// Trust & Security Report
Nosto Solutions Ltd
AI-powered ecommerce Commerce Experience Platform: Predictive Product Recommendations, on-site Search Personalization, Category Merchandising, and Huginn (agentic AI layer for personalization/merchandising/A-B testing). Also includes the legacy Stackla UGC platform, acquired and offered under separate legacy terms.
Certifications held
1
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on nosto.com“"For the transfer of personal data to Nosto's third party service providers, or the sub-processors, located in the USA... Nosto has transferred personal data based on data processing agreements which incorporate the Standard Contractual Clauses" and Nosto publishes a Privacy Notice, Cookie Notice, DPA, and Subprocessor list; company is headquartered in Helsinki, Finland (EU).”
> Show 7 unconfirmed / not-held certifications
source: nosto.comNo public evidence. No SOC 2 report, badge, or reference found on nosto.com, help.nosto.com, or in the DPA/subprocessor/privacy pages; no dedicated trust center exists to host one.
source: nosto.comNo public evidence. No ISO 27001 certificate or reference found anywhere on Nosto's own domain, including the Legal Center and Data Processing Addendum, which instead describe internal 'technical and organisational precautions' (VPC firewalling, MFA VPN, IAM, audit logging) without naming any external certification.
source: help.nosto.comNo public evidence, and out of scope: Nosto is an ecommerce personalization/search/merchandising platform, not a healthcare product, and states it does 'not collect any confidential data, such as payment card details or personal details except an e-mail address.'
source: help.nosto.comNo public evidence, and largely out of scope: Nosto's own Help Center states it does 'not collect any confidential data, such as payment card details,' indicating no cardholder-data environment requiring PCI DSS.
source: nosto.comNo public evidence. No mention of ISO/IEC 42001 or any AI-governance certification anywhere on Nosto's site, despite active marketing of the Huginn agentic AI feature.
source: nosto.comNo public evidence. Not referenced on nosto.com or help.nosto.com.
source: nosto.comNo public evidence; not applicable to Nosto's commercial ecommerce customer base. Not referenced anywhere on the vendor domain.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Primary hosting in AWS us-east-1 (N. Virginia, USA) across multiple Availability Zones, plus an AWS Australia region for hosting/storage; CloudFront CDN with EU edge locations; Nosto states data is processed on servers in 'the USA or EU/EEA or in such countries which the Commission of European Union has determined to ensure adequate protection,' with Standard Contractual Clauses used for US transfers.
Nosto's core product is a predictive AI/ML recommendation and personalization engine that is trained on each customer's own real-time behavioral and transactional data (browsing events, product views, cart/order data) to generate on-site recommendations; the newer Huginn agent is described as 'trained on millions of behavioral and transactional data points.' This is core product functionality (personalization ML), not generative-AI training on customer documents/PII for a foundation model, and no explicit customer-level opt-out of this core training was found on the vendor's own pages. The general Privacy Notice does not separately address AI/ML model training, and no opt-out mechanism specific to AI training was located; this should be confirmed directly with Nosto for enterprise contracts.
// Security controls
Hosting infrastructure
AWS, multiple Availability Zones in us-east-1 (N. Virginia); separate AWS Australia region for hosting/storage; CloudFront CDN
help.nosto.comNetwork access controls
VPC with firewall restrictions, VPN access requiring time-based one-time-password MFA, IAM authentication required for infrastructure access
nosto.comData protection in processing
Pseudonymization and encryption of personal data as part of Nosto's technical/organisational measures program
nosto.comPhysical security
AWS data center physical controls described (electronic access control, motion detection, logged access points) - this is the AWS host's physical security, not an independent Nosto facility
nosto.comAudit logging
Audit logging of Nosto infrastructure performed at multiple levels covering Nosto personnel, customer, and system-component activity
nosto.comSensitive data collection
Nosto states it does not collect payment card details or personal data beyond an email address as part of core tracking, reducing cardholder-data / high-sensitivity exposure
help.nosto.comSub-processors
Amazon Web Services, Inc. and Amazon Web Services Australia Pty Ltd (hosting/storage), MongoDB, Inc. (backup storage), Iron.io, Inc. (webhook transport), plus Nosto's own regional affiliates
nosto.com// Products & data scope
data: Shopper behavioral/browsing/transaction data on the customer's storefront
Core product; ML model trained on each customer's real-time behavioral data
data: Search queries, product catalog, shopper behavior data
Same underlying data/infra as recommendations
data: Product performance metrics and attributes
Rules-based plus AI signals
data: Behavioral/transactional data feeding a 'Large Intent Model'; operates under brand supervision per vendor marketing
Newest product (2026 launch, early access program); least amount of public security/privacy documentation of any Nosto product - no dedicated AI governance page or opt-out mechanism found
data: Social network content and organic advocate data
Governed by separate legacy Master Subscription Agreement / DPA, distinct from the core Nosto personalization terms
// What to watch
- No SOC 2, ISO 27001, PCI DSS, HIPAA, ISO 42001, or CSA STAR certification could be found anywhere on Nosto's own domain despite a fairly mature customer base (1,500+ brands including Marc Jacobs); this is a real gap for an enterprise-facing vendor of this size, not just a startup with no evidence.
- No dedicated trust center exists; security information is scattered across a Help Center FAQ article and the legal DPA, and the Help Center security FAQ ('we don't collect confidential data... except an e-mail address') reads as outdated/inconsistent with the far broader data types (browsing events, cart, order info, names) listed in the DPA - flagging as a possible legacy-copy vs current-practice contradiction.
- Huginn (agentic AI feature) is actively marketed as being 'trained on millions of behavioral and transactional data points' but there is no AI-specific governance page, no stated customer opt-out from this training, and no AI-governance certification (ISO 42001, CSA STAR AI) - an over-claim risk if AIFOXX or the vendor implies AI-safety maturity without backing documentation.
- AWS physical/data-center security controls described in the DPA belong to the host (AWS), not to Nosto directly; do not attribute AWS's SOC/ISO posture to Nosto without Nosto's own attestation.
// At a glance
Pricing model
Enterprise B2B SaaS, quote-based ("Book a demo"); no public self-serve pricing found
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Nosto Solutions Ltd's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
nosto.com