// Trust & Security Report
Shortwave Communications, Inc.
Shortwave is an AI-powered email client built on top of Gmail / Google Workspace (web, iOS, Android, Mac, Windows), with Personal, Pro, Business, Premier, Max and custom Enterprise tiers; sister product Tasklet (separate product, not assessed here) extends AI automation to 3,000+ third-party apps.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on shortwave.com“Shortwave has been reviewed by third-party security auditors to ensure it complies with strict security requirements.”
> Show 8 unconfirmed / not-held certifications
source: shortwave.comIf your organization requires SOC 2 Type II or GDPR compliance, please contact our team at support@shortwave.com.
source: shortwave.comno public evidence; not mentioned on Shortwave's own security, FAQ, or policy pages
source: shortwave.comno public evidence; not mentioned anywhere on shortwave.com. A third-party review site (not the vendor) claims Shortwave is 'HIPAA Compliant, PCI Compliant... FedRamp Compliant, and CSA Star Level 1 Compliant' with no citation; this claim does not appear on any shortwave.com page and is treated as unverified marketing by an unrelated site, not vendor-asserted
source: shortwave.comIf your organization requires SOC 2 Type II or GDPR compliance, please contact our team at support@shortwave.com. / Your Personal Data will be transferred from your location to our facilities and servers in the United States.
source: shortwave.comno public evidence; not mentioned on shortwave.com (billing is handled via a third-party payment processor per Privacy Policy, so PCI scope, if any, likely sits with that processor, not Shortwave directly)
source: shortwave.comno public evidence; not mentioned on shortwave.com
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States (Google Cloud data centers); Privacy Policy: 'Your Personal Data will be transferred from your location to our facilities and servers in the United States.'
Vendor security page states 'Your data will never be used to train third-party LLMs.' AI processing (including a RAG pipeline) runs on Google Cloud plus named sub-processors OpenAI, Anthropic and Pinecone; Shortwave states 'the vast majority of our AI workloads use open source models that run on hardware we control.' No dedicated DPA document is published or linked from the Privacy Policy or Terms of Service; enterprise customers appear to negotiate this via sales (SOC 2/GDPR are 'available on request').
// Security controls
Employee data access controls
Hardware security key (MFA) required for employee access; access is audit-logged; vendor states no customer data is accessed without explicit customer permission
shortwave.comGoogle API data use
Compliant with Google's API Services User Data Policy, including Limited Use requirements for Restricted Scopes; approved for Google Workspace Marketplace listing
shortwave.comVulnerability disclosure program
Public responsible-disclosure program (report to security@shortwave.com); policy last updated 2021-12-10; no bug bounty payout mentioned
shortwave.comTracking/pixel protection
Automatically detects and strips most email tracking pixels; proxies remote images through Shortwave servers to mask user IP/browser info
shortwave.com// Products & data scope
data: Single Gmail/.edu mailbox; email content, metadata, and Google profile info synced via Gmail API
Personal tier restricted to gmail.com/.edu accounts with no custom domain; Pro adds full AI search history and writing features
data: Up to 10+ team mailboxes, Google Workspace domains, shared threads/labels, team-wide AI search across member inboxes
Adds team inboxes, shared comments, priority support; still built on the same underlying Google Cloud infrastructure and sub-processor list as Personal/Pro
data: Same architecture as Business tier; SOC 2 Type II report and GDPR documentation made available on request
This is the only tier where the vendor indicates SOC 2/GDPR paperwork can be obtained, and only via direct contact with support/sales, not a public trust center
data: Separate product surface from Shortwave email; not covered by the evidence reviewed for this assessment
Marketed alongside Shortwave but should be assessed independently before any compliance claims are extended to it
// What to watch
- No public trust center; SOC 2 Type II and GDPR documentation are gated behind a sales/support request rather than published, so 'available on request' cannot be verified as an actually completed audit versus a future commitment.
- Several low-quality third-party review/listicle sites (not shortwave.com) claim Shortwave is 'PCI Compliant, HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant.' None of these appear on any shortwave.com page; this looks like an unverified/likely-fabricated listicle claim and should NOT be repeated in the AIFOXX listing.
- A visually similar domain, shortwave.am, is an unrelated company (appears to be an SDR/analytics tool) with its own separate privacy policy; do not conflate it with shortwave.com (Shortwave Communications, Inc., the email client assessed here).
- No dedicated Data Processing Agreement (DPA) document is publicly linked from the Privacy Policy or Terms of Service.
// At a glance
Pricing model
Freemium/subscription: free tier, Personal/Pro per-seat monthly or annual, Business $30/seat/mo ($24/seat/mo annual), higher Premier/Max/Enterprise tiers up to ~$100/seat/mo, custom Enterprise pricing for 50+ seats
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Shortwave Communications, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
shortwave.com