// Trust & Security Report

    Omnisend, UAB logo

    Omnisend, UAB

    Email and SMS marketing automation platform for ecommerce (campaigns, automation workflows, segmentation, forms/popups, push notifications, and Omnisend AI copy/segmentation assistant, plus a newer MCP integration for AI agents)

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture, not a certification)
    HELD

    Privacy Policy states, verbatim, that 'We process Personal Data in accordance with the provisions of the General Data Protection Regulation No. 2016/679 (EU) (the "GDPR")' and that EU Standard Contractual Clauses are signed with partners for transfers, with a signed DPA offered at /data-processing-agreement/. Omnisend, UAB is itself an EU (Lithuania) entity, which is a strong structural indicator of GDPR applicability and posture. This is a compliance posture, not a third-party-audited certification.

    Verify on omnisend.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence. No dedicated trust/security center exists on omnisend.com, and neither the Privacy Policy nor the Data Processing Agreement (DPA) references a SOC 2 report. Web search for a vendor-issued SOC 2 report returned nothing on omnisend.com; the only SOC 2 hits were for an unrelated company ('Omni Analytics').

    source: omnisend.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. The DPA describes security measures (encryption, access controls, logging, vulnerability testing, incident response, annual staff security training) in narrative form but does not cite ISO/IEC 27001 or any independent certification body.

    source: omnisend.com
    ISO 27017 / 27018
    NOT CONFIRMED

    No public evidence found on any Omnisend-owned page.

    source: omnisend.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Omnisend does not process card payments directly (it is an email/SMS marketing tool, not a checkout/payment processor), and no PCI DSS attestation is referenced anywhere on the vendor's site.

    source: omnisend.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA support and no Business Associate Agreement (BAA) is advertised on the marketing site or DPA page. Omnisend is a general ecommerce email/SMS marketing tool, not positioned for protected health information. The Terms of Use do not name HIPAA specifically; they contain only a general regulatory-suitability disclaimer (Section 15.3.2: 'If you're subject to regulations and you use our Services, then we won't be liable if our Services doesn't meet those requirements'), which places responsibility for any regulated use on the customer.

    source: omnisend.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of an AI-governance certification despite Omnisend actively marketing 'Omnisend AI' features (copy generation, send-time optimization, segmentation) and a new MCP integration ('Your AI can now talk to Omnisend. Explore MCP' on the homepage).

    source: omnisend.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any Omnisend-owned page or via search.

    source: omnisend.com
    EU-U.S. Data Privacy Framework (DPF)
    NOT CONFIRMED

    No public evidence. The Omnisend Privacy Policy names only 'EU Standard Contractual Clauses' as its cross-border transfer safeguard and never mentions the 'Data Privacy Framework' by name; no Omnisend-owned page asserts DPF participation, and no Omnisend self-certification was located on the official DPF registry. (The 'Data Privacy Framework' language present in the raw evidence originated from an incidentally captured Microsoft privacy page, not from Omnisend, and was discarded.) Omnisend's transfer mechanism is SCC-based, and as a Lithuania (EEA) entity Omnisend is a data exporter rather than a US importer that would self-certify to the DPF.

    source: omnisend.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Company is registered in Lithuania (EU) with additional UK and US entities; Privacy Policy states data is 'normally processed within the EEA' but the DPA identifies Google Cloud Platform (GCP) as primary infrastructure and international sub-processors (e.g., Mailgun, Twilio) which may process data outside the EEA under Standard Contractual Clauses.

    The Privacy Policy states Omnisend 'will not sell, rent, loan, or invite external access to any data trusted to us' but separately reserves the right to 'scan the content of your campaigns... to develop and test algorithms, heuristics and other methods and tools,' which is used for abuse/deliverability detection, not clearly disclosed as generative-AI model training. Neither the dedicated Omnisend AI feature page (/features/omnisend-ai/) nor the AI info page (/ai-info-page/) discloses which AI provider/model powers 'Omnisend AI', whether customer campaign content is used to train any model, or an opt-out mechanism. This is a real disclosure gap given Omnisend actively markets AI copywriting, segmentation, and an MCP agent integration.

    // Security controls

    Encryption

    DPA references encryption/pseudonymization of data 'including during transmission' and lists encryption among the technical measures in the DPA's security annex; no detail on at-rest algorithm or key management is publicly disclosed.

    omnisend.com

    Two-factor authentication (account login)

    Omnisend offers optional 2FA via authenticator app for customer account logins.

    support.omnisend.com

    Cloud infrastructure

    Primary infrastructure runs on Google Cloud Platform (GCP); DPA states 'The Services rely on the Google Cloud Platform who is responsible for implementing controls for physical security of data center facilities.'

    omnisend.com

    Vulnerability disclosure / bug bounty

    Published security.txt lists a security contact (security@omnisend.com) and a bug bounty policy page; independent reporting also references a Patchstack-run vulnerability disclosure program for Omnisend's WordPress plugin specifically.

    omnisend.com

    Access controls / employee training

    DPA states authorized employees are bound by confidentiality obligations and undergo annual security awareness training; employee workstations are treated as ephemeral with primary work 'in the cloud.'

    omnisend.com

    Sub-processors

    DPA Annex III lists roughly 18 named sub-processors including Google Cloud EMEA Limited (Ireland), Mailgun Technologies (US), Twilio Ireland Limited (Ireland), plus Slack, Microsoft, and Cloudflare for support/analytics functions.

    omnisend.com

    Data subject rights / breach notification

    DPA commits to notifying customers 'promptly and without undue delay' of a personal data breach, including categories and approximate number of records affected; Privacy Policy documents data retention periods (e.g., account data retained 5 years after last login, financial records 10 years).

    omnisend.com

    // Products & data scope

    Omnisend core platform (email + SMS + push marketing automation)Ecommerce marketing automation

    data: Customer/subscriber PII (email, phone, purchase and behavioral data) synced from ecommerce platforms (Shopify, BigCommerce, WooCommerce, etc.)

    Primary product; positioned as a lower-cost alternative to Klaviyo with a free 5-day migration offer.

    Omnisend AIGenerative AI assistant embedded in the core product

    data: Campaign copy, brand assets, customer segments, and send-time behavioral data

    Marketed for subject-line/copy generation, send-time optimization, AI segmentation, and a Forms AI assistant. No public disclosure of underlying model provider or whether customer content is used for training.

    Omnisend MCP integrationAI agent connectivity (Model Context Protocol)

    data: Account/campaign data exposed to a connected AI agent

    New feature ('Your AI can now talk to Omnisend. Explore MCP') advertised on the homepage as of this assessment; no separate security/data-handling documentation was found specific to this integration, which is itself a gap given it exposes account data to third-party AI agents.

    // What to watch

    • No SOC 2, ISO 27001, or any independent third-party security certification found on any Omnisend-owned page despite the company being a well-established, revenue-generating platform (reported 2024 revenue of approximately EUR 35.5M and 150k+ customers claimed on the homepage) -- this is a real compliance gap for a company of this size, not just a startup with no budget for audits.
    • These must not be used as Omnisend's own privacy commitments.
    • AI training disclosure gap: Omnisend actively markets 'Omnisend AI' (copy generation, segmentation) and a new MCP agent integration, but no vendor-owned page discloses whether customer campaign/content data is used to train or fine-tune any AI model, which provider powers the feature, or whether an opt-out exists.
    • HIPAA is not supported: no BAA is offered and no HIPAA capability is advertised anywhere on the vendor's site. Note the Terms of Use do not name HIPAA specifically; they carry only a general regulatory-suitability disclaimer (Section 15.3.2) that places compliance responsibility on the customer. AIFOXX should not list Omnisend as HIPAA-suitable.
    • EU-U.S. Data Privacy Framework participation is inferred from a secondary summary and the vendor's SCC-based transfer language rather than a direct citation from the official DPF registry or an omnisend.com page explicitly naming 'Data Privacy Framework' certification; treat this claim as medium-confidence, not equivalent to a verified registry entry.

    // At a glance

    Pricing model

    Freemium / usage-tiered SaaS subscription (free plan plus paid tiers scaling with contacts and email/SMS volume)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Omnisend, UAB's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    omnisend.com

    > Browse all vendor trust reports