// Trust & Security Report

    Redash (open-source project; originally Redash Ltd., acquired by Databricks, Inc. in June 2020, rebooted as a community-led project since April 2023) logo

    Redash (open-source project; originally Redash Ltd., acquired by Databricks, Inc. in June 2020, rebooted as a community-led project since April 2023)

    Open-source SQL client and dashboarding/BI tool for connecting to and visualizing data from SQL, NoSQL, Big Data, and API data sources. Historically also offered a managed hosted service (app.redash.io), which was discontinued; today it is distributed solely as self-hosted, community-maintained software.

    Certifications held

    0

    Maturity

    Unknown

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    No public evidence: redash.io has no trust center or security page; the Privacy Policy (redash.io/privacy) and Terms of Service (redash.io/terms) contain no mention of SOC 2, and the GitHub security policy (getredash/redash) covers only vulnerability disclosure via email, with no compliance certifications mentioned.

    source: redash.io
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence: same as SOC 2 Type I above; no trust center, security page, or SOC 2 report exists on redash.io.

    source: redash.io
    ISO 27001
    NOT CONFIRMED

    No public evidence on redash.io, redash.io/privacy, redash.io/terms, or the GitHub security policy. No ISO 27001 certificate or statement is published by the vendor.

    source: redash.io
    HIPAA
    NOT CONFIRMED

    No public evidence of a HIPAA attestation, BAA offering, or compliance statement on any redash.io page reviewed. Note: the hosted service that would have processed customer data on Redash's own servers (app.redash.io) was shut down effective November 30, 2021, so today's self-hosted-only distribution model places HIPAA responsibility entirely on the customer's own deployment.

    source: redash.io
    PCI DSS
    NOT CONFIRMED

    No public evidence Redash itself holds PCI DSS. The Privacy Policy lists Stripe as a third-party payment processor ('Redash uses selected third parties... Stripe...'); PCI DSS, if applicable, belongs to Stripe as the payment subprocessor, not Redash.

    source: redash.io
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence. Redash is a SQL/BI dashboarding tool, not an AI model provider, and no AI-governance certification is referenced anywhere on redash.io.

    source: redash.io
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR registry entry or self-assessment for Redash on redash.io or the GitHub project pages.

    source: redash.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of a FedRAMP authorization for Redash.

    source: redash.io
    GDPR (posture, not a certification)
    NOT CONFIRMED

    No public evidence of a formal GDPR compliance statement on the current redash.io/privacy page itself (it does not use the word 'GDPR'). A now-unreachable Redash blog post (blog.redash.io, subdomain no longer resolves) was previously reported by third parties as saying the privacy policy was already GDPR-compliant, but this could not be independently re-verified on a live vendor page, so it is graded held=false with an honest 'could not confirm on vendor domain' note rather than treated as evidence.

    source: redash.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    not verified - Redash is distributed as self-hosted software; the customer's own infrastructure determines data region. The Privacy Policy names AWS and Google Cloud among third-party service providers used for redash.io's own web properties, but no specific region commitment is stated.

    Not applicable in the conventional sense: Redash is a SQL client / BI dashboarding tool, not an AI model, and there is no evidence it trains any AI/ML model on customer data. No DPA is offered on the current site; the only past DPA-relevant context was for the now-discontinued hosted service (app.redash.io, shut down November 30, 2021, with all hosted customer data deleted within 30 days per the vendor's own EOL FAQ). For today's self-hosted-only distribution, there is no ongoing customer data relationship with the vendor to process, so no DPA is published.

    // Security controls

    Encryption in transit

    not verified - Redash is self-hosted; the vendor publishes an HTTPS/SSL setup guide for admins to configure TLS on their own instance, but does not itself guarantee encryption in transit since it does not operate the customer's deployment

    redash.io

    Password/credential storage

    Terms of Service state passwords are 'retained at Redash's servers using standard security practices' for accounts on Redash-operated properties; database connection credentials entered into a self-hosted instance are stored by that instance per the admin's own configuration (see Secret Keys documentation)

    redash.io

    Data retention

    Terms of Service state Redash 'may not retain information for more than 30 days' except as specified in membership plans, for data on Redash-operated web properties

    redash.io

    Vulnerability disclosure

    Security issues can be reported to security@redash.io, with PGP encryption available via a published key; the policy is limited in scope to disclosure handling and does not describe pen testing cadence or formal compliance controls

    github.com

    Historical security incident disclosure

    Vendor has publicly disclosed at least one past security release (v4.0.2) via its own blog, indicating a practice of public vulnerability disclosure for the open-source project

    blog.redash.io

    Hosted service status

    The only Redash-operated hosted/managed service (app.redash.io) was shut down effective November 30, 2021, with all customer data deleted within 30 days; there is currently no Redash-operated production hosting of customer data

    redash.io

    // Products & data scope

    Redash (self-hosted, open source)Self-hosted SQL client and BI/dashboarding tool

    data: Runs entirely on customer-controlled infrastructure; the Redash project/maintainers have no access to customer data or database credentials by default

    BSD-2-Clause licensed; the only actively distributed edition since the hosted service EOL'd in Nov 2021; development is community-led (volunteer maintainers) as of April 2023 and described by third-party sources as largely frozen/slow-moving compared to alternatives like Metabase or Apache Superset

    Redash Cloud / app.redash.io (hosted, discontinued)Formerly a Redash-managed hosted SQL/BI service

    data: Previously ran on Redash-operated servers; customer data was stored on Redash infrastructure

    Shut down effective November 30, 2021; all hosted customer data was deleted within 30 days thereafter per the vendor's own FAQ. Not a currently purchasable or usable product. Any certification claims tied to this legacy hosted service should be treated as historical/inapplicable, not current.

    // What to watch

    • Identity/ownership caveat: Redash was acquired by Databricks, Inc. in 2020, but is now a community-led open-source project (as of an April 2023 GitHub announcement) with no clear ongoing formal commercial backing. Databricks' own enterprise certifications (SOC 2, ISO 27001, HIPAA, etc., for the Databricks platform) do NOT extend to the standalone Redash open-source project and must not be attributed to it - this is a clear host/parent-vendor-vs-product conflation risk that AIFOXX should actively guard against.
    • The only Redash-operated hosted service that would have made vendor-side certifications meaningful (app.redash.io) was discontinued in November 2021; today's self-hosted-only distribution model means most security/compliance posture (encryption, access control, HIPAA suitability, data residency) is entirely determined by each customer's own deployment, not by Redash the vendor.
    • A third-party-referenced Redash blog post claiming pre-existing GDPR compliance could not be independently verified because the blog.redash.io subdomain no longer resolves; graded as unconfirmed rather than accepted on secondary-source authority.
    • Project momentum is a listing consideration, not a security cert per se: multiple 2025-2026 third-party sources describe Redash open-source development as largely frozen/slow compared to actively maintained alternatives (e.g., Metabase, Apache Superset), which may affect how promptly any future vulnerability would be patched.

    // At a glance

    Pricing model

    Free, open-source, self-hosted software (BSD-2-Clause license); no current paid hosted tier since app.redash.io was discontinued in 2021

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Redash (open-source project; originally Redash Ltd., acquired by Databricks, Inc. in June 2020, rebooted as a community-led project since April 2023)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    redash.io

    > Browse all vendor trust reports