'We will not use any data or APIs from Google Workspace integrations to develop, improve, or train generalized AI and/or ML models.' There is no equivalent statement covering the core product's own AI feature (Nifty Orbit AI) or general workspace/task/document data. The dedicated /ai/ product page has no privacy or training-data disclosure at all. Graded null (unresolved) rather than false because the vendor's own denial does not extend that far.

    // Security controls

    Encryption in transit

    All data end-to-end encrypted over SSL/TLS, described as "financial-institute level security," encrypted from the moment it leaves the device until it reaches its destination.

    niftypm.com

    Encryption at rest

    Not separately specified beyond general "end-to-end encrypted" language; no AES-256-at-rest statement found.

    niftypm.com

    Backups

    Daily backups stored on separate servers.

    niftypm.com

    Monitoring

    24/7/365 active monitoring of security, performance, and availability.

    niftypm.com

    Testing

    Automated security testing on an ongoing basis, plus third-party independent penetration testing.

    niftypm.com

    Authentication

    Single Sign-On (SSO) and two-factor authentication (2FA) available as onboarding options.

    niftypm.com

    Infrastructure

    Hosted on Amazon Web Services (AWS).

    niftypm.com

    Data retention

    Deleted items purged within 30 days (retained in trash until then); upon account cancellation nothing is stored past 30 days per the security page (privacy policy separately states a 60-day auto-deletion window for uploaded content) - the two pages are not fully consistent on the exact retention window.

    niftypm.com

    // Products & data scope

    Nifty (core PM platform)Project management / work OS

    data: Project and task data, roadmaps, uploaded documents/files, discussion/chat messages, forms, reporting data, user account information.

    Primary product; the certifications above (SOC 2, ISO 27001, PCI DSS) are stated at the company/platform level, not per-tier.

    Nifty Orbit AIEmbedded AI feature layer

    data: User prompts and existing workspace content (chats, tasks) used to auto-generate projects, tasks, and documents.

    AI model/provider not disclosed on the vendor's site. No AI-specific privacy or training-data statement found on the /ai/ product page; this is a real disclosure gap, not a confirmed practice either way.

    Nifty Developer APIIntegration / API access

    data: Programmatic read/write access to workspace data via API tokens.

    No API-specific security documentation (rate limiting, token scoping, etc.) was found beyond the general developer docs at developers.niftypm.com.

    // What to watch

    • SOC 2 claim does not specify Type 1 vs Type 2, names no auditor, and no report or badge is linked; the report is only obtainable by emailing team@niftypm.com. Recommend independent verification before relying on this for enterprise/regulated deals.
    • AI-training posture is ambiguous: the only training-data denial on the privacy policy is scoped narrowly to 'Google Workspace integrations' data, and does not cover the built-in Nifty Orbit AI feature or general product data. Graded trains_on_customer_data as null (unresolved), not false - do not present this as a clean 'does not train on your data' claim.
    • No independent third-party trust portal (e.g., Vanta, Drata, SecurityScorecard, Whistic) was found; all compliance claims live as marketing copy on niftypm.com/security/ with no linked certificates, audit dates, or badges.
    • Identity warning: 'Nifty AI' at nifty.ai (formerly Auto Posher, an e-commerce reselling/cross-listing tool) is a DIFFERENT, unrelated company. Do not conflate its data or certifications with Nifty PM (niftypm.com), the project-management vendor assessed here.
    • Minor inconsistency between the security page (30-day post-cancellation deletion) and the privacy policy (60-day auto-deletion of uploaded content) on exact data retention windows.
    • No HIPAA, FedRAMP, ISO 27017/27018/27701, ISO/IEC 42001, or CSA STAR evidence found; these are correctly graded absent, not a red flag on their own for a PM tool of this size.

    // At a glance

    Pricing model

    Freemium, per-seat SaaS subscription (Free, Starter, Pro, Business, Unlimited tiers); "Free forever, no credit card needed" entry tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Nifty Technologies Inc. (Nifty PM)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    niftypm.com

    > Browse all vendor trust reports