// Trust & Security Report

    OnSearch Pty Ltd (T/A Relevance AI) logo

    OnSearch Pty Ltd (T/A Relevance AI)

    Agentic AI platform ("AI Workforce") for building, deploying, and governing autonomous AI agents; includes a no-code/low-code agent builder, "Invent" AI-assisted agent generation, an agent marketplace of pre-built templates, an evals/monitoring layer, and API/MCP access for programmatic agent building, with a separate gated Enterprise tier (SSO/SAML, RBAC, fine-grained access control, dedicated data residency).

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance SOC 2 Type II GDPR ... Audit reports and tests ... SOC 2 Type II 2025

    Verify on trust.relevanceai.com
    GDPR
    HELD

    Compliance SOC 2 Type II GDPR ... Other: Data Processing Addendum

    Verify on trust.relevanceai.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Audit reports and tests: 'ISO 27001:2022 Engagement Letter' - this is an auditor engagement letter (work in progress toward certification), not an issued ISO 27001 certificate. No ISO 27001 certificate is listed or referenced anywhere on the vendor's own domain.

    source: trust.relevanceai.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or a signed BAA program anywhere on trust.relevanceai.com, relevanceai.com/docs/admin/security, or the FAQ. Note: the trust center's 'Data and privacy' control lists 'Personal health information' under 'Data collected', which is a Vanta/Drata-style control-catalog checkbox, not a HIPAA attestation -- flagged for advisor review.

    source: trust.relevanceai.com
    PCI DSS
    NOT CONFIRMED

    Trust center lists 'Credit card information' under 'Data collected', consistent with routing payments through a third-party processor (e.g. Stripe); no PCI DSS attestation, AOC, or SAQ is published by the vendor itself.

    source: trust.relevanceai.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    no public evidence -- not listed under the trust center's Compliance or Resources sections

    source: trust.relevanceai.com
    CSA STAR
    NOT CONFIRMED

    no public evidence -- not listed on trust.relevanceai.com or relevanceai.com

    source: trust.relevanceai.com
    FedRAMP
    NOT CONFIRMED

    no public evidence -- product is marketed to commercial GTM/enterprise teams, no FedRAMP marketplace listing or vendor claim found

    source: trust.relevanceai.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer-selectable at signup, permanent once chosen: US (AWS us-east-1, N. Virginia), EU/UK (AWS eu-west-2, London), or AU (AWS ap-southeast-2, Sydney).

    Vendor's own documentation states: "We do not use your data to train our models or improve our services unless you have a specific partnership agreement" and, regarding underlying LLM providers, "No data is stored or trained on during this process." The public privacy policy itself does not separately restate this AI-training commitment (it only describes standard processor relationships and cross-border transfer mechanisms), so the strongest AI-training assurance sits in the security docs, not the privacy policy -- a minor inconsistency worth flagging but not a contradiction.

    // Security controls

    Encryption in transit

    TLS 1.2+

    relevanceai.com

    Encryption at rest

    AES-256

    relevanceai.com

    SSO / SAML

    SAML 2.0 SSO and MFA supported via customer identity provider; marketed as an Enterprise-tier feature

    relevanceai.com

    RBAC / fine-grained access control

    Role-based access controls for team members and agents; FGA noted as Enterprise-exclusive

    relevanceai.com

    Audit logging

    Every agent action, decision, and tool call logged and exportable; OpenTelemetry export and Delta Sharing supported

    relevanceai.com

    PII masking

    Automatic detection/redaction of PII before it reaches the model (as marketed on the homepage)

    relevanceai.com

    Penetration testing

    Penetration Test Report 2025 listed as an available trust-center resource

    trust.relevanceai.com

    Subprocessors

    Disclosed subprocessors include Amazon Web Services (US/EU/AU, cloud hosting), MongoDB Atlas (US/EU/AU, database hosting), Google Cloud (global, cloud APIs/AI models), Slack (global, messaging); most recent update added ledgerup.ai and Databricks (published March 23, 2026)

    trust.relevanceai.com

    // Products & data scope

    Relevance AI core platform / AI Workforce builderNo-code/low-code AI agent builder

    data: Customer business data connected via 1,000+ integrations (CRM, email, calendar, etc.), agent prompts and configuration

    Standard SOC 2 Type II and GDPR controls apply; region selectable at signup.

    Enterprise tierGoverned multi-agent deployment for large orgs

    data: Same data plus centralized RBAC/FGA scope, SSO/SAML-authenticated user directory, audit-log exports

    SSO/SAML, RBAC, and fine-grained access control are gated to this tier per vendor docs; likely tier where BAAs/custom data-processing terms would be negotiated ("unless you have a specific partnership agreement").

    API / MCP accessDeveloper / programmatic agent building

    data: Same backend data plane as the core platform, accessed via API keys or MCP from tools like Claude Code / Codex

    No separate certification scope disclosed; assumed to inherit platform-level SOC 2/GDPR controls.

    Agent Marketplace (marketplace.relevanceai.com)Template/pre-built agent listings

    data: Public template metadata; execution still runs on core platform

    No distinct compliance posture found; treated as a storefront on top of the core platform.

    // What to watch

    • ISO 27001 is NOT a held certification -- the trust center lists only an 'ISO 27001:2022 Engagement Letter' (an auditor engagement, i.e. work-in-progress toward certification), not an issued certificate. Do not list ISO 27001 as held.
    • Trust center's 'Data and privacy' control panel lists 'Personal health information' and 'Credit card information' under 'Data collected', but there is no HIPAA or PCI DSS attestation anywhere on the vendor's own domain -- if the vendor is marketed for use cases touching PHI, this is a gap worth surfacing to prospective healthcare customers.
    • The strongest 'we do not train on your data' commitment appears in developer/security documentation and search-engine-summarized FAQ content, not verbatim in the public privacy policy itself -- recommend the vendor's own privacy policy be re-checked at time of listing since only a fetched summary (not the full raw HTML) was reviewed here.
    • DPA availability is inferred from the trust center's Resources list ('Data Processing Addendum') which is gated behind 'Request access' -- could not confirm its exact contents or whether it is auto-issued vs. sales-negotiated.
    • Company name on-site is a trading name: legal entity is 'OnSearch Pty Ltd T/A Relevance AI' (Australian entity, per site footer) -- listing should not be conflated with any unrelated company using a similar 'Relevance' brand name.

    // At a glance

    Pricing model

    Freemium self-serve plans plus custom-quoted Enterprise pricing (per public marketing; exact tiers/usage metering not independently verified)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on OnSearch Pty Ltd (T/A Relevance AI)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.relevanceai.com

    > Browse all vendor trust reports