// Trust & Security Report
Omnisend, UAB
Email and SMS marketing automation platform for ecommerce (campaigns, automation workflows, segmentation, forms/popups, push notifications, and Omnisend AI copy/segmentation assistant, plus a newer MCP integration for AI agents)
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on omnisend.com“Privacy Policy states, verbatim, that 'We process Personal Data in accordance with the provisions of the General Data Protection Regulation No. 2016/679 (EU) (the "GDPR")' and that EU Standard Contractual Clauses are signed with partners for transfers, with a signed DPA offered at /data-processing-agreement/. Omnisend, UAB is itself an EU (Lithuania) entity, which is a strong structural indicator of GDPR applicability and posture. This is a compliance posture, not a third-party-audited certification.”
> Show 8 unconfirmed / not-held certifications
source: omnisend.comNo public evidence. No dedicated trust/security center exists on omnisend.com, and neither the Privacy Policy nor the Data Processing Agreement (DPA) references a SOC 2 report. Web search for a vendor-issued SOC 2 report returned nothing on omnisend.com; the only SOC 2 hits were for an unrelated company ('Omni Analytics').
source: omnisend.comNo public evidence. The DPA describes security measures (encryption, access controls, logging, vulnerability testing, incident response, annual staff security training) in narrative form but does not cite ISO/IEC 27001 or any independent certification body.
source: omnisend.comNo public evidence found on any Omnisend-owned page.
source: omnisend.comNo public evidence. Omnisend does not process card payments directly (it is an email/SMS marketing tool, not a checkout/payment processor), and no PCI DSS attestation is referenced anywhere on the vendor's site.
source: omnisend.comNo public evidence of HIPAA support and no Business Associate Agreement (BAA) is advertised on the marketing site or DPA page. Omnisend is a general ecommerce email/SMS marketing tool, not positioned for protected health information. The Terms of Use do not name HIPAA specifically; they contain only a general regulatory-suitability disclaimer (Section 15.3.2: 'If you're subject to regulations and you use our Services, then we won't be liable if our Services doesn't meet those requirements'), which places responsibility for any regulated use on the customer.
source: omnisend.comNo public evidence of an AI-governance certification despite Omnisend actively marketing 'Omnisend AI' features (copy generation, send-time optimization, segmentation) and a new MCP integration ('Your AI can now talk to Omnisend. Explore MCP' on the homepage).
source: omnisend.comNo public evidence found on any Omnisend-owned page or via search.
source: omnisend.comNo public evidence. The Omnisend Privacy Policy names only 'EU Standard Contractual Clauses' as its cross-border transfer safeguard and never mentions the 'Data Privacy Framework' by name; no Omnisend-owned page asserts DPF participation, and no Omnisend self-certification was located on the official DPF registry. (The 'Data Privacy Framework' language present in the raw evidence originated from an incidentally captured Microsoft privacy page, not from Omnisend, and was discarded.) Omnisend's transfer mechanism is SCC-based, and as a Lithuania (EEA) entity Omnisend is a data exporter rather than a US importer that would self-certify to the DPF.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Company is registered in Lithuania (EU) with additional UK and US entities; Privacy Policy states data is 'normally processed within the EEA' but the DPA identifies Google Cloud Platform (GCP) as primary infrastructure and international sub-processors (e.g., Mailgun, Twilio) which may process data outside the EEA under Standard Contractual Clauses.
The Privacy Policy states Omnisend 'will not sell, rent, loan, or invite external access to any data trusted to us' but separately reserves the right to 'scan the content of your campaigns... to develop and test algorithms, heuristics and other methods and tools,' which is used for abuse/deliverability detection, not clearly disclosed as generative-AI model training. Neither the dedicated Omnisend AI feature page (/features/omnisend-ai/) nor the AI info page (/ai-info-page/) discloses which AI provider/model powers 'Omnisend AI', whether customer campaign content is used to train any model, or an opt-out mechanism. This is a real disclosure gap given Omnisend actively markets AI copywriting, segmentation, and an MCP agent integration.
// Security controls
Encryption
DPA references encryption/pseudonymization of data 'including during transmission' and lists encryption among the technical measures in the DPA's security annex; no detail on at-rest algorithm or key management is publicly disclosed.
omnisend.comTwo-factor authentication (account login)
Omnisend offers optional 2FA via authenticator app for customer account logins.
support.omnisend.comCloud infrastructure
Primary infrastructure runs on Google Cloud Platform (GCP); DPA states 'The Services rely on the Google Cloud Platform who is responsible for implementing controls for physical security of data center facilities.'
omnisend.comVulnerability disclosure / bug bounty
Published security.txt lists a security contact (security@omnisend.com) and a bug bounty policy page; independent reporting also references a Patchstack-run vulnerability disclosure program for Omnisend's WordPress plugin specifically.
omnisend.comAccess controls / employee training
DPA states authorized employees are bound by confidentiality obligations and undergo annual security awareness training; employee workstations are treated as ephemeral with primary work 'in the cloud.'
omnisend.comSub-processors
DPA Annex III lists roughly 18 named sub-processors including Google Cloud EMEA Limited (Ireland), Mailgun Technologies (US), Twilio Ireland Limited (Ireland), plus Slack, Microsoft, and Cloudflare for support/analytics functions.
omnisend.comData subject rights / breach notification
DPA commits to notifying customers 'promptly and without undue delay' of a personal data breach, including categories and approximate number of records affected; Privacy Policy documents data retention periods (e.g., account data retained 5 years after last login, financial records 10 years).
omnisend.com// Products & data scope
data: Customer/subscriber PII (email, phone, purchase and behavioral data) synced from ecommerce platforms (Shopify, BigCommerce, WooCommerce, etc.)
Primary product; positioned as a lower-cost alternative to Klaviyo with a free 5-day migration offer.
data: Campaign copy, brand assets, customer segments, and send-time behavioral data
Marketed for subject-line/copy generation, send-time optimization, AI segmentation, and a Forms AI assistant. No public disclosure of underlying model provider or whether customer content is used for training.
data: Account/campaign data exposed to a connected AI agent
New feature ('Your AI can now talk to Omnisend. Explore MCP') advertised on the homepage as of this assessment; no separate security/data-handling documentation was found specific to this integration, which is itself a gap given it exposes account data to third-party AI agents.
// What to watch
- No SOC 2, ISO 27001, or any independent third-party security certification found on any Omnisend-owned page despite the company being a well-established, revenue-generating platform (reported 2024 revenue of approximately EUR 35.5M and 150k+ customers claimed on the homepage) -- this is a real compliance gap for a company of this size, not just a startup with no budget for audits.
- These must not be used as Omnisend's own privacy commitments.
- AI training disclosure gap: Omnisend actively markets 'Omnisend AI' (copy generation, segmentation) and a new MCP agent integration, but no vendor-owned page discloses whether customer campaign/content data is used to train or fine-tune any AI model, which provider powers the feature, or whether an opt-out exists.
- HIPAA is not supported: no BAA is offered and no HIPAA capability is advertised anywhere on the vendor's site. Note the Terms of Use do not name HIPAA specifically; they carry only a general regulatory-suitability disclaimer (Section 15.3.2) that places compliance responsibility on the customer. AIFOXX should not list Omnisend as HIPAA-suitable.
- EU-U.S. Data Privacy Framework participation is inferred from a secondary summary and the vendor's SCC-based transfer language rather than a direct citation from the official DPF registry or an omnisend.com page explicitly naming 'Data Privacy Framework' certification; treat this claim as medium-confidence, not equivalent to a verified registry entry.
// At a glance
Pricing model
Freemium / usage-tiered SaaS subscription (free plan plus paid tiers scaling with contacts and email/SMS volume)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Omnisend, UAB's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
omnisend.com