// Trust & Security Report

    Rasa Technologies Inc. (Rasa Technologies GmbH in the EU) logo

    Rasa Technologies Inc. (Rasa Technologies GmbH in the EU)

    Enterprise developer platform for building AI agents: the flagship self-hosted/private-cloud Rasa Platform (with Rasa Studio for design/observability), the legacy open-source Rasa Open Source framework, and Rasa-hosted trial/sandbox environments used for evaluation.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture / DPA)
    HELD

    'The DPA only applies to Personal Data which are subject to the GDPR' (rasa.com/dpa); Rasa's Website Privacy Policy states EU-hosted Services and names a Data Protection Officer/Privacy Officer overseeing the data-protection program, with defined data-subject rights and a 30-day response commitment.

    Verify on rasa.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    rasa.com/industries/finance-and-banking (marketing FAQ) states: 'Is Rasa compliant for financial services use cases? Yes. Rasa supports SOC 2 Type II compliance, on-premise and private cloud deployment, data residency controls, and full audit logging for every automated interaction.' However, the vendor's own dedicated security page (rasa.com/security-at-rasa) makes no SOC 2 claim anywhere and no SOC 2 attestation report, audit date, or auditor is referenced on any vendor-domain page. 'Supports SOC 2 compliance' describes product features (deployment control, audit logs) that help a customer achieve their own compliance, not a confirmed SOC 2 Type II certification of Rasa itself. Treated as unverified.

    source: rasa.com
    ISO 27001
    NOT CONFIRMED

    'Although our controls are aligned with the requirements of ISO 27002, we have broken down the sections below to align with the ISO 27001 domains to allow for customers and prospects to easily cross reference with their requirements.' This is a self-attestation of control alignment, not a certified ISMS audited against ISO 27001; no certificate number, registrar, or audit date is published.

    source: rasa.com
    ISO 27002 (control alignment, not a certification)
    NOT CONFIRMED

    'We have worked to ensure our security controls are aligned with ISO 27002 and we apply industry best practises wherever applicable.' Listed for transparency: this is a stated best-practice alignment, not an issued ISO certificate.

    source: rasa.com
    HIPAA
    NOT CONFIRMED

    No public evidence of a HIPAA compliance program, BAA offering, or HIPAA-eligible hosting tier on any vendor-domain page found.

    source: rasa.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on any vendor-domain page found.

    source: rasa.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on the vendor's own pages.

    source: rasa.com
    CSA STAR / CSA STAR for AI
    NOT CONFIRMED

    No public evidence of a CSA STAR registration or CSA STAR AI attestation found on the vendor's own pages.

    source: rasa.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on the vendor's own pages.

    source: rasa.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Hosted Services: European Union. Online Services (website/account infra): United States and European Union. Self-hosted Rasa Platform / Rasa Open Source deployments: fully customer-controlled (on-prem or customer's own cloud/private cloud).

    Posture differs by product tier. For the self-hosted Rasa Platform / Rasa Open Source product, the Product Privacy Policy states Rasa 'do[es] not process personal data as part of the Products' beyond customer instruction (e.g. support/deployment assistance) - customers host their own instance and control their own data. For Rasa-hosted Online Services and Hosted Trial Environments, the Website Privacy Policy states conversation logs, prompts, transcripts and configurations 'may be deidentified and used for research and development, including training and improving our algorithms.' No explicit self-serve opt-out mechanism for this deidentified R&D use is documented on the vendor's pages; prospects evaluating via a Rasa-hosted trial should confirm current opt-out options directly with Rasa.

    // Security controls

    Encryption

    Vendor states use of NIST-recommended ciphers only (AES, RSA, SHA), with minimum key lengths of 128-bit AES, 2048-bit RSA, 256-bit SHA; weak/legacy cryptographic algorithms are disabled per CIS/OWASP guidance.

    rasa.com

    Access control

    Multi-factor authentication enforced company-wide.

    rasa.com

    Personnel security

    Employee background/screening checks performed for roles that meet defined criteria.

    rasa.com

    Vulnerability disclosure

    Published Responsible Disclosure Policy for reporting security issues.

    rasa.com

    Product hosting model

    Rasa Platform / Rasa Open Source is deployed by the customer (on-prem, private cloud, or customer's own cloud); Rasa states it does not host customer instances or customer data as part of the core product. Rasa's own corporate/SaaS surfaces (marketing site, docs, hosted trial) are cloud-only and hosted in the EU and/or US.

    rasa.com

    Independent audit reports

    Vendor states 'Security audits are conducted to identify and address any vulnerabilities by our external Data Protection agencies' but publishes no downloadable third-party audit report, penetration-test summary, or attestation letter on any vendor-domain page found.

    rasa.com

    // Products & data scope

    Rasa PlatformEnterprise AI agent builder (chat, voice/IVR, multi-agent orchestration)

    data: Self-hosted by the customer (on-prem or private/customer cloud); per the Product Privacy Policy, Rasa does not process personal data as part of the product outside of customer-instructed support/deployment assistance.

    Flagship product; homepage highlights patented dialogue management, on-prem/private-cloud deployment, multi-agent orchestration, and real-time observability. Includes Rasa Studio for design and monitoring.

    Rasa Open SourceOpen-source conversational AI framework (legacy)

    data: Fully self-hosted by the adopter; no Rasa-side data processing.

    Legacy docs remain live at legacy-docs-oss.rasa.com; company focus has shifted to the commercial Rasa Platform.

    Hosted Trial / Online ServicesRasa-operated evaluation/sandbox environment and account/marketing infrastructure

    data: Rasa-hosted; conversation logs, prompts, transcripts and configurations may be collected and deidentified data may be used for R&D and model improvement.

    Distinct privacy posture from the self-hosted Rasa Platform - this is the tier where Rasa itself processes and may train on data.

    // What to watch

    • Marketing FAQ (rasa.com/industries/finance-and-banking) claims 'Rasa supports SOC 2 Type II compliance' while the vendor's dedicated security page (rasa.com/security-at-rasa) makes no SOC 2 claim at all and no attestation report is referenced anywhere on the site - graded held=false as an unverified/ambiguous claim rather than a confirmed certification. AIFOXX should not display a SOC 2 badge based on this marketing sentence alone.
    • No formal ISO 27001 certificate found; vendor only claims control alignment with ISO 27002, which is a lower bar than a certified, audited ISMS.
    • AI-training posture is tier-dependent: the self-hosted Rasa Platform product does not have Rasa processing customer data, but Rasa-hosted trial/online services may use deidentified conversation data for model training with no documented opt-out - worth calling out to prospective enterprise buyers evaluating via a hosted trial.
    • Identity note: excluded 'rasa.io' (an unrelated newsletter/marketing company) and 'rasa.li' (an unrelated food-sourcing app) from this assessment - all facts here are sourced only from the rasa.com domain (Rasa Technologies Inc. / Rasa Technologies GmbH).

    // At a glance

    Pricing model

    Enterprise/custom, demo-gated (no public self-serve pricing observed; site funnels to 'Get a demo')

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Rasa Technologies Inc. (Rasa Technologies GmbH in the EU)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    rasa.com

    > Browse all vendor trust reports