// Trust & Security Report

    Okendo Inc / Okendo Pty Ltd logo

    Okendo Inc / Okendo Pty Ltd

    Shopify-native customer marketing platform: Reviews, Loyalty, Quizzes, Referrals, and Surveys, sold as bundled or standalone modules to merchants ranging from small brands to enterprise Shopify Plus stores.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Compliance SOC 2 Type 2 Request

    Verify on trust.okendo.io
    GDPR (posture, not a certification)
    HELD

    GDPR Visit

    Verify on trust.okendo.io
    CCPA (posture, not a certification)
    HELD

    CCPA Visit

    Verify on trust.okendo.io
    > Show 10 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    Trust center lists only 'SOC 2 Type 2' under Compliance; no separate Type 1 report is listed (Type 2 supersedes Type 1 for an ongoing engagement). No public evidence of a standalone Type 1.

    source: trust.okendo.io
    ISO 27001
    NOT CONFIRMED

    No public evidence. Trust center Compliance section lists only SOC 2 Type 2, GDPR and CCPA; okendo.io/security/ describes an 'Information Security Program' that follows SOC 2 criteria with no mention of ISO 27001.

    source: okendo.io
    ISO 27017 (cloud security)
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: okendo.io
    ISO 27018 (PII in cloud)
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: okendo.io
    ISO 27701 (privacy)
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: okendo.io
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence on vendor domain. Not listed in trust center Compliance section despite Okendo's use of third-party AI providers (Anthropic, OpenAI) as subprocessors.

    source: trust.okendo.io
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: trust.okendo.io
    HIPAA
    NOT CONFIRMED

    No public evidence and not applicable: Okendo is a Shopify commerce/reviews platform that does not process protected health information; no HIPAA claim appears anywhere on the vendor site.

    source: okendo.io
    PCI DSS
    NOT CONFIRMED

    No public evidence. Okendo states financial/payment data is handled via 'industry standard encryption technology' but does not claim PCI DSS certification; payment processing itself is handled by Shopify, not Okendo.

    source: okendo.io
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor domain; not relevant to Okendo's commercial Shopify-merchant customer base.

    source: okendo.io

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Primary infrastructure hosted on Amazon Web Services in the United States (databases described as US-based); Standard Contractual Clauses / UK Addendum used to govern any transfers for GDPR/UK-GDPR purposes.

    Okendo's Enterprise Service Agreement (Clause 6.8, 'Ownership and Intellectual Property Rights') states Okendo 'may use, reproduce, modify, analyse, aggregate, de-identify and otherwise process Content and Merchant Data (and any data derived from Content or Merchant Data) to create, develop, train, fine-tune, test, evaluate, deploy and improve any machine learning or artificial intelligence systems, models, algorithms, technologies, products or services.' Clause 6.8(1) constrains this for personal data specifically: it may only be used for AI/ML purposes if de-identified or aggregated so it no longer identifies a person. No merchant-facing opt-out toggle was found on the vendor site; the only stated recourse is revoking the license grant in writing per Clause 6.4. Okendo also lists Anthropic, PBC and OpenAI, L.L.C. as subprocessors on its GDPR subprocessor list, consistent with AI-powered features (e.g. review summarization) in the product.

    // Security controls

    Encryption in transit

    TLS/SSL for all application traffic

    okendo.io

    Encryption at rest

    All databases encrypted at rest

    okendo.io

    Hosting infrastructure

    Exclusively hosted on AWS, US-based databases, multi-availability-zone deployment

    okendo.io

    Penetration testing

    Independent third-party penetration test performed at least annually

    okendo.io

    Access control

    SSO and two-factor authentication available; quarterly employee access reviews; unique access IDs

    okendo.io

    Continuous monitoring

    Compliance continuously monitored via Secureframe automated platform

    trust.okendo.io

    Incident response

    Documented Incident Response Plan with periodic testing and lessons-learned process

    trust.okendo.io

    Employee vetting

    Background checks on new employees; mandatory security awareness training

    okendo.io

    // Products & data scope

    Okendo ReviewsReviews / UGC

    data: Customer reviews, photos/video UGC, ratings, PII of reviewers (name, email)

    Core product; feeds review syndication to TikTok Shop, Google, Bazaarvoice, Klaviyo integrations.

    Okendo LoyaltyLoyalty / Rewards

    data: Purchase history, points/rewards balances, customer contact data

    Rewards, points and referral-linked customer profile data.

    Okendo QuizzesProduct recommendation quizzes

    data: Quiz responses, inferred shopper preference data

    Used for 1:1 product recommendations.

    Okendo ReferralsReferral marketing

    data: Referrer/referee contact data

    Shares customer contact data across referral chains.

    Okendo SurveysCustomer intelligence / surveys

    data: Survey response data, potentially sensitive customer sentiment data

    Same platform-wide security/privacy terms apply across all five modules per the single Enterprise Service Agreement and Trust Center; no module-specific compliance differences were found.

    // What to watch

    • No ISO 27001, ISO 27701, ISO 42001, HIPAA, PCI DSS, FedRAMP, or CSA STAR evidence found on vendor domain; only SOC 2 Type 2 plus GDPR/CCPA posture pages are backed by direct evidence.
    • SOC 2 Type 2 report itself is gated ('Request' access via the Secureframe-powered trust center) and was not independently viewed; grading relies on the trust center's own listing plus consistent corroboration from okendo.io/security/, which is standard practice but means the underlying audit report was not read.
    • AI-training clause: Okendo's Enterprise Service Agreement grants broad rights to use merchant Content/Merchant Data to train and improve AI/ML systems, with no self-service opt-out found (only a written license revocation path). Personal data specifically is restricted to de-identified/aggregated use for AI purposes, but the underlying data (reviews, images) may still be used in de-identified form. This should be surfaced to prospective merchants as a review item.
    • Anthropic, PBC and OpenAI, L.L.C. are both listed as data subprocessors, indicating Okendo passes some merchant/customer content to third-party LLM providers for AI-powered features; the vendor site does not clearly document which features send data to which provider or under what data-retention terms.
    • A third-party search result (not on Okendo's own domain) claimed Okendo is 'certified and compliant with all major privacy and security regulations including GDPR, CCPA, SOC2, QCGA, and ADA' -- this list includes 'QCGA' and 'ADA' which do not correspond to recognized security/compliance certifications and were not corroborated on any Okendo-owned page; this looks like an unverified marketing aggregator claim and was excluded from the graded certifications.

    // At a glance

    Pricing model

    Tiered SaaS subscription starting at $19/month, scaling with Shopify store order volume; enterprise contract buyout options available.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Okendo Inc / Okendo Pty Ltd's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.okendo.io

    > Browse all vendor trust reports