// Trust & Security Report
Retool, Inc.
Low-code internal app builder platform; sub-products include Retool Cloud (multi-tenant SaaS), Retool Self-Hosted (VPC or on-premises), Retool Database (managed hosted DB), Retool Workflows (automation), Retool AI/AppGen (AI-powered app generation), and Retool Mobile Apps
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.retool.com“SOC 2 Type 2 listed as 'Certified' on Retool Trust Center (powered by SafeBase). Security practices page states: 'Retool will align with prevailing industry standards such as SOC 2 Type 2, or any successor or superseding standard.' Full report downloadable via NDA/login.”
Verify on trust.retool.com“ISO/IEC 27001:2022 listed as 'Certified' on Retool Trust Center (powered by SafeBase). Certificate downloadable via NDA/login.”
Verify on trust.retool.com“GDPR listed as 'Compliant' on Retool Trust Center. DPA available to all plan customers, incorporating EEA SCCs (Controller-to-Processor and Processor-to-Processor modules), UK International Data Transfer Addendum, and Swiss SCCs. Legal basis for each processing activity documented in privacy policy.”
Verify on trust.retool.com“CCPA listed as 'Compliant' on Retool Trust Center. California Privacy Rights section included in privacy policy with opt-out and deletion rights.”
> Show 5 unconfirmed / not-held certifications
source: docs.retool.comRetool MSA explicitly states: 'Customer acknowledges that Retool is not a Business Associate or subcontractor (as those terms are defined in the Health Insurance Portability and Accountability Act).' Cloud platform directs customers: 'Customer should not submit, collect or use any protected health information to the Retool Cloud Platform.' Retool does not sign BAAs for cloud deployments. Note: multiple third-party profiles incorrectly list Retool as HIPAA Compliant - this conflicts with Retool's own legal documentation.
source: trust.retool.comNo evidence of FedRAMP authorization on retool.com, trust.retool.com, or the public FedRAMP marketplace. Not listed in Retool trust center overview alongside SOC 2 and ISO 27001. Nudge Security lists 'FedRAMP: Compliant' but this cannot be confirmed from any Retool-domain source.
source: trust.retool.comNo evidence of PCI DSS certification on retool.com, trust.retool.com, or docs.retool.com. Not listed in Retool trust center overview. Third-party profile (Nudge Security) shows 'PCI DSS: Compliant' but this cannot be confirmed from any Retool-domain source.
source: trust.retool.comNo evidence of CSA STAR certification on retool.com or trust.retool.com. Not listed in Retool trust center overview. Third-party profile (Nudge Security) shows 'CSA STAR Level 1: Compliant' but this cannot be confirmed from any Retool-domain source.
source: trust.retool.comNo public evidence of ISO 42001 AI governance certification on retool.com or trust.retool.com.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS US-East by default; Enterprise plan offers EU data residency option. Self-hosted customers control their own region entirely.
Retool AI Terms state: 'Retool does not currently use Customer Materials or AI Output to train or fine-tune its own artificial intelligence models or algorithms.' If Retool ever changes this, it must provide advance written notice and a meaningful opt-out opportunity before any such use begins. Additionally, 'Retool will maintain contractual agreements with the providers of Retool-Managed Models that prohibit such providers from using Customer Materials or AI Output for their own model training or fine-tuning purposes.' No current training on customer data; LLM providers contractually prohibited from doing so as well.
// Security controls
Encryption in transit
TLS using latest recommended secure cipher suites; continuously monitored and updated for new cryptographic weaknesses
docs.retool.comMFA / 2FA
Supported; administrators can enforce team-wide 2FA; 2FA required for all production server access
docs.retool.comAudit logging
Detailed audit logs for administrators on Business and Enterprise plans; every sign-in logged with device type and IP address
docs.retool.comAccess control
RBAC with column-level data control; remote user disabling on demand; administrator-managed permission tiers
docs.retool.comVulnerability disclosure
Active program at retool.com/vulnerability-reporting; external security firms perform regular audits; continuous automated hybrid scanning
docs.retool.comPenetration testing
Regular external audits by independent security firms; pentest report available via trust center (NDA required)
trust.retool.comData backup
Daily automated backups with 7-day retention; tested at least every 90 days; multi-region redundancy within AWS; hard delete within 24h of admin request, backups purged within 30 days
docs.retool.comPersonnel security
Background checks on all employees before employment; privacy and security training during onboarding and on an ongoing basis
docs.retool.comIncident response
Security incident management policies in place; impacted customers notified without undue delay; 24/7 on-call operations team
docs.retool.comInfrastructure hosting
Amazon Web Services (AWS); fault-tolerant architecture; network segmentation; AWS security groups; real-time intrusion monitoring
docs.retool.comRecent CVEs
CVE-2025-29774 and CVE-2025-29775 (SAML authentication); CVE-2025-47424 (self-hosted deployments) - all documented in trust center with remediation guidance
trust.retool.com// Products & data scope
data: Multi-tenant AWS-hosted; Retool proxies queries to customer data sources server-side but does not store Customer Data unless Retool Database is used; query/workflow caching is optional and can be disabled
Not suitable for HIPAA workloads on cloud (Retool disclaims Business Associate status). SOC 2 T2 and ISO 27001:2022 apply. Pre-signed DPA available.
data: Customer controls all infrastructure; no Retool personnel have technical or logical access to Customer Data; only usage metadata (not Customer Data) is shared with Retool
Most suitable for regulated industries or customers requiring data sovereignty. Retool provides daily-updated Debian base image with latest security patches. Retool still does not sign BAAs even for self-hosted.
data: Prompts and generated output collected; customer controls which model provider receives data; governed by Retool AI Terms
No Retool training on customer data; LLM providers contractually prohibited from training on customer data. If Retool's policy changes, advance notice and opt-out are required.
data: Customer Data stored by Retool in AWS; encryption at rest and in transit; subject to SOC 2 T2 and ISO 27001 controls
Hard delete within 24h of admin-initiated request; backup purge within 30 days. Not suitable for PHI storage.
data: If using Retool-managed Temporal cluster, only orchestration metadata (workflow IDs, encrypted block names, user IDs, host and domain) shared with Temporal Technologies; Customer Data itself is not stored by Temporal
Self-hosted Workflows option avoids Temporal data sharing entirely. Sub-processor list published on Retool docs site.
// What to watch
- HIPAA over-claim in third-party sources: Multiple third-party profiles (Nudge Security, some review sites) list Retool as HIPAA Compliant, but Retool's own MSA explicitly states it is NOT a HIPAA Business Associate and advises against submitting PHI to the cloud platform. Retool does not sign BAAs. AIFOXX must not list HIPAA as a held cert for Retool.
- FedRAMP and PCI DSS unverifiable from vendor domain: Third-party profiles (Nudge Security) list these as compliant, but neither appears in Retool's own trust center overview or any retool.com documentation. Treated as held=false due to absence of vendor-domain evidence.
- CSA STAR unverifiable: Nudge Security lists 'CSA STAR Level 1: Compliant' but no Retool-domain evidence confirms this. Treated as held=false.
- Trust center documents gated: SOC 2 Type 2 report, ISO 27001 certificate, and pentest report are confirmed to exist but require NDA/login at trust.retool.com to access. This is standard enterprise practice.
- CVE risk for self-hosted deployments: CVE-2025-29774 and CVE-2025-29775 (SAML auth) and CVE-2025-47424 (self-hosted) disclosed in 2025. Enterprise buyers should confirm their Retool version is patched.
- AI Terms carve-out in MSA is benign: The MSA language 'except as expressly set forth in the AI Terms' is resolved by the AI Terms themselves - the carve-out refers only to a future opt-out scenario requiring advance written notice, not a current AI training exception.
// At a glance
Pricing model
Free tier + Team (~$10/user/mo) + Business (~$50/user/mo) + Enterprise (custom). Audit logging and RBAC gated to Business/Enterprise.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Retool, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.retool.com