// Trust & Security Report

    Softr Platforms GmbH logo

    Softr Platforms GmbH

    No-code AI business app platform: portals, dashboards, internal tools, built-in database, workflow automation, AI Agents (GPT/Claude/Gemini), mobile apps, and forms

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II audit — clean audit with no noted exceptions, covering Security, Availability, Processing Integrity, Confidentiality, and Privacy Trust Services Criteria. Announced March 28, 2024.

    Verify on softr.io
    GDPR (posture)
    HELD

    Softr Platforms GmbH is a German company incorporated in Berlin. Terms of Service includes Appendix 1 (Data Processing Agreement with SCCs) and Appendix 2 (EU Data Act Addendum). Homepage and enterprise page display 'GDPR Ready' badge.

    Verify on softr.io
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Security page states 'The datacenter is therefore located in Germany and is SOC 1, SOC 2, and ISO 27001 certified' — context makes clear this refers to the AWS datacenter, not Softr itself. The enterprise page does not list ISO 27001 as a Softr certification. This is the host's cert, not the vendor's.

    source: softr.io
    HIPAA
    NOT CONFIRMED

    No public evidence found on softr.io. HIPAA is not listed on the security page, enterprise page, or terms. No BAA mentioned in public documentation.

    source: softr.io
    PCI DSS
    NOT CONFIRMED

    Softr uses Stripe for payment processing and explicitly states it 'never directly handles payment details.' PCI Level 1 certification belongs to Stripe, not Softr. This is the payment processor's cert, not the vendor's.

    source: softr.io
    SOC 2 Type I
    NOT CONFIRMED

    Only Type II announced; no separate Type I report referenced in public documentation. Type II supersedes Type I in any case.

    source: softr.io
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence found. Not mentioned on any softr.io page reviewed.

    source: softr.io
    CSA STAR
    NOT CONFIRMED

    No public evidence found. Not mentioned on any softr.io page reviewed.

    source: softr.io
    FedRAMP
    NOT CONFIRMED

    No public evidence found. Not mentioned on any softr.io page reviewed.

    source: softr.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Germany (AWS eu-central-1)

    DPA (Appendix 1 to ToS) states customer data is not used for training AI models. ToS section 2.10 says 'Data is processed by AI-Tools only when you choose to use them. If you do not make use of AI-Tools, no data is processed by them.' Softr's AI Agents route through third-party providers (OpenAI, Anthropic, Google Gemini); sub-processor AI training policies are governed by those providers' own agreements as listed in the DPA Annex. No explicit opt-out flow described publicly.

    // Security controls

    Encryption in transit

    256-bit TLS for all connections between user devices and Softr servers

    softr.io

    Encryption at rest

    Implied by AWS Germany datacenter; not explicitly stated as a separate Softr control on the security page

    softr.io

    Data center

    Amazon Web Services, Germany (eu-central-1 region)

    softr.io

    Uptime SLA

    99% annual average (contractual ToS clause 2.2); 99.9% uptime stated in marketing

    softr.io

    Backups

    Daily backups retained for 7 days (ToS clause 2.3)

    softr.io

    SSO

    SAML SSO available on Enterprise tier for both builders and end users

    softr.io

    MFA

    MFA enforcement available on Enterprise tier as a centralized governance control

    softr.io

    Audit logs

    Detailed audit logs across apps, databases, and users on Enterprise tier

    softr.io

    Payment security

    Payments processed exclusively by Stripe (PCI Level 1); Softr never directly handles payment card data

    softr.io

    // Products & data scope

    No-code App Builder (Starter / Professional / Business)No-code / low-code SaaS

    data: Customer app structure, user data, and content stored in Softr-hosted database or connected third-party sources (Airtable, Google Sheets, Notion, HubSpot, etc.)

    Core product; SOC 2 and GDPR apply at all paid tiers. Free plan available with limited features.

    AI App Builder / AI AgentsAI-powered no-code builder

    data: Prompts and AI-generated outputs; processed via third-party LLM providers (OpenAI, Anthropic, Google Gemini) only when AI features are actively used

    AI data processing is opt-in; DPA states customer data is not used for training AI models. Sub-processor AI policies may vary.

    EnterpriseEnterprise no-code platform

    data: Full platform scope; Trust Center available on request via sales

    Adds SSO (SAML), MFA enforcement, audit logs, granular workspace management. SOC 2 Type II and GDPR compliance marketed at this tier.

    // What to watch

    • HOST-CERT AMBIGUITY: The security page credits SOC 1, SOC 2, and ISO 27001 to the AWS Germany datacenter, not to Softr itself. Softr's own SOC 2 Type II is independently confirmed via a March 2024 blog post. ISO 27001 is the host's cert; do not list Softr as ISO 27001 certified without further vendor confirmation.
    • This is a customer app hosted on a Softr subdomain, not Softr's own trust center. Softr's actual trust center is gated behind a sales contact form.
    • TRUST CENTER NOT PUBLIC: Softr's Trust Center (including the SOC 2 report) requires contacting the enterprise sales team. There is no self-serve URL, which reduces ongoing verification ability.
    • HIPAA: Not claimed on any Softr domain page. Do not list as HIPAA-covered without a BAA confirmation from the vendor directly.
    • PRIVACY POLICY URL: The footer links to a privacy policy but the direct URL returned a 404 during verification. Privacy terms appear to be embedded within the Terms of Service document at softr.io/terms.
    • AI SUB-PROCESSOR RISK: Softr's AI Agents use OpenAI, Anthropic, and Google Gemini as sub-processors. Softr's own DPA prohibits using customer data for training, but the downstream AI provider agreements govern actual model training behavior and should be reviewed separately by enterprise buyers.

    // At a glance

    Pricing model

    Freemium + tiered subscription (Starter, Professional, Business, Enterprise); billed monthly or annually

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Softr Platforms GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    softr.io

    > Browse all vendor trust reports