// Trust & Security Report

    OneSignal, Inc. logo

    OneSignal, Inc.

    Customer Engagement Platform (push notifications, email, SMS/RCS, in-app messaging, live activities, AI-assisted journeys)

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II certified with an unqualified opinion covering controls around security, confidentiality, and privacy. Our SOC 2 Type II report is available by request on our Enterprise Plan.

    Verify on onesignal.com
    ISO 27001
    HELD

    OneSignal is ISO27001 certified. This certification underscores our commitment to maintaining the highest standards of information security management.

    Verify on documentation.onesignal.com
    ISO 27701
    HELD

    ISO 27701 extends ISO 27001 to include privacy information management...managing privacy controls to reduce the risk to privacy rights. Achieved March 19, 2025.

    Verify on onesignal.com
    HIPAA (BAA available)
    HELD

    OneSignal provides a platform to support HIPAA compliance. A Business Associate Agreement (BAA) is available to customers by request on our Enterprise Plan.

    Verify on onesignal.com
    GDPR (compliance capability)
    HELD

    OneSignal provides the ability for all users to be GDPR compliant, however, you may need to modify your own privacy policy to be covered.

    Verify on onesignal.com
    CCPA (compliance capability)
    HELD

    OneSignal provides the ability for all users to be CCPA compliant, however, you may need to modify your own privacy policy to be covered.

    Verify on onesignal.com
    EU-U.S. Data Privacy Framework (DPF)
    HELD

    Transfers to the US are permitted when OneSignal maintains active DPF certification, eliminating Restricted Transfer classification.

    Verify on onesignal.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primary infrastructure in Netherlands (europe-west4 GCP region). Data 'hosted and stored in Europe and accessed in the United States.'

    No explicit statement in the privacy policy or terms prohibiting AI training on customer data. The terms grant OneSignal a license to use technical logs and 'learnings about Customer's use of the Services' for operating and improving services, with external disclosure limited to de-identified and aggregated data. The DPA (effective July 1, 2026) specifies that the AI Agent inference layer has zero at-rest retention by default, conversation history retained 30 days in europe-west4, and evaluation/annotation logs retained up to 90 days. OneSignal's privacy policy does state that SDK information is used to 'develop and use predictive models' and create algorithms on behalf of Clients for targeting purposes, not for OneSignal's own foundational model training. No clear opt-out mechanism for AI feature data use was found. Buyers in regulated industries should seek explicit contractual assurance.

    // Security controls

    Encryption in Transit

    TLS 1.2+

    documentation.onesignal.com

    Encryption at Rest

    AES-256

    documentation.onesignal.com

    Penetration Testing

    Annual third-party security assessment; quarterly vulnerability and penetration scans with prompt remediation of critical/high-severity findings

    documentation.onesignal.com

    Bug Bounty

    No public HackerOne or Bugcrowd program found. Vulnerability Disclosure Policy maintained at security@onesignal.com. VDP expiry date listed as January 1, 2030 on Firebounty.

    firebounty.com

    2FA / SSO

    2FA and SSO options available. SSO added as part of Enterprise Security and Legal package.

    documentation.onesignal.com

    Personnel Security

    Background checks and regular security training required for staff.

    documentation.onesignal.com

    Incident Notification

    Security incident notification within 72 hours per DPA obligations.

    onesignal.com

    Sub-processor Transparency

    Sub-processor list maintained at https://onesignal.com/list-of-subprocessors; 30-day advance notice of new sub-processors.

    onesignal.com

    // Products & data scope

    Free PlanPush notifications / basic engagement

    data: Unlimited mobile push subscribers; 10,000 web push subscribers per send. Standard data collection via SDKs. No SOC 2 report access. Data retained 18 months inactive then deleted.

    No compliance reports or BAA available on free tier.

    Growth PlanMulti-channel engagement (push, email, in-app)

    data: Starts at $19/month. Adds email and advanced segmentation. Standard SDK data collection. No compliance report access.

    Intended for growing apps and marketing teams.

    Professional PlanAdvanced automation, personalization

    data: Custom pricing starting ~$999/month (annual). Advanced Journeys automation and personalization. Access to dedicated support.

    Annual contract. No BAA, unclear if SOC 2 report accessible at this tier.

    Enterprise PlanFull compliance, custom SLA, HIPAA

    data: Custom annual pricing. Full compliance package: SOC 2 Type II report, ISO certs, HIPAA BAA, custom contract, SSO, dedicated CSM. Data retained indefinitely for paid plans.

    Only tier with SOC 2 report access by request and BAA for HIPAA use cases.

    OneSignal AIAI-assisted content generation and segmentation (add-on feature across plans)

    data: Uses customer prompts and app context for message generation. Inference layer: zero at-rest retention by default. Conversation history retained 30 days in europe-west4. Evaluation/annotation logs up to 90 days.

    Sub-processor for AI is Google Inc. (Google Cloud/GEAP). No explicit statement on foundational model training from customer data.

    // What to watch

    • AI training stance is ambiguous: no explicit prohibition on using customer data to improve OneSignal's own AI models; buyers should seek contractual clarity, especially on Enterprise plans.
    • SOC 2 Type II report and HIPAA BAA are gated behind Enterprise Plan only: compliance-sensitive buyers must upgrade.
    • No public HackerOne or Bugcrowd bug bounty program: only a private VDP via security@onesignal.com.
    • Data accessed from EU servers but also from US: cross-border transfers covered by SCCs and DPF, but buyers in jurisdictions with strict data-localization requirements should verify.
    • The privacy policy (last updated April 2024) predates the AI Agent feature DPA addendum (effective July 2026): discrepancy in coverage dates.

    // At a glance

    Pricing model

    Freemium with tiered paid plans (Free / Growth $19+/mo / Professional ~$999+/mo annual / Enterprise custom annual)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on OneSignal, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    app.conveyor.com

    > Browse all vendor trust reports