// Trust & Security Report

    Raycast Technologies, Ltd. logo

    Raycast Technologies, Ltd.

    Raycast macOS/Windows productivity launcher, with Raycast Pro (AI features, cloud sync), Raycast for Teams (private extension store, shared quicklinks/snippets), Raycast AI (multi-model chat/commands), and a public developer API/extensions store

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance SOC 2 Resources View all Compliance Documentation 2025 - SOC 2 Type II Report 2025 - Penetration Test Report

    Verify on trust.raycast.com
    GDPR (posture, not a certification)
    HELD

    Raycast and the customer acknowledge that the customer is the controller and Raycast is the processor of customer personal data... The addendum covers GDPR, the California Consumer Privacy Act (CCPA), and the UK GDPR, along with any national implementing laws.

    Verify on raycast.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Trust Center's Compliance section lists only 'SOC 2' as a compliance framework; no ISO 27001 badge, certificate, or report is listed anywhere on trust.raycast.com. A third-party aggregator (Nudge Security) claims Raycast is 'ISO 27001 Compliant, PCI Compliant, HIPAA Compliant, FedRAMP Compliant, CSA Star Level 1 Compliant' but this appears to be generic templated boilerplate not sourced from Raycast's own trust center, and it directly contradicts confirmed vendor statements on HIPAA (see below). Treated as no public evidence.

    source: trust.raycast.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA support on a Raycast-owned domain. The trust center lists only 'SOC 2' under Compliance and makes no mention of HIPAA or a Business Associate Agreement (BAA); as a consumer/SMB productivity tool this is most likely out of scope. A third-party page (hipaatimes.com) asserts Raycast 'will not sign a BAA', but that definitive claim is not corroborated by any statement on raycast.com or trust.raycast.com and is not treated as vendor-verified.

    source: trust.raycast.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation on trust.raycast.com or elsewhere on raycast.com; Raycast does not directly process cardholder payment data itself (billing is handled via a payment processor), so this is likely out of scope rather than a gap.

    source: trust.raycast.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not listed on trust.raycast.com and no mention found on raycast.com or manual.raycast.com.

    source: trust.raycast.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on trust.raycast.com. Not listed as an available framework/badge on the trust center.

    source: trust.raycast.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not applicable; Raycast is a consumer/SMB productivity tool with no FedRAMP marketplace listing found.

    source: trust.raycast.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Personal data is stored primarily on servers in the United States, with transfers to service providers in other jurisdictions relying on EU/UK adequacy decisions or SCCs/UK Addendum. Subprocessors listed on the trust center include AWS (Luxembourg), Heroku (United Kingdom), Crunchy Data (United States, primary database hosting), and Sentry (United States, error tracking).

    Raycast states 'Your data is not used to train AI models.' It configures third-party AI providers (OpenAI, Anthropic, Perplexity, Groq, Together AI, Mistral AI, Google Gemini, xAI, Replicate, Baseten, Cerebras) so that 'inputs and outputs are not used to train their models and are subject to zero data retention' where available, falling back to minimum retention settings otherwise. Raycast also states it does not log or retain user AI prompts server-side; dictation audio is not retained after the request completes. No tier-based (free vs Pro vs Teams) exception to this policy was found in the documentation reviewed.

    // Security controls

    SOC 2 Type II report

    2025 SOC 2 Type II report and 2025 penetration test report available on request via trust center

    trust.raycast.com

    Infrastructure security controls

    Unique production database authentication enforced, encryption key access restricted, unique account authentication enforced (17 more controls listed)

    trust.raycast.com

    Data encryption

    Data encryption utilized in product security controls; extension data stored in a local encrypted database, with sensitive credentials stored via the system Keychain

    trust.raycast.com

    Business continuity

    Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained

    trust.raycast.com

    Extension sandboxing

    Third-party extensions reviewed by Raycast/community before publication, run in isolated v8 isolates, with Node.js runtime integrity verification

    developers.raycast.com

    Data deletion on account closure

    Customer data deleted upon leaving, per data and privacy controls

    trust.raycast.com

    // Products & data scope

    Raycast (free)Productivity launcher (macOS/Windows)

    data: Local clipboard history, file search, quicklinks, extension data stored in local encrypted database

    Core app is free; most data stays local to the device unless cloud sync/AI features are enabled.

    Raycast ProIndividual subscription add-on

    data: Adds AI features and encrypted cloud sync of settings, snippets, and AI chat history

    Subject to the same AI zero-retention/no-training posture described in the privacy policy.

    Raycast for TeamsTeam/organization collaboration

    data: Private extension store, shared quicklinks and snippets across an organization

    Public marketing pages reviewed did not disclose specific admin controls, SSO, or data-handling detail beyond the general privacy policy and DPA; contact with Raycast sales appears required for enterprise-specific security documentation.

    Raycast AIAI chat/commands across multiple model providers

    data: User prompts routed to third-party model providers (OpenAI, Anthropic, Google, Mistral, xAI, and others) under zero/minimum data retention terms; prompts not logged by Raycast

    Users can also bring their own API keys (BYOK) for some providers, shifting the data relationship directly to the provider.

    Raycast Developer/Extensions StorePublic extensions marketplace and API

    data: Open-source, community-reviewed extensions; extension-specific data stays local unless an extension calls an external service

    Security posture documented separately at developers.raycast.com/information/security, distinct from the org-wide SOC 2 trust center.

    // What to watch

    • A third-party aggregator (Nudge Security) publishes a generic-looking claim that Raycast holds ISO 27001, PCI, HIPAA, FedRAMP, and CSA STAR certifications. This directly contradicts confirmed vendor statements (Raycast will not sign a HIPAA BAA) and is not corroborated by Raycast's own trust center, which lists only SOC 2 under Compliance. Graded as an over-claim risk from an unreliable third-party source; do not surface those extra certs in the listing.
    • Raycast for Teams enterprise-specific controls (SSO, admin/audit logs, data residency options) were not disclosed on public marketing pages; these may exist behind a sales conversation and were not verifiable from public vendor sources.

    // At a glance

    Pricing model

    Freemium: free core app, paid Pro tier (individual, adds AI + cloud sync), and Teams/organization plans; pricing tiers not itemized on public marketing pages reviewed

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Raycast Technologies, Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.raycast.com

    > Browse all vendor trust reports