// Trust & Security Report
Parabola Technologies, Inc.
AI agent / workflow automation platform for operations and finance teams (Parabola "Flows" builder plus AI-powered steps); single core product with a self-serve tier and an Enterprise tier (SSO/SAML, dedicated automation-engineer implementation, role-based access). Not to be confused with the unrelated product "Parabol" (parabol.co), a meeting-notes tool.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on parabola.io“"SOC2 Compliant" badge (image labeled "SOC 2 type II badge"); elsewhere on the vendor's own site: "Parabola is SOC 2 compliant" and the Enterprise page lists "SOC 2 Type II" as an included capability.”
Verify on parabola.io“"Parabola offers a Data Protection Agreement as a means of meeting the adequacy and security requirements of the European Parliament and Council of the European Union's Data Protection Directive and the General Data Protection Regulation (GDPR)." The DPA itself: "AES 256-bit encryption for Customer Data stored in Parabola's production environment" and commits to a maintained subprocessor list with 14 days' notice of changes.”
> Show 7 unconfirmed / not-held certifications
source: parabola.ioNo public evidence on parabola.io. The security page, security FAQs, shared-data-responsibility page, and privacy policy make no mention of ISO 27001. (A third-party aggregator, nudgesecurity.com, lists Parabola as "ISO 27001 Compliant" but this is not a vendor-domain source and could not be corroborated on parabola.io.)
source: parabola.io"Customer acknowledges that the Services are not intended to meet any legal obligations for these uses, including HIPAA requirements, and that Parabola is not a Business Associate as defined under HIPAA." Protected health information is explicitly listed as "Prohibited Data."
source: parabola.io"All payments made to Parabola go through our payment processing partner, Stripe." Payment-card data is listed as "Prohibited Data" for use within the product itself ("credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards (PCI DSS)..."); any PCI compliance is Stripe's, not Parabola's own certification.
source: parabola.ioNo public evidence on parabola.io. Not mentioned on the security page, security FAQs, or legal pages. (Third-party aggregator nudgesecurity.com claims "FedRamp Compliant" but this is unverifiable on the vendor's own domain and is treated as an over-claim risk, not fact.)
source: parabola.ioNo public evidence on parabola.io. (Third-party aggregator nudgesecurity.com claims "CSA Star Level 1 Compliant" but this is not corroborated on the vendor's own domain.)
source: parabola.ioNo public evidence of an AI-governance certification on the vendor's own domain.
source: parabola.ioNo public evidence of CSA STAR AI on the vendor's own domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US-hosted (AWS, servers in the United States); EU/Swiss personal data transfers use safeguards such as EU Commission Model Contracts per the privacy policy.
Vendor documentation states Parabola does not train its own AI models on customer data, and that its third-party LLM providers are used under enterprise agreements: "Parabola maintains enterprise-level agreements with its third-party AI model providers (incl. OpenAI and Anthropic) that include Data Processing Agreements" which "contractually prohibit the providers from using the contents of any data sent through Parabola's AI steps as training data for their models." No opt-out toggle or tier distinction is described in the available documentation; the posture is stated as a blanket contractual guarantee rather than a per-account opt-out control, which is a minor gap in transparency for enterprise buyers who want to self-verify.
// Security controls
Encryption at rest
AES-256 for data stored by Parabola, including production Customer Data
parabola.ioHosting
Runs fully on AWS, servers in the United States, within a segregated VPC with firewalled subnets
parabola.ioPassword storage
Never stored in plaintext; SHA-256 hashing derived from PBKDF2 with salts
parabola.ioPenetration testing
Annual independent third-party security assessments and penetration testing
parabola.ioData handling in flows
Data passed through an automation flow is stored in memory and never written to disk; uploaded files are stored in secured Amazon S3 buckets
parabola.ioSubprocessors
Maintains a subprocessor list with 14 days' advance notice of changes to customers under DPA
parabola.io// Products & data scope
data: Connects to and processes customer business data pulled from source systems (e.g. Shopify, NetSuite, ERP/3PL/warehouse systems) to build automated data flows
Standard SOC 2 Type II, encryption, and DPA protections apply per the vendor's security page; no evidence of tier-gated security controls beyond SSO/SAML and role-based access.
data: Same data scope as self-serve, plus dedicated automation-engineer implementation (8-12 week onboarding) and account-level access controls
Adds SSO & SAML, role-based access, and usage analytics; enterprise page explicitly restates SOC 2 Type II as an included capability.
// What to watch
- A third-party aggregator (nudgesecurity.com) claims Parabola is ISO 27001, HIPAA, PCI, FedRAMP, and CSA STAR compliant. None of these claims could be corroborated on parabola.io's own security, FAQ, DPA, or legal pages, and the vendor's own Terms/OMSA explicitly disclaim HIPAA Business Associate status and treat PCI/PHI data as 'Prohibited Data.' Treat the aggregator's claims as unverified over-claims, not fact, until Parabola's own trust center lists them.
- Name-collision risk: a different, unrelated company 'Parabol' (parabol.co, a meeting/retro tool) has its own security FAQ page that could be confused with Parabola (parabola.io) in search results. All findings here were sourced strictly from parabola.io.
- No formal hosted trust-center portal (e.g. Vanta/Drata/SafeBase Trust Center) was found; parabola.io/security is a self-authored security page, not an independently-hosted, continuously-updated trust portal.
- AI-training no-train guarantee rests on vendor's own statement plus asserted DPAs with OpenAI and Anthropic; no opt-out control or tier distinction is documented for teams wanting to restrict AI steps entirely.
// At a glance
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Parabola Technologies, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
parabola.io