// Trust & Security Report

    Nosto Solutions Ltd logo

    Nosto Solutions Ltd

    AI-powered ecommerce Commerce Experience Platform: Predictive Product Recommendations, on-site Search Personalization, Category Merchandising, and Huginn (agentic AI layer for personalization/merchandising/A-B testing). Also includes the legacy Stackla UGC platform, acquired and offered under separate legacy terms.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    "For the transfer of personal data to Nosto's third party service providers, or the sub-processors, located in the USA... Nosto has transferred personal data based on data processing agreements which incorporate the Standard Contractual Clauses" and Nosto publishes a Privacy Notice, Cookie Notice, DPA, and Subprocessor list; company is headquartered in Helsinki, Finland (EU).

    Verify on nosto.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No SOC 2 report, badge, or reference found on nosto.com, help.nosto.com, or in the DPA/subprocessor/privacy pages; no dedicated trust center exists to host one.

    source: nosto.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. No ISO 27001 certificate or reference found anywhere on Nosto's own domain, including the Legal Center and Data Processing Addendum, which instead describe internal 'technical and organisational precautions' (VPC firewalling, MFA VPN, IAM, audit logging) without naming any external certification.

    source: nosto.com
    HIPAA
    NOT CONFIRMED

    No public evidence, and out of scope: Nosto is an ecommerce personalization/search/merchandising platform, not a healthcare product, and states it does 'not collect any confidential data, such as payment card details or personal details except an e-mail address.'

    source: help.nosto.com
    PCI DSS
    NOT CONFIRMED

    No public evidence, and largely out of scope: Nosto's own Help Center states it does 'not collect any confidential data, such as payment card details,' indicating no cardholder-data environment requiring PCI DSS.

    source: help.nosto.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence. No mention of ISO/IEC 42001 or any AI-governance certification anywhere on Nosto's site, despite active marketing of the Huginn agentic AI feature.

    source: nosto.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not referenced on nosto.com or help.nosto.com.

    source: nosto.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; not applicable to Nosto's commercial ecommerce customer base. Not referenced anywhere on the vendor domain.

    source: nosto.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Primary hosting in AWS us-east-1 (N. Virginia, USA) across multiple Availability Zones, plus an AWS Australia region for hosting/storage; CloudFront CDN with EU edge locations; Nosto states data is processed on servers in 'the USA or EU/EEA or in such countries which the Commission of European Union has determined to ensure adequate protection,' with Standard Contractual Clauses used for US transfers.

    Nosto's core product is a predictive AI/ML recommendation and personalization engine that is trained on each customer's own real-time behavioral and transactional data (browsing events, product views, cart/order data) to generate on-site recommendations; the newer Huginn agent is described as 'trained on millions of behavioral and transactional data points.' This is core product functionality (personalization ML), not generative-AI training on customer documents/PII for a foundation model, and no explicit customer-level opt-out of this core training was found on the vendor's own pages. The general Privacy Notice does not separately address AI/ML model training, and no opt-out mechanism specific to AI training was located; this should be confirmed directly with Nosto for enterprise contracts.

    // Security controls

    Hosting infrastructure

    AWS, multiple Availability Zones in us-east-1 (N. Virginia); separate AWS Australia region for hosting/storage; CloudFront CDN

    help.nosto.com

    Network access controls

    VPC with firewall restrictions, VPN access requiring time-based one-time-password MFA, IAM authentication required for infrastructure access

    nosto.com

    Data protection in processing

    Pseudonymization and encryption of personal data as part of Nosto's technical/organisational measures program

    nosto.com

    Physical security

    AWS data center physical controls described (electronic access control, motion detection, logged access points) - this is the AWS host's physical security, not an independent Nosto facility

    nosto.com

    Audit logging

    Audit logging of Nosto infrastructure performed at multiple levels covering Nosto personnel, customer, and system-component activity

    nosto.com

    Sensitive data collection

    Nosto states it does not collect payment card details or personal data beyond an email address as part of core tracking, reducing cardholder-data / high-sensitivity exposure

    help.nosto.com

    Sub-processors

    Amazon Web Services, Inc. and Amazon Web Services Australia Pty Ltd (hosting/storage), MongoDB, Inc. (backup storage), Iron.io, Inc. (webhook transport), plus Nosto's own regional affiliates

    nosto.com

    // Products & data scope

    Predictive Product RecommendationsAI/ML ecommerce personalization

    data: Shopper behavioral/browsing/transaction data on the customer's storefront

    Core product; ML model trained on each customer's real-time behavioral data

    On-site Search PersonalizationAI-powered search

    data: Search queries, product catalog, shopper behavior data

    Same underlying data/infra as recommendations

    Category MerchandisingRules/AI-driven merchandising automation

    data: Product performance metrics and attributes

    Rules-based plus AI signals

    Huginn (Agentic AI)Agentic AI layer

    data: Behavioral/transactional data feeding a 'Large Intent Model'; operates under brand supervision per vendor marketing

    Newest product (2026 launch, early access program); least amount of public security/privacy documentation of any Nosto product - no dedicated AI governance page or opt-out mechanism found

    Legacy Stackla UGC PlatformUser-generated content platform

    data: Social network content and organic advocate data

    Governed by separate legacy Master Subscription Agreement / DPA, distinct from the core Nosto personalization terms

    // What to watch

    • No SOC 2, ISO 27001, PCI DSS, HIPAA, ISO 42001, or CSA STAR certification could be found anywhere on Nosto's own domain despite a fairly mature customer base (1,500+ brands including Marc Jacobs); this is a real gap for an enterprise-facing vendor of this size, not just a startup with no evidence.
    • No dedicated trust center exists; security information is scattered across a Help Center FAQ article and the legal DPA, and the Help Center security FAQ ('we don't collect confidential data... except an e-mail address') reads as outdated/inconsistent with the far broader data types (browsing events, cart, order info, names) listed in the DPA - flagging as a possible legacy-copy vs current-practice contradiction.
    • Huginn (agentic AI feature) is actively marketed as being 'trained on millions of behavioral and transactional data points' but there is no AI-specific governance page, no stated customer opt-out from this training, and no AI-governance certification (ISO 42001, CSA STAR AI) - an over-claim risk if AIFOXX or the vendor implies AI-safety maturity without backing documentation.
    • AWS physical/data-center security controls described in the DPA belong to the host (AWS), not to Nosto directly; do not attribute AWS's SOC/ISO posture to Nosto without Nosto's own attestation.

    // At a glance

    Pricing model

    Enterprise B2B SaaS, quote-based ("Book a demo"); no public self-serve pricing found

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Nosto Solutions Ltd's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    nosto.com

    > Browse all vendor trust reports