// Trust & Security Report

    Retool, Inc. logo

    Retool, Inc.

    Low-code internal app builder platform; sub-products include Retool Cloud (multi-tenant SaaS), Retool Self-Hosted (VPC or on-premises), Retool Database (managed hosted DB), Retool Workflows (automation), Retool AI/AppGen (AI-powered app generation), and Retool Mobile Apps

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 listed as 'Certified' on Retool Trust Center (powered by SafeBase). Security practices page states: 'Retool will align with prevailing industry standards such as SOC 2 Type 2, or any successor or superseding standard.' Full report downloadable via NDA/login.

    Verify on trust.retool.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 listed as 'Certified' on Retool Trust Center (powered by SafeBase). Certificate downloadable via NDA/login.

    Verify on trust.retool.com
    GDPR
    HELD

    GDPR listed as 'Compliant' on Retool Trust Center. DPA available to all plan customers, incorporating EEA SCCs (Controller-to-Processor and Processor-to-Processor modules), UK International Data Transfer Addendum, and Swiss SCCs. Legal basis for each processing activity documented in privacy policy.

    Verify on trust.retool.com
    CCPA
    HELD

    CCPA listed as 'Compliant' on Retool Trust Center. California Privacy Rights section included in privacy policy with opt-out and deletion rights.

    Verify on trust.retool.com
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Retool MSA explicitly states: 'Customer acknowledges that Retool is not a Business Associate or subcontractor (as those terms are defined in the Health Insurance Portability and Accountability Act).' Cloud platform directs customers: 'Customer should not submit, collect or use any protected health information to the Retool Cloud Platform.' Retool does not sign BAAs for cloud deployments. Note: multiple third-party profiles incorrectly list Retool as HIPAA Compliant - this conflicts with Retool's own legal documentation.

    source: docs.retool.com
    FedRAMP
    NOT CONFIRMED

    No evidence of FedRAMP authorization on retool.com, trust.retool.com, or the public FedRAMP marketplace. Not listed in Retool trust center overview alongside SOC 2 and ISO 27001. Nudge Security lists 'FedRAMP: Compliant' but this cannot be confirmed from any Retool-domain source.

    source: trust.retool.com
    PCI DSS
    NOT CONFIRMED

    No evidence of PCI DSS certification on retool.com, trust.retool.com, or docs.retool.com. Not listed in Retool trust center overview. Third-party profile (Nudge Security) shows 'PCI DSS: Compliant' but this cannot be confirmed from any Retool-domain source.

    source: trust.retool.com
    CSA STAR
    NOT CONFIRMED

    No evidence of CSA STAR certification on retool.com or trust.retool.com. Not listed in Retool trust center overview. Third-party profile (Nudge Security) shows 'CSA STAR Level 1: Compliant' but this cannot be confirmed from any Retool-domain source.

    source: trust.retool.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 AI governance certification on retool.com or trust.retool.com.

    source: trust.retool.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS US-East by default; Enterprise plan offers EU data residency option. Self-hosted customers control their own region entirely.

    Retool AI Terms state: 'Retool does not currently use Customer Materials or AI Output to train or fine-tune its own artificial intelligence models or algorithms.' If Retool ever changes this, it must provide advance written notice and a meaningful opt-out opportunity before any such use begins. Additionally, 'Retool will maintain contractual agreements with the providers of Retool-Managed Models that prohibit such providers from using Customer Materials or AI Output for their own model training or fine-tuning purposes.' No current training on customer data; LLM providers contractually prohibited from doing so as well.

    // Security controls

    Encryption in transit

    TLS using latest recommended secure cipher suites; continuously monitored and updated for new cryptographic weaknesses

    docs.retool.com

    Encryption at rest

    Industry-accepted encryption via AWS infrastructure

    docs.retool.com

    MFA / 2FA

    Supported; administrators can enforce team-wide 2FA; 2FA required for all production server access

    docs.retool.com

    SSO

    Google, Microsoft, Okta, and other SAML/OIDC providers supported

    docs.retool.com

    Audit logging

    Detailed audit logs for administrators on Business and Enterprise plans; every sign-in logged with device type and IP address

    docs.retool.com

    Access control

    RBAC with column-level data control; remote user disabling on demand; administrator-managed permission tiers

    docs.retool.com

    Vulnerability disclosure

    Active program at retool.com/vulnerability-reporting; external security firms perform regular audits; continuous automated hybrid scanning

    docs.retool.com

    Penetration testing

    Regular external audits by independent security firms; pentest report available via trust center (NDA required)

    trust.retool.com

    Data backup

    Daily automated backups with 7-day retention; tested at least every 90 days; multi-region redundancy within AWS; hard delete within 24h of admin request, backups purged within 30 days

    docs.retool.com

    Personnel security

    Background checks on all employees before employment; privacy and security training during onboarding and on an ongoing basis

    docs.retool.com

    Incident response

    Security incident management policies in place; impacted customers notified without undue delay; 24/7 on-call operations team

    docs.retool.com

    Infrastructure hosting

    Amazon Web Services (AWS); fault-tolerant architecture; network segmentation; AWS security groups; real-time intrusion monitoring

    docs.retool.com

    Recent CVEs

    CVE-2025-29774 and CVE-2025-29775 (SAML authentication); CVE-2025-47424 (self-hosted deployments) - all documented in trust center with remediation guidance

    trust.retool.com

    // Products & data scope

    Retool CloudSaaS / Low-code platform

    data: Multi-tenant AWS-hosted; Retool proxies queries to customer data sources server-side but does not store Customer Data unless Retool Database is used; query/workflow caching is optional and can be disabled

    Not suitable for HIPAA workloads on cloud (Retool disclaims Business Associate status). SOC 2 T2 and ISO 27001:2022 apply. Pre-signed DPA available.

    Retool Self-HostedOn-premises / VPC deployment

    data: Customer controls all infrastructure; no Retool personnel have technical or logical access to Customer Data; only usage metadata (not Customer Data) is shared with Retool

    Most suitable for regulated industries or customers requiring data sovereignty. Retool provides daily-updated Debian base image with latest security patches. Retool still does not sign BAAs even for self-hosted.

    Retool AI / AppGenAI-powered app generation

    data: Prompts and generated output collected; customer controls which model provider receives data; governed by Retool AI Terms

    No Retool training on customer data; LLM providers contractually prohibited from training on customer data. If Retool's policy changes, advance notice and opt-out are required.

    Retool DatabaseManaged database

    data: Customer Data stored by Retool in AWS; encryption at rest and in transit; subject to SOC 2 T2 and ISO 27001 controls

    Hard delete within 24h of admin-initiated request; backup purge within 30 days. Not suitable for PHI storage.

    Retool WorkflowsWorkflow automation

    data: If using Retool-managed Temporal cluster, only orchestration metadata (workflow IDs, encrypted block names, user IDs, host and domain) shared with Temporal Technologies; Customer Data itself is not stored by Temporal

    Self-hosted Workflows option avoids Temporal data sharing entirely. Sub-processor list published on Retool docs site.

    // What to watch

    • HIPAA over-claim in third-party sources: Multiple third-party profiles (Nudge Security, some review sites) list Retool as HIPAA Compliant, but Retool's own MSA explicitly states it is NOT a HIPAA Business Associate and advises against submitting PHI to the cloud platform. Retool does not sign BAAs. AIFOXX must not list HIPAA as a held cert for Retool.
    • FedRAMP and PCI DSS unverifiable from vendor domain: Third-party profiles (Nudge Security) list these as compliant, but neither appears in Retool's own trust center overview or any retool.com documentation. Treated as held=false due to absence of vendor-domain evidence.
    • CSA STAR unverifiable: Nudge Security lists 'CSA STAR Level 1: Compliant' but no Retool-domain evidence confirms this. Treated as held=false.
    • Trust center documents gated: SOC 2 Type 2 report, ISO 27001 certificate, and pentest report are confirmed to exist but require NDA/login at trust.retool.com to access. This is standard enterprise practice.
    • CVE risk for self-hosted deployments: CVE-2025-29774 and CVE-2025-29775 (SAML auth) and CVE-2025-47424 (self-hosted) disclosed in 2025. Enterprise buyers should confirm their Retool version is patched.
    • AI Terms carve-out in MSA is benign: The MSA language 'except as expressly set forth in the AI Terms' is resolved by the AI Terms themselves - the carve-out refers only to a future opt-out scenario requiring advance written notice, not a current AI training exception.

    // At a glance

    Pricing model

    Free tier + Team (~$10/user/mo) + Business (~$50/user/mo) + Enterprise (custom). Audit logging and RBAC gated to Business/Enterprise.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Retool, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.retool.com

    > Browse all vendor trust reports