// Trust & Security Report

    Shortwave Communications, Inc. logo

    Shortwave Communications, Inc.

    Shortwave is an AI-powered email client built on top of Gmail / Google Workspace (web, iOS, Android, Mac, Windows), with Personal, Pro, Business, Premier, Max and custom Enterprise tiers; sister product Tasklet (separate product, not assessed here) extends AI automation to 3,000+ third-party apps.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    Google CASA Tier 2 (Cloud Application Security Assessment)
    HELD

    Shortwave has been reviewed by third-party security auditors to ensure it complies with strict security requirements.

    Verify on shortwave.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    If your organization requires SOC 2 Type II or GDPR compliance, please contact our team at support@shortwave.com.

    source: shortwave.com
    ISO 27001
    NOT CONFIRMED

    no public evidence; not mentioned on Shortwave's own security, FAQ, or policy pages

    source: shortwave.com
    HIPAA
    NOT CONFIRMED

    no public evidence; not mentioned anywhere on shortwave.com. A third-party review site (not the vendor) claims Shortwave is 'HIPAA Compliant, PCI Compliant... FedRamp Compliant, and CSA Star Level 1 Compliant' with no citation; this claim does not appear on any shortwave.com page and is treated as unverified marketing by an unrelated site, not vendor-asserted

    source: shortwave.com
    GDPR
    NOT CONFIRMED

    If your organization requires SOC 2 Type II or GDPR compliance, please contact our team at support@shortwave.com. / Your Personal Data will be transferred from your location to our facilities and servers in the United States.

    source: shortwave.com
    PCI DSS
    NOT CONFIRMED

    no public evidence; not mentioned on shortwave.com (billing is handled via a third-party payment processor per Privacy Policy, so PCI scope, if any, likely sits with that processor, not Shortwave directly)

    source: shortwave.com
    FedRAMP
    NOT CONFIRMED

    no public evidence; not mentioned on shortwave.com

    source: shortwave.com
    CSA STAR
    NOT CONFIRMED

    no public evidence; not mentioned on shortwave.com

    source: shortwave.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    no public evidence; not mentioned on shortwave.com

    source: shortwave.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States (Google Cloud data centers); Privacy Policy: 'Your Personal Data will be transferred from your location to our facilities and servers in the United States.'

    Vendor security page states 'Your data will never be used to train third-party LLMs.' AI processing (including a RAG pipeline) runs on Google Cloud plus named sub-processors OpenAI, Anthropic and Pinecone; Shortwave states 'the vast majority of our AI workloads use open source models that run on hardware we control.' No dedicated DPA document is published or linked from the Privacy Policy or Terms of Service; enterprise customers appear to negotiate this via sales (SOC 2/GDPR are 'available on request').

    // Security controls

    Encryption at rest

    AES-256

    shortwave.com

    Encryption in transit

    TLS 1.2+

    shortwave.com

    Hosting

    All data stored in Google Cloud data centers

    shortwave.com

    Sub-processors (AI)

    Google Cloud, OpenAI, Anthropic, Pinecone

    shortwave.com

    Employee data access controls

    Hardware security key (MFA) required for employee access; access is audit-logged; vendor states no customer data is accessed without explicit customer permission

    shortwave.com

    Google API data use

    Compliant with Google's API Services User Data Policy, including Limited Use requirements for Restricted Scopes; approved for Google Workspace Marketplace listing

    shortwave.com

    Vulnerability disclosure program

    Public responsible-disclosure program (report to security@shortwave.com); policy last updated 2021-12-10; no bug bounty payout mentioned

    shortwave.com

    Tracking/pixel protection

    Automatically detects and strips most email tracking pixels; proxies remote images through Shortwave servers to mask user IP/browser info

    shortwave.com

    // Products & data scope

    Shortwave Personal/ProIndividual AI email client (Gmail add-on / standalone client)

    data: Single Gmail/.edu mailbox; email content, metadata, and Google profile info synced via Gmail API

    Personal tier restricted to gmail.com/.edu accounts with no custom domain; Pro adds full AI search history and writing features

    Shortwave Business/Premier/MaxTeam AI email & collaboration

    data: Up to 10+ team mailboxes, Google Workspace domains, shared threads/labels, team-wide AI search across member inboxes

    Adds team inboxes, shared comments, priority support; still built on the same underlying Google Cloud infrastructure and sub-processor list as Personal/Pro

    Shortwave EnterpriseCustom enterprise plan (50+ seats)

    data: Same architecture as Business tier; SOC 2 Type II report and GDPR documentation made available on request

    This is the only tier where the vendor indicates SOC 2/GDPR paperwork can be obtained, and only via direct contact with support/sales, not a public trust center

    Tasklet (sister product)24/7 AI workflow automation, 3,000+ app integrations

    data: Separate product surface from Shortwave email; not covered by the evidence reviewed for this assessment

    Marketed alongside Shortwave but should be assessed independently before any compliance claims are extended to it

    // What to watch

    • No public trust center; SOC 2 Type II and GDPR documentation are gated behind a sales/support request rather than published, so 'available on request' cannot be verified as an actually completed audit versus a future commitment.
    • Several low-quality third-party review/listicle sites (not shortwave.com) claim Shortwave is 'PCI Compliant, HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant.' None of these appear on any shortwave.com page; this looks like an unverified/likely-fabricated listicle claim and should NOT be repeated in the AIFOXX listing.
    • A visually similar domain, shortwave.am, is an unrelated company (appears to be an SDR/analytics tool) with its own separate privacy policy; do not conflate it with shortwave.com (Shortwave Communications, Inc., the email client assessed here).
    • No dedicated Data Processing Agreement (DPA) document is publicly linked from the Privacy Policy or Terms of Service.

    // At a glance

    Pricing model

    Freemium/subscription: free tier, Personal/Pro per-seat monthly or annual, Business $30/seat/mo ($24/seat/mo annual), higher Premier/Max/Enterprise tiers up to ~$100/seat/mo, custom Enterprise pricing for 50+ seats

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Shortwave Communications, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    shortwave.com

    > Browse all vendor trust reports