// Trust & Security Report
Okendo Inc / Okendo Pty Ltd
Shopify-native customer marketing platform: Reviews, Loyalty, Quizzes, Referrals, and Surveys, sold as bundled or standalone modules to merchants ranging from small brands to enterprise Shopify Plus stores.
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 10 unconfirmed / not-held certifications
source: trust.okendo.ioTrust center lists only 'SOC 2 Type 2' under Compliance; no separate Type 1 report is listed (Type 2 supersedes Type 1 for an ongoing engagement). No public evidence of a standalone Type 1.
source: okendo.ioNo public evidence. Trust center Compliance section lists only SOC 2 Type 2, GDPR and CCPA; okendo.io/security/ describes an 'Information Security Program' that follows SOC 2 criteria with no mention of ISO 27001.
source: trust.okendo.ioNo public evidence on vendor domain. Not listed in trust center Compliance section despite Okendo's use of third-party AI providers (Anthropic, OpenAI) as subprocessors.
source: okendo.ioNo public evidence and not applicable: Okendo is a Shopify commerce/reviews platform that does not process protected health information; no HIPAA claim appears anywhere on the vendor site.
source: okendo.ioNo public evidence. Okendo states financial/payment data is handled via 'industry standard encryption technology' but does not claim PCI DSS certification; payment processing itself is handled by Shopify, not Okendo.
source: okendo.ioNo public evidence on vendor domain; not relevant to Okendo's commercial Shopify-merchant customer base.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Primary infrastructure hosted on Amazon Web Services in the United States (databases described as US-based); Standard Contractual Clauses / UK Addendum used to govern any transfers for GDPR/UK-GDPR purposes.
Okendo's Enterprise Service Agreement (Clause 6.8, 'Ownership and Intellectual Property Rights') states Okendo 'may use, reproduce, modify, analyse, aggregate, de-identify and otherwise process Content and Merchant Data (and any data derived from Content or Merchant Data) to create, develop, train, fine-tune, test, evaluate, deploy and improve any machine learning or artificial intelligence systems, models, algorithms, technologies, products or services.' Clause 6.8(1) constrains this for personal data specifically: it may only be used for AI/ML purposes if de-identified or aggregated so it no longer identifies a person. No merchant-facing opt-out toggle was found on the vendor site; the only stated recourse is revoking the license grant in writing per Clause 6.4. Okendo also lists Anthropic, PBC and OpenAI, L.L.C. as subprocessors on its GDPR subprocessor list, consistent with AI-powered features (e.g. review summarization) in the product.
// Security controls
Hosting infrastructure
Exclusively hosted on AWS, US-based databases, multi-availability-zone deployment
okendo.ioAccess control
SSO and two-factor authentication available; quarterly employee access reviews; unique access IDs
okendo.ioContinuous monitoring
Compliance continuously monitored via Secureframe automated platform
trust.okendo.ioIncident response
Documented Incident Response Plan with periodic testing and lessons-learned process
trust.okendo.io// Products & data scope
data: Customer reviews, photos/video UGC, ratings, PII of reviewers (name, email)
Core product; feeds review syndication to TikTok Shop, Google, Bazaarvoice, Klaviyo integrations.
data: Purchase history, points/rewards balances, customer contact data
Rewards, points and referral-linked customer profile data.
data: Quiz responses, inferred shopper preference data
Used for 1:1 product recommendations.
data: Referrer/referee contact data
Shares customer contact data across referral chains.
data: Survey response data, potentially sensitive customer sentiment data
Same platform-wide security/privacy terms apply across all five modules per the single Enterprise Service Agreement and Trust Center; no module-specific compliance differences were found.
// What to watch
- No ISO 27001, ISO 27701, ISO 42001, HIPAA, PCI DSS, FedRAMP, or CSA STAR evidence found on vendor domain; only SOC 2 Type 2 plus GDPR/CCPA posture pages are backed by direct evidence.
- SOC 2 Type 2 report itself is gated ('Request' access via the Secureframe-powered trust center) and was not independently viewed; grading relies on the trust center's own listing plus consistent corroboration from okendo.io/security/, which is standard practice but means the underlying audit report was not read.
- AI-training clause: Okendo's Enterprise Service Agreement grants broad rights to use merchant Content/Merchant Data to train and improve AI/ML systems, with no self-service opt-out found (only a written license revocation path). Personal data specifically is restricted to de-identified/aggregated use for AI purposes, but the underlying data (reviews, images) may still be used in de-identified form. This should be surfaced to prospective merchants as a review item.
- Anthropic, PBC and OpenAI, L.L.C. are both listed as data subprocessors, indicating Okendo passes some merchant/customer content to third-party LLM providers for AI-powered features; the vendor site does not clearly document which features send data to which provider or under what data-retention terms.
- A third-party search result (not on Okendo's own domain) claimed Okendo is 'certified and compliant with all major privacy and security regulations including GDPR, CCPA, SOC2, QCGA, and ADA' -- this list includes 'QCGA' and 'ADA' which do not correspond to recognized security/compliance certifications and were not corroborated on any Okendo-owned page; this looks like an unverified marketing aggregator claim and was excluded from the graded certifications.
// At a glance
Pricing model
Tiered SaaS subscription starting at $19/month, scaling with Shopify store order volume; enterprise contract buyout options available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Okendo Inc / Okendo Pty Ltd's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.okendo.io