// Trust & Security Report
Rasa Technologies Inc. (Rasa Technologies GmbH in the EU)
Enterprise developer platform for building AI agents: the flagship self-hosted/private-cloud Rasa Platform (with Rasa Studio for design/observability), the legacy open-source Rasa Open Source framework, and Rasa-hosted trial/sandbox environments used for evaluation.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on rasa.com“'The DPA only applies to Personal Data which are subject to the GDPR' (rasa.com/dpa); Rasa's Website Privacy Policy states EU-hosted Services and names a Data Protection Officer/Privacy Officer overseeing the data-protection program, with defined data-subject rights and a 30-day response commitment.”
> Show 8 unconfirmed / not-held certifications
source: rasa.comrasa.com/industries/finance-and-banking (marketing FAQ) states: 'Is Rasa compliant for financial services use cases? Yes. Rasa supports SOC 2 Type II compliance, on-premise and private cloud deployment, data residency controls, and full audit logging for every automated interaction.' However, the vendor's own dedicated security page (rasa.com/security-at-rasa) makes no SOC 2 claim anywhere and no SOC 2 attestation report, audit date, or auditor is referenced on any vendor-domain page. 'Supports SOC 2 compliance' describes product features (deployment control, audit logs) that help a customer achieve their own compliance, not a confirmed SOC 2 Type II certification of Rasa itself. Treated as unverified.
source: rasa.com'Although our controls are aligned with the requirements of ISO 27002, we have broken down the sections below to align with the ISO 27001 domains to allow for customers and prospects to easily cross reference with their requirements.' This is a self-attestation of control alignment, not a certified ISMS audited against ISO 27001; no certificate number, registrar, or audit date is published.
source: rasa.com'We have worked to ensure our security controls are aligned with ISO 27002 and we apply industry best practises wherever applicable.' Listed for transparency: this is a stated best-practice alignment, not an issued ISO certificate.
source: rasa.comNo public evidence of a HIPAA compliance program, BAA offering, or HIPAA-eligible hosting tier on any vendor-domain page found.
source: rasa.comNo public evidence of PCI DSS certification on any vendor-domain page found.
source: rasa.comNo public evidence of ISO 42001 certification found on the vendor's own pages.
source: rasa.comNo public evidence of a CSA STAR registration or CSA STAR AI attestation found on the vendor's own pages.
source: rasa.comNo public evidence of FedRAMP authorization found on the vendor's own pages.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Hosted Services: European Union. Online Services (website/account infra): United States and European Union. Self-hosted Rasa Platform / Rasa Open Source deployments: fully customer-controlled (on-prem or customer's own cloud/private cloud).
Posture differs by product tier. For the self-hosted Rasa Platform / Rasa Open Source product, the Product Privacy Policy states Rasa 'do[es] not process personal data as part of the Products' beyond customer instruction (e.g. support/deployment assistance) - customers host their own instance and control their own data. For Rasa-hosted Online Services and Hosted Trial Environments, the Website Privacy Policy states conversation logs, prompts, transcripts and configurations 'may be deidentified and used for research and development, including training and improving our algorithms.' No explicit self-serve opt-out mechanism for this deidentified R&D use is documented on the vendor's pages; prospects evaluating via a Rasa-hosted trial should confirm current opt-out options directly with Rasa.
// Security controls
Encryption
Vendor states use of NIST-recommended ciphers only (AES, RSA, SHA), with minimum key lengths of 128-bit AES, 2048-bit RSA, 256-bit SHA; weak/legacy cryptographic algorithms are disabled per CIS/OWASP guidance.
rasa.comPersonnel security
Employee background/screening checks performed for roles that meet defined criteria.
rasa.comVulnerability disclosure
Published Responsible Disclosure Policy for reporting security issues.
rasa.comProduct hosting model
Rasa Platform / Rasa Open Source is deployed by the customer (on-prem, private cloud, or customer's own cloud); Rasa states it does not host customer instances or customer data as part of the core product. Rasa's own corporate/SaaS surfaces (marketing site, docs, hosted trial) are cloud-only and hosted in the EU and/or US.
rasa.comIndependent audit reports
Vendor states 'Security audits are conducted to identify and address any vulnerabilities by our external Data Protection agencies' but publishes no downloadable third-party audit report, penetration-test summary, or attestation letter on any vendor-domain page found.
rasa.com// Products & data scope
data: Self-hosted by the customer (on-prem or private/customer cloud); per the Product Privacy Policy, Rasa does not process personal data as part of the product outside of customer-instructed support/deployment assistance.
Flagship product; homepage highlights patented dialogue management, on-prem/private-cloud deployment, multi-agent orchestration, and real-time observability. Includes Rasa Studio for design and monitoring.
data: Fully self-hosted by the adopter; no Rasa-side data processing.
Legacy docs remain live at legacy-docs-oss.rasa.com; company focus has shifted to the commercial Rasa Platform.
data: Rasa-hosted; conversation logs, prompts, transcripts and configurations may be collected and deidentified data may be used for R&D and model improvement.
Distinct privacy posture from the self-hosted Rasa Platform - this is the tier where Rasa itself processes and may train on data.
// What to watch
- Marketing FAQ (rasa.com/industries/finance-and-banking) claims 'Rasa supports SOC 2 Type II compliance' while the vendor's dedicated security page (rasa.com/security-at-rasa) makes no SOC 2 claim at all and no attestation report is referenced anywhere on the site - graded held=false as an unverified/ambiguous claim rather than a confirmed certification. AIFOXX should not display a SOC 2 badge based on this marketing sentence alone.
- No formal ISO 27001 certificate found; vendor only claims control alignment with ISO 27002, which is a lower bar than a certified, audited ISMS.
- AI-training posture is tier-dependent: the self-hosted Rasa Platform product does not have Rasa processing customer data, but Rasa-hosted trial/online services may use deidentified conversation data for model training with no documented opt-out - worth calling out to prospective enterprise buyers evaluating via a hosted trial.
- Identity note: excluded 'rasa.io' (an unrelated newsletter/marketing company) and 'rasa.li' (an unrelated food-sourcing app) from this assessment - all facts here are sourced only from the rasa.com domain (Rasa Technologies Inc. / Rasa Technologies GmbH).
// At a glance
Pricing model
Enterprise/custom, demo-gated (no public self-serve pricing observed; site funnels to 'Get a demo')
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Rasa Technologies Inc. (Rasa Technologies GmbH in the EU)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
rasa.com