// Trust & Security Report
Softr Platforms GmbH
No-code AI business app platform: portals, dashboards, internal tools, built-in database, workflow automation, AI Agents (GPT/Claude/Gemini), mobile apps, and forms
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on softr.io“SOC 2 Type II audit — clean audit with no noted exceptions, covering Security, Availability, Processing Integrity, Confidentiality, and Privacy Trust Services Criteria. Announced March 28, 2024.”
Verify on softr.io“Softr Platforms GmbH is a German company incorporated in Berlin. Terms of Service includes Appendix 1 (Data Processing Agreement with SCCs) and Appendix 2 (EU Data Act Addendum). Homepage and enterprise page display 'GDPR Ready' badge.”
> Show 7 unconfirmed / not-held certifications
source: softr.ioSecurity page states 'The datacenter is therefore located in Germany and is SOC 1, SOC 2, and ISO 27001 certified' — context makes clear this refers to the AWS datacenter, not Softr itself. The enterprise page does not list ISO 27001 as a Softr certification. This is the host's cert, not the vendor's.
source: softr.ioNo public evidence found on softr.io. HIPAA is not listed on the security page, enterprise page, or terms. No BAA mentioned in public documentation.
source: softr.ioSoftr uses Stripe for payment processing and explicitly states it 'never directly handles payment details.' PCI Level 1 certification belongs to Stripe, not Softr. This is the payment processor's cert, not the vendor's.
source: softr.ioOnly Type II announced; no separate Type I report referenced in public documentation. Type II supersedes Type I in any case.
source: softr.ioNo public evidence found. Not mentioned on any softr.io page reviewed.
source: softr.ioNo public evidence found. Not mentioned on any softr.io page reviewed.
source: softr.ioNo public evidence found. Not mentioned on any softr.io page reviewed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Germany (AWS eu-central-1)
DPA (Appendix 1 to ToS) states customer data is not used for training AI models. ToS section 2.10 says 'Data is processed by AI-Tools only when you choose to use them. If you do not make use of AI-Tools, no data is processed by them.' Softr's AI Agents route through third-party providers (OpenAI, Anthropic, Google Gemini); sub-processor AI training policies are governed by those providers' own agreements as listed in the DPA Annex. No explicit opt-out flow described publicly.
// Security controls
Encryption in transit
256-bit TLS for all connections between user devices and Softr servers
softr.ioEncryption at rest
Implied by AWS Germany datacenter; not explicitly stated as a separate Softr control on the security page
softr.ioUptime SLA
99% annual average (contractual ToS clause 2.2); 99.9% uptime stated in marketing
softr.ioPayment security
Payments processed exclusively by Stripe (PCI Level 1); Softr never directly handles payment card data
softr.io// Products & data scope
data: Customer app structure, user data, and content stored in Softr-hosted database or connected third-party sources (Airtable, Google Sheets, Notion, HubSpot, etc.)
Core product; SOC 2 and GDPR apply at all paid tiers. Free plan available with limited features.
data: Prompts and AI-generated outputs; processed via third-party LLM providers (OpenAI, Anthropic, Google Gemini) only when AI features are actively used
AI data processing is opt-in; DPA states customer data is not used for training AI models. Sub-processor AI policies may vary.
data: Full platform scope; Trust Center available on request via sales
Adds SSO (SAML), MFA enforcement, audit logs, granular workspace management. SOC 2 Type II and GDPR compliance marketed at this tier.
// What to watch
- HOST-CERT AMBIGUITY: The security page credits SOC 1, SOC 2, and ISO 27001 to the AWS Germany datacenter, not to Softr itself. Softr's own SOC 2 Type II is independently confirmed via a March 2024 blog post. ISO 27001 is the host's cert; do not list Softr as ISO 27001 certified without further vendor confirmation.
- This is a customer app hosted on a Softr subdomain, not Softr's own trust center. Softr's actual trust center is gated behind a sales contact form.
- TRUST CENTER NOT PUBLIC: Softr's Trust Center (including the SOC 2 report) requires contacting the enterprise sales team. There is no self-serve URL, which reduces ongoing verification ability.
- HIPAA: Not claimed on any Softr domain page. Do not list as HIPAA-covered without a BAA confirmation from the vendor directly.
- PRIVACY POLICY URL: The footer links to a privacy policy but the direct URL returned a 404 during verification. Privacy terms appear to be embedded within the Terms of Service document at softr.io/terms.
- AI SUB-PROCESSOR RISK: Softr's AI Agents use OpenAI, Anthropic, and Google Gemini as sub-processors. Softr's own DPA prohibits using customer data for training, but the downstream AI provider agreements govern actual model training behavior and should be reviewed separately by enterprise buyers.
// At a glance
Pricing model
Freemium + tiered subscription (Starter, Professional, Business, Enterprise); billed monthly or annually
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Softr Platforms GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
softr.io