// Trust & Security Report
Shortcut Software Company
Shortcut is a project management / issue-tracking platform for software teams (formerly Clubhouse). Its notable sub-product is Korey (korey.ai), an AI orchestration agent for product development built by Shortcut Software, plus a Shortcut MCP Server for connecting Shortcut to coding agents like Cursor and Claude Code. Note: the similarly-named domain shortcut.ai ("Shortcut AI", an Excel-automation agent by Fundamental Research Labs) is a DIFFERENT, unrelated company and must not be confused with this vendor.
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on shortcut.com“Shortcut has successfully completed its SOC 2 Type 2 audits for controls relevant to security, availability, and confidentiality with no exceptions.”
Verify on shortcut.com“We are a data processor of the personal data inputted or generated by our customer's use of the Platform... Shortcut is self-certified and adheres to the EU-U.S. Data Privacy Framework Principles... We may alternatively rely on appropriate Standard Contractual Clauses with such recipients to ensure adequate protection for your personal data.”
Verify on shortcut.com“Shortcut supports workflows that involve patient and other sensitive health data. For HIPAA compliance, we offer a Business Associate Agreement (BAA)”
Verify on korey.ai“SOC 2 Type II compliant, Private by default, Built-in safety checks, and Zero data retention.”
> Show 6 unconfirmed / not-held certifications
source: shortcut.comNo public evidence of a separate Type I attestation; vendor cites completed Type II audits directly.
source: shortcut.comNo public evidence. Shortcut's security page and marketing ("GDPR and SOC2 compliant | ... | HIPAA & BAA Ready") list SOC 2, GDPR posture and HIPAA/BAA readiness but do not mention ISO 27001; no ISO certificate or trust-center entry found on the vendor domain.
source: shortcut.comyour credit card information is handed off to Stripe, a company dedicated to storing your sensitive data on PCI-Compliant servers. Their servers do not store or even see your credit card information. (This is Stripe's PCI compliance as payment processor, not a Shortcut-held PCI certification; Shortcut itself never handles card data.)
source: shortcut.comNo public evidence of ISO 42001 certification for Shortcut or its Korey AI agent on any vendor-owned domain (shortcut.com or korey.ai).
source: shortcut.comNo public evidence of a CSA STAR listing or registry entry for Shortcut on any vendor-owned domain.
source: shortcut.comNo public evidence of FedRAMP authorization; not mentioned on the security or trust pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Hosted on AWS (US); the GDPR subprocessor list shows nearly all subprocessors located in the United States (one exception, CKEditor, in Poland). No explicit EU/UK data-residency option is documented on the public site.
Shortcut's privacy policy states: 'By default, we will not use your inputs or outputs to train our language learning models,' with training occurring only if a customer explicitly reports feedback/bugs or explicitly opts in (a future-facing option, not currently enabled by default). Korey (Shortcut's AI agent, built by Shortcut Software and hosted at korey.ai) separately states it operates with 'Zero data retention' and does not use customer inputs/outputs to train models. No public DPA (Data Processing Agreement) page was found on shortcut.com; a DPA is likely available via sales/Master Services Agreement for paid plans but this was not confirmed on a vendor-owned page, so dpa is graded false (no public evidence) rather than assumed true.
// Security controls
Password storage
All passwords are filtered from all our logs and are one-way encrypted in the database using bcrypt.
shortcut.comMFA
Two-factor authentication (2FA) available as an additional security measure when accessing a Shortcut account.
shortcut.comSSO / SCIM
Google SSO included for all plans; SSO and SCIM available (on higher tiers per pricing page: Business/Enterprise).
shortcut.comBackups
Incremental, encrypted backups of the DynamoDB datastore every 10 minutes to Amazon S3, designed for 99.999999999% durability.
shortcut.comInfrastructure access controls
Deployed on AWS; SSH disabled on data-access machines; employee access to customer data requires written permission and is audit-trailed.
shortcut.comPayment data handling
Credit card information is handed off to Stripe (PCI-compliant); Shortcut's own servers never store or see card data.
shortcut.com// Products & data scope
data: Customer work data (stories, epics, comments, attachments), user account data, integrations (GitHub, GitLab, Slack, Sentry, etc.)
Free, Team, Business, and Enterprise tiers. Google SSO on all plans; SSO/SAML and SCIM gated to Business/Enterprise per the pricing page.
data: Reads and acts on connected Shortcut project data and explicitly-connected tools; produces specs, PRs, and task updates.
Hosted at korey.ai, built by Shortcut Software. Vendor states SOC 2 Type II, zero data retention, and no training on customer data. Uses Anthropic as an AI subprocessor per Shortcut's GDPR subprocessor list.
data: Connects Shortcut to third-party coding agents/tools (e.g., Cursor, Claude Code) to sync work with GitHub.
Same underlying platform security/privacy posture as core Shortcut; no separate certification found.
// What to watch
- Name-collision risk: shortcut.ai ("Shortcut AI", an Excel automation agent by Fundamental Research Labs) is a completely different company from shortcut.com (Shortcut Software Company) and must never be conflated in listings, certs, or copy.
- ISO 27001 is not held; only SOC 2 and GDPR/HIPAA posture are confirmed. Do not let 'GDPR and SOC2 compliant | ... HIPAA & BAA Ready' marketing banner on the homepage be read as implying ISO 27001 or a formal HIPAA certification (HIPAA has no such certification; only a BAA offering).
- No public DPA page found on shortcut.com; likely available via sales contract but not independently verified on a vendor-owned page.
- Korey's SOC 2 Type II and zero-data-retention claims are sourced from korey.ai (owned/operated by Shortcut Software per their own About page), a separate marketing domain from shortcut.com; treat as a sub-product claim, not verified on the shortcut.com trust center itself.
- PCI DSS applies to payment processor Stripe, not to Shortcut directly; graded held=false to avoid overstating Shortcut's own PCI scope.
// At a glance
Pricing model
Per-user/month SaaS: Free forever tier, Team ($8.50/user/mo annual), Business ($12/user/mo annual, adds SSO/SAML and advanced permissions), custom Enterprise pricing for 100+ seats.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Shortcut Software Company's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
shortcut.com