// Trust & Security Report
OnSearch Pty Ltd (T/A Relevance AI)
Agentic AI platform ("AI Workforce") for building, deploying, and governing autonomous AI agents; includes a no-code/low-code agent builder, "Invent" AI-assisted agent generation, an agent marketplace of pre-built templates, an evals/monitoring layer, and API/MCP access for programmatic agent building, with a separate gated Enterprise tier (SSO/SAML, RBAC, fine-grained access control, dedicated data residency).
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.relevanceai.com“Compliance SOC 2 Type II GDPR ... Audit reports and tests ... SOC 2 Type II 2025”
Verify on trust.relevanceai.com“Compliance SOC 2 Type II GDPR ... Other: Data Processing Addendum”
> Show 6 unconfirmed / not-held certifications
source: trust.relevanceai.comAudit reports and tests: 'ISO 27001:2022 Engagement Letter' - this is an auditor engagement letter (work in progress toward certification), not an issued ISO 27001 certificate. No ISO 27001 certificate is listed or referenced anywhere on the vendor's own domain.
source: trust.relevanceai.comNo public evidence of HIPAA compliance or a signed BAA program anywhere on trust.relevanceai.com, relevanceai.com/docs/admin/security, or the FAQ. Note: the trust center's 'Data and privacy' control lists 'Personal health information' under 'Data collected', which is a Vanta/Drata-style control-catalog checkbox, not a HIPAA attestation -- flagged for advisor review.
source: trust.relevanceai.comTrust center lists 'Credit card information' under 'Data collected', consistent with routing payments through a third-party processor (e.g. Stripe); no PCI DSS attestation, AOC, or SAQ is published by the vendor itself.
source: trust.relevanceai.comno public evidence -- not listed under the trust center's Compliance or Resources sections
source: trust.relevanceai.comno public evidence -- not listed on trust.relevanceai.com or relevanceai.com
source: trust.relevanceai.comno public evidence -- product is marketed to commercial GTM/enterprise teams, no FedRAMP marketplace listing or vendor claim found
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer-selectable at signup, permanent once chosen: US (AWS us-east-1, N. Virginia), EU/UK (AWS eu-west-2, London), or AU (AWS ap-southeast-2, Sydney).
Vendor's own documentation states: "We do not use your data to train our models or improve our services unless you have a specific partnership agreement" and, regarding underlying LLM providers, "No data is stored or trained on during this process." The public privacy policy itself does not separately restate this AI-training commitment (it only describes standard processor relationships and cross-border transfer mechanisms), so the strongest AI-training assurance sits in the security docs, not the privacy policy -- a minor inconsistency worth flagging but not a contradiction.
// Security controls
SSO / SAML
SAML 2.0 SSO and MFA supported via customer identity provider; marketed as an Enterprise-tier feature
relevanceai.comRBAC / fine-grained access control
Role-based access controls for team members and agents; FGA noted as Enterprise-exclusive
relevanceai.comAudit logging
Every agent action, decision, and tool call logged and exportable; OpenTelemetry export and Delta Sharing supported
relevanceai.comPII masking
Automatic detection/redaction of PII before it reaches the model (as marketed on the homepage)
relevanceai.comPenetration testing
Penetration Test Report 2025 listed as an available trust-center resource
trust.relevanceai.comSubprocessors
Disclosed subprocessors include Amazon Web Services (US/EU/AU, cloud hosting), MongoDB Atlas (US/EU/AU, database hosting), Google Cloud (global, cloud APIs/AI models), Slack (global, messaging); most recent update added ledgerup.ai and Databricks (published March 23, 2026)
trust.relevanceai.com// Products & data scope
data: Customer business data connected via 1,000+ integrations (CRM, email, calendar, etc.), agent prompts and configuration
Standard SOC 2 Type II and GDPR controls apply; region selectable at signup.
data: Same data plus centralized RBAC/FGA scope, SSO/SAML-authenticated user directory, audit-log exports
SSO/SAML, RBAC, and fine-grained access control are gated to this tier per vendor docs; likely tier where BAAs/custom data-processing terms would be negotiated ("unless you have a specific partnership agreement").
data: Same backend data plane as the core platform, accessed via API keys or MCP from tools like Claude Code / Codex
No separate certification scope disclosed; assumed to inherit platform-level SOC 2/GDPR controls.
data: Public template metadata; execution still runs on core platform
No distinct compliance posture found; treated as a storefront on top of the core platform.
// What to watch
- ISO 27001 is NOT a held certification -- the trust center lists only an 'ISO 27001:2022 Engagement Letter' (an auditor engagement, i.e. work-in-progress toward certification), not an issued certificate. Do not list ISO 27001 as held.
- Trust center's 'Data and privacy' control panel lists 'Personal health information' and 'Credit card information' under 'Data collected', but there is no HIPAA or PCI DSS attestation anywhere on the vendor's own domain -- if the vendor is marketed for use cases touching PHI, this is a gap worth surfacing to prospective healthcare customers.
- The strongest 'we do not train on your data' commitment appears in developer/security documentation and search-engine-summarized FAQ content, not verbatim in the public privacy policy itself -- recommend the vendor's own privacy policy be re-checked at time of listing since only a fetched summary (not the full raw HTML) was reviewed here.
- DPA availability is inferred from the trust center's Resources list ('Data Processing Addendum') which is gated behind 'Request access' -- could not confirm its exact contents or whether it is auto-issued vs. sales-negotiated.
- Company name on-site is a trading name: legal entity is 'OnSearch Pty Ltd T/A Relevance AI' (Australian entity, per site footer) -- listing should not be conflated with any unrelated company using a similar 'Relevance' brand name.
// At a glance
Pricing model
Freemium self-serve plans plus custom-quoted Enterprise pricing (per public marketing; exact tiers/usage metering not independently verified)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on OnSearch Pty Ltd (T/A Relevance AI)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.relevanceai.com