// Trust & Security Report
Roam Research, Inc.
Roam Research - a graph-based note-taking / knowledge-management tool ('a note-taking tool for networked thought'), with a web app, desktop apps (macOS, Windows, Linux), mobile apps (iOS, Android), and a Chrome extension ('Roam Reader'). Single core product with Pro (subscription) and Believer (lifetime) plans; no separate enterprise or API-only SKU observed.
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: roamresearch.comNo public evidence. No trust center, SOC 2 badge, or audit report found on roamresearch.com. A third-party aggregator (Nudge Security) lists Roam Research as 'SOC 2 Compliant', but this is not corroborated by any vendor-domain source and is treated as unreliable (see flags).
source: roamresearch.comNo public evidence on roamresearch.com. Same unverifiable third-party claim as above applies and is not used for grading.
source: roamresearch.comNo public evidence directly confirmed on the vendor's own domain during this verification pass. The homepage footer references a 'T&C/Privacy' link, but the linked privacy/terms pages (e.g. roamresearch.com/privacy, roamresearch.com/terms.html) returned HTTP 404, and the community subdomain (forum.roamresearch.com, which historically hosted the ToS/Privacy pages) failed to resolve (DNS error) during verification. Could not independently confirm GDPR representative or DPA language as belonging to this vendor rather than a similarly-named 'Roam' company.
source: roamresearch.comNo public evidence. No BAA, healthcare-specific terms, or HIPAA statement found for this note-taking product.
source: roamresearch.comNo public evidence. Payment processing appears to be delegated to a third-party processor (Stripe, per third-party supply-chain listing); no vendor-domain PCI statement found.
source: roamresearch.comNo public evidence. No AI governance certification or AI-specific trust page found.
source: roamresearch.comNo public evidence on the vendor's own domain. Unverified third-party aggregator claim not used for grading.
source: roamresearch.comNo public evidence; not applicable/expected for a company of this size and product type.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
not verified
No public AI-training policy found for Roam Research's own product. The homepage advertises a 'Roam Reader for Chrome' extension but provides no data-usage/training disclosure. No opt-out mechanism or tiered AI-training language was located. Not verified.
// Security controls
Vulnerability disclosure
Roam Research's official GitHub organization (github.com/Roam-Research) publishes a security policy: reports go to security@roamresearch.com, a coordinated-disclosure model with a default 90-day remediation window, and a safe-harbor clause for good-faith researchers.
github.com// Products & data scope
data: User-authored notes, graphs, and uploaded files/attachments; account and billing information
Core product across Pro ($15/mo or $165/yr) and Believer ($500 one-time for 5 years) plans; both include unlimited private/public graphs, unlimited collaborators, and API access.
data: Browsing content the user chooses to clip into Roam
Newly promoted on the homepage ('NEW: Try Roam Reader for Chrome'); no separate security/privacy documentation found for it.
// What to watch
- During gap-fill, roamresearch.com/privacy and roamresearch.com/terms.html returned HTTP 404, and forum.roamresearch.com (which historically hosted /tos and /privacy) failed to resolve via DNS during this verification session - the vendor's own privacy/terms text could not be directly read and confirmed firsthand.
- Third-party aggregator (Nudge Security) lists Roam Research as SOC 2 / ISO 27001 / HIPAA / PCI / FedRAMP / CSA STAR compliant. This is not corroborated by any vendor-domain evidence, is implausible for a company of this size, and was excluded from grading as an unverifiable/likely-incorrect data source. Flagging as a potential bad-data risk if reused elsewhere.
- High identity-conflation risk: search results are dominated by unrelated companies that also brand themselves 'Roam' - ro.am / 'Roam Virtual Workspace' (virtual office/video platform, has real GDPR/EDPO/encryption documentation but is NOT this vendor), Roam Network, Roam.ai, Roam Resource, Roamr, and roam.plus. None of their certifications or privacy terms were attributed to Roam Research (roamresearch.com) in this assessment.
- Company appears to be a small, resource-constrained startup (~10 employees per third-party company-profile sites; ~$9M raised) with reportedly slow product velocity (per Every.to, 'The Fall of Roam', 2026) - consistent with having no formal third-party compliance program, but this should be reconfirmed with a live fetch once the vendor's domain/subdomain access issues clear.
// At a glance
Pricing model
Subscription (Pro: $15/mo or $165/yr) plus a one-time lifetime tier (Believer: $500 for 5 years)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Roam Research, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
roamresearch.com