// Trust & Security Report
ReturnGO Ltd.
Post-purchase / returns and exchanges management platform for e-commerce brands (primarily Shopify), covering Returns, Exchanges, Return Coverage (paid return protection), Shipping label generation, Tracking & Notifications, the 'Edge' self-service customer portal, and an API / OEM white-label solution for logistics and platform partners.
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on returngo.ai“ReturnGO is now recognized as SOC 2 Type II compliant, meeting the highest standards of security and data privacy.”
Verify on returngo.ai“SOC 2 Enterprise-Grade Security. Don't skimp on post-purchase security. With ReturnGO's secure SOC 2 certified platform, you can streamline returns while protecting customer data.”
Verify on returngo.ai“ReturnGo is headquartered in Israel, a jurisdiction which is considered by the European Commission to be offering an adequate level of protection ... you may request access to, and rectification or erasure of your Personal Data.”
> Show 7 unconfirmed / not-held certifications
source: returngo.aiNo public evidence: ISO 27001 is not mentioned anywhere on the vendor's site (homepage, SOC 2 announcement, privacy policy, or terms of service), and no independent trust center exists to check.
source: returngo.aiNo public evidence: HIPAA is not referenced on the vendor's site. ReturnGO processes e-commerce order/return data, not health records, so HIPAA is likely out of scope for the product rather than an unmet requirement.
source: returngo.aiNo public evidence: not mentioned on the vendor's site. ReturnGO integrates with third-party carriers/payment rails for shipping labels and return coverage fees rather than stating it directly handles cardholder data itself.
source: returngo.aiNo public evidence: none of these cloud-security or privacy-information ISO extensions are mentioned anywhere on the vendor's site.
source: returngo.aiNo public evidence: no AI-governance certification is referenced, despite the product using 'algorithms' trained on customer usage data.
source: returngo.aiNo public evidence: not mentioned on the vendor's site.
source: returngo.aiNo public evidence and not applicable: ReturnGO is a commercial e-commerce SaaS with no indication of US federal government customers or FedRAMP authorization.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
US (AWS servers), per privacy policy: 'Your Personal Data is maintained, processed and stored by us and our authorized Service Providers in the AWS servers in US' plus other locations 'as reasonably necessary.' Company is headquartered in Israel.
Privacy policy states User Data ('profile and contact details, and usage, preferences, engagement, analytics data and data obtained from the Solution') is 'used by us to train our algorithms and create better services.' Terms of Service separately permit ReturnGO to 'aggregate, de-identify and/or anonymize Data' for service improvement. No explicit customer opt-out mechanism for algorithm training was found in either document, and no dedicated Data Processing Agreement (DPA) was located, so enterprise buyers should confirm training/opt-out terms contractually before onboarding.
// Security controls
Certification
SOC 2 Type II compliant (announced April 2024); no named audit firm in vendor materials reviewed.
returngo.aiEncryption
"Industry-standard physical, procedural and technical security measures, including encryption as appropriate" — no specifics on in-transit vs at-rest algorithms disclosed.
returngo.aiHosting / infrastructure
Data hosted on AWS servers in the US, per privacy policy; underlying AWS SOC 2/ISO certifications belong to AWS as host, not to ReturnGO directly.
returngo.aiEmail authentication
DKIM and SPF protocols used for outbound notification emails; CAN-SPAM compliant; emails sent via Amazon SES.
support.returngo.aiData retention
Personal data retained "for not more than 7 years from termination" of the customer engagement, subject to legal/dispute exceptions.
returngo.aiData ownership / liability
Terms of Service cap ReturnGO's liability at 12 months of subscription fees and exclude indirect/consequential damages; ToS also states ReturnGO has 'no obligation to meet any service level or uptime availability parameters.'
returngo.ai// Products & data scope
data: Order data, customer contact/profile data, return reason/analytics data
Primary product; integrates with Shopify and other e-commerce platforms plus carriers, 3PL, ERP, helpdesk and loyalty systems.
data: Customer order lookup, exchange selection data
Branded self-service portal layered on the core platform; no separate compliance scope disclosed.
data: Order value, coverage purchase/claim data
Shifts return cost to shoppers via an optional paid coverage fee; no separate financial/insurance compliance disclosure (e.g., no PCI or insurance-regulatory certification) found.
data: Same underlying return/shipment data, exposed to logistics and platform partners
Marketed to 'Innovators' and 'Logistics Partners' to embed ReturnGO functionality; no distinct security documentation found for this surface, so the same SOC 2 Type II claim should be treated as covering the whole platform unless a report scope letter says otherwise.
// What to watch
- No independent trust center found (trust.returngo.ai does not resolve); SOC 2 Type II claim is corroborated by two vendor-domain pages (homepage badge + dedicated announcement post) but no downloadable report, auditor name, or report date range was accessible to verify scope and freshness.
- Company was reportedly acquired in July 2025 (per TechCrunch/Dealroom coverage found via search, not vendor-confirmed) — post-acquisition ownership/security posture should be reconfirmed before listing as current.
- Privacy policy confirms customer usage data is used to 'train our algorithms' with no explicit opt-out documented in the evidence reviewed; enterprise buyers handling sensitive order data should request a DPA, none was found publicly.
- AWS hosting is disclosed, but ReturnGO does not claim AWS's certifications as its own in the pages reviewed — no host-vs-vendor conflation observed, noted here for transparency.
- No ISO 27001, HIPAA, PCI DSS, or AI-governance (ISO 42001 / CSA STAR) certifications found; product is positioned as using 'algorithms' but carries no AI-specific governance certification.
// At a glance
Pricing model
Subscription SaaS
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ReturnGO Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
returngo.ai