// Trust & Security Report
Raycast Technologies, Ltd.
Raycast macOS/Windows productivity launcher, with Raycast Pro (AI features, cloud sync), Raycast for Teams (private extension store, shared quicklinks/snippets), Raycast AI (multi-model chat/commands), and a public developer API/extensions store
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.raycast.com“Compliance SOC 2 Resources View all Compliance Documentation 2025 - SOC 2 Type II Report 2025 - Penetration Test Report”
Verify on raycast.com“Raycast and the customer acknowledge that the customer is the controller and Raycast is the processor of customer personal data... The addendum covers GDPR, the California Consumer Privacy Act (CCPA), and the UK GDPR, along with any national implementing laws.”
> Show 6 unconfirmed / not-held certifications
source: trust.raycast.comTrust Center's Compliance section lists only 'SOC 2' as a compliance framework; no ISO 27001 badge, certificate, or report is listed anywhere on trust.raycast.com. A third-party aggregator (Nudge Security) claims Raycast is 'ISO 27001 Compliant, PCI Compliant, HIPAA Compliant, FedRAMP Compliant, CSA Star Level 1 Compliant' but this appears to be generic templated boilerplate not sourced from Raycast's own trust center, and it directly contradicts confirmed vendor statements on HIPAA (see below). Treated as no public evidence.
source: trust.raycast.comNo public evidence of HIPAA support on a Raycast-owned domain. The trust center lists only 'SOC 2' under Compliance and makes no mention of HIPAA or a Business Associate Agreement (BAA); as a consumer/SMB productivity tool this is most likely out of scope. A third-party page (hipaatimes.com) asserts Raycast 'will not sign a BAA', but that definitive claim is not corroborated by any statement on raycast.com or trust.raycast.com and is not treated as vendor-verified.
source: trust.raycast.comNo public evidence of a PCI DSS attestation on trust.raycast.com or elsewhere on raycast.com; Raycast does not directly process cardholder payment data itself (billing is handled via a payment processor), so this is likely out of scope rather than a gap.
source: trust.raycast.comNo public evidence. Not listed on trust.raycast.com and no mention found on raycast.com or manual.raycast.com.
source: trust.raycast.comNo public evidence on trust.raycast.com. Not listed as an available framework/badge on the trust center.
source: trust.raycast.comNo public evidence. Not applicable; Raycast is a consumer/SMB productivity tool with no FedRAMP marketplace listing found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Personal data is stored primarily on servers in the United States, with transfers to service providers in other jurisdictions relying on EU/UK adequacy decisions or SCCs/UK Addendum. Subprocessors listed on the trust center include AWS (Luxembourg), Heroku (United Kingdom), Crunchy Data (United States, primary database hosting), and Sentry (United States, error tracking).
Raycast states 'Your data is not used to train AI models.' It configures third-party AI providers (OpenAI, Anthropic, Perplexity, Groq, Together AI, Mistral AI, Google Gemini, xAI, Replicate, Baseten, Cerebras) so that 'inputs and outputs are not used to train their models and are subject to zero data retention' where available, falling back to minimum retention settings otherwise. Raycast also states it does not log or retain user AI prompts server-side; dictation audio is not retained after the request completes. No tier-based (free vs Pro vs Teams) exception to this policy was found in the documentation reviewed.
// Security controls
SOC 2 Type II report
2025 SOC 2 Type II report and 2025 penetration test report available on request via trust center
trust.raycast.comInfrastructure security controls
Unique production database authentication enforced, encryption key access restricted, unique account authentication enforced (17 more controls listed)
trust.raycast.comData encryption
Data encryption utilized in product security controls; extension data stored in a local encrypted database, with sensitive credentials stored via the system Keychain
trust.raycast.comBusiness continuity
Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained
trust.raycast.comExtension sandboxing
Third-party extensions reviewed by Raycast/community before publication, run in isolated v8 isolates, with Node.js runtime integrity verification
developers.raycast.comData deletion on account closure
Customer data deleted upon leaving, per data and privacy controls
trust.raycast.com// Products & data scope
data: Local clipboard history, file search, quicklinks, extension data stored in local encrypted database
Core app is free; most data stays local to the device unless cloud sync/AI features are enabled.
data: Adds AI features and encrypted cloud sync of settings, snippets, and AI chat history
Subject to the same AI zero-retention/no-training posture described in the privacy policy.
data: Private extension store, shared quicklinks and snippets across an organization
Public marketing pages reviewed did not disclose specific admin controls, SSO, or data-handling detail beyond the general privacy policy and DPA; contact with Raycast sales appears required for enterprise-specific security documentation.
data: User prompts routed to third-party model providers (OpenAI, Anthropic, Google, Mistral, xAI, and others) under zero/minimum data retention terms; prompts not logged by Raycast
Users can also bring their own API keys (BYOK) for some providers, shifting the data relationship directly to the provider.
data: Open-source, community-reviewed extensions; extension-specific data stays local unless an extension calls an external service
Security posture documented separately at developers.raycast.com/information/security, distinct from the org-wide SOC 2 trust center.
// What to watch
- A third-party aggregator (Nudge Security) publishes a generic-looking claim that Raycast holds ISO 27001, PCI, HIPAA, FedRAMP, and CSA STAR certifications. This directly contradicts confirmed vendor statements (Raycast will not sign a HIPAA BAA) and is not corroborated by Raycast's own trust center, which lists only SOC 2 under Compliance. Graded as an over-claim risk from an unreliable third-party source; do not surface those extra certs in the listing.
- Raycast for Teams enterprise-specific controls (SSO, admin/audit logs, data residency options) were not disclosed on public marketing pages; these may exist behind a sales conversation and were not verifiable from public vendor sources.
// At a glance
Pricing model
Freemium: free core app, paid Pro tier (individual, adds AI + cloud sync), and Teams/organization plans; pricing tiers not itemized on public marketing pages reviewed
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Raycast Technologies, Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.raycast.com