// Trust & Security Report

    Shortcut Software Company logo

    Shortcut Software Company

    Shortcut is a project management / issue-tracking platform for software teams (formerly Clubhouse). Its notable sub-product is Korey (korey.ai), an AI orchestration agent for product development built by Shortcut Software, plus a Shortcut MCP Server for connecting Shortcut to coding agents like Cursor and Claude Code. Note: the similarly-named domain shortcut.ai ("Shortcut AI", an Excel-automation agent by Fundamental Research Labs) is a DIFFERENT, unrelated company and must not be confused with this vendor.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Shortcut has successfully completed its SOC 2 Type 2 audits for controls relevant to security, availability, and confidentiality with no exceptions.

    Verify on shortcut.com
    GDPR (posture)
    HELD

    We are a data processor of the personal data inputted or generated by our customer's use of the Platform... Shortcut is self-certified and adheres to the EU-U.S. Data Privacy Framework Principles... We may alternatively rely on appropriate Standard Contractual Clauses with such recipients to ensure adequate protection for your personal data.

    Verify on shortcut.com
    HIPAA / BAA
    HELD

    Shortcut supports workflows that involve patient and other sensitive health data. For HIPAA compliance, we offer a Business Associate Agreement (BAA)

    Verify on shortcut.com
    SOC 2 Type II (Korey AI agent)
    HELD

    SOC 2 Type II compliant, Private by default, Built-in safety checks, and Zero data retention.

    Verify on korey.ai
    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    No public evidence of a separate Type I attestation; vendor cites completed Type II audits directly.

    source: shortcut.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Shortcut's security page and marketing ("GDPR and SOC2 compliant | ... | HIPAA & BAA Ready") list SOC 2, GDPR posture and HIPAA/BAA readiness but do not mention ISO 27001; no ISO certificate or trust-center entry found on the vendor domain.

    source: shortcut.com
    PCI DSS
    NOT CONFIRMED

    your credit card information is handed off to Stripe, a company dedicated to storing your sensitive data on PCI-Compliant servers. Their servers do not store or even see your credit card information. (This is Stripe's PCI compliance as payment processor, not a Shortcut-held PCI certification; Shortcut itself never handles card data.)

    source: shortcut.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification for Shortcut or its Korey AI agent on any vendor-owned domain (shortcut.com or korey.ai).

    source: shortcut.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR listing or registry entry for Shortcut on any vendor-owned domain.

    source: shortcut.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; not mentioned on the security or trust pages.

    source: shortcut.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Hosted on AWS (US); the GDPR subprocessor list shows nearly all subprocessors located in the United States (one exception, CKEditor, in Poland). No explicit EU/UK data-residency option is documented on the public site.

    Shortcut's privacy policy states: 'By default, we will not use your inputs or outputs to train our language learning models,' with training occurring only if a customer explicitly reports feedback/bugs or explicitly opts in (a future-facing option, not currently enabled by default). Korey (Shortcut's AI agent, built by Shortcut Software and hosted at korey.ai) separately states it operates with 'Zero data retention' and does not use customer inputs/outputs to train models. No public DPA (Data Processing Agreement) page was found on shortcut.com; a DPA is likely available via sales/Master Services Agreement for paid plans but this was not confirmed on a vendor-owned page, so dpa is graded false (no public evidence) rather than assumed true.

    // Security controls

    Encryption in transit

    All data exchanged with Shortcut is done via the HTTPS protocol.

    shortcut.com

    Password storage

    All passwords are filtered from all our logs and are one-way encrypted in the database using bcrypt.

    shortcut.com

    MFA

    Two-factor authentication (2FA) available as an additional security measure when accessing a Shortcut account.

    shortcut.com

    SSO / SCIM

    Google SSO included for all plans; SSO and SCIM available (on higher tiers per pricing page: Business/Enterprise).

    shortcut.com

    Backups

    Incremental, encrypted backups of the DynamoDB datastore every 10 minutes to Amazon S3, designed for 99.999999999% durability.

    shortcut.com

    Infrastructure access controls

    Deployed on AWS; SSH disabled on data-access machines; employee access to customer data requires written permission and is audit-trailed.

    shortcut.com

    Payment data handling

    Credit card information is handed off to Stripe (PCI-compliant); Shortcut's own servers never store or see card data.

    shortcut.com

    Vulnerability disclosure

    Responsible Disclosure policy published.

    shortcut.com

    // Products & data scope

    Shortcut (core platform)Project management / issue tracking

    data: Customer work data (stories, epics, comments, attachments), user account data, integrations (GitHub, GitLab, Slack, Sentry, etc.)

    Free, Team, Business, and Enterprise tiers. Google SSO on all plans; SSO/SAML and SCIM gated to Business/Enterprise per the pricing page.

    Korey (AI agent for product development)AI orchestration / coding agent

    data: Reads and acts on connected Shortcut project data and explicitly-connected tools; produces specs, PRs, and task updates.

    Hosted at korey.ai, built by Shortcut Software. Vendor states SOC 2 Type II, zero data retention, and no training on customer data. Uses Anthropic as an AI subprocessor per Shortcut's GDPR subprocessor list.

    Shortcut MCP ServerDeveloper integration (Model Context Protocol)

    data: Connects Shortcut to third-party coding agents/tools (e.g., Cursor, Claude Code) to sync work with GitHub.

    Same underlying platform security/privacy posture as core Shortcut; no separate certification found.

    // What to watch

    • Name-collision risk: shortcut.ai ("Shortcut AI", an Excel automation agent by Fundamental Research Labs) is a completely different company from shortcut.com (Shortcut Software Company) and must never be conflated in listings, certs, or copy.
    • ISO 27001 is not held; only SOC 2 and GDPR/HIPAA posture are confirmed. Do not let 'GDPR and SOC2 compliant | ... HIPAA & BAA Ready' marketing banner on the homepage be read as implying ISO 27001 or a formal HIPAA certification (HIPAA has no such certification; only a BAA offering).
    • No public DPA page found on shortcut.com; likely available via sales contract but not independently verified on a vendor-owned page.
    • Korey's SOC 2 Type II and zero-data-retention claims are sourced from korey.ai (owned/operated by Shortcut Software per their own About page), a separate marketing domain from shortcut.com; treat as a sub-product claim, not verified on the shortcut.com trust center itself.
    • PCI DSS applies to payment processor Stripe, not to Shortcut directly; graded held=false to avoid overstating Shortcut's own PCI scope.

    // At a glance

    Pricing model

    Per-user/month SaaS: Free forever tier, Team ($8.50/user/mo annual), Business ($12/user/mo annual, adds SSO/SAML and advanced permissions), custom Enterprise pricing for 100+ seats.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Shortcut Software Company's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    shortcut.com

    > Browse all vendor trust reports