// Trust & Security Report
Stack AI, Inc. (acquired by Asana, Inc., May 2026)
Enterprise AI agent workflow platform: no-code builder for agentic workflows, RAG pipelines, and LLM orchestration; deployed as multi-tenant cloud, VPC, on-premise, or air-gapped
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.stackai.com“StackAI has successfully completed a SOC 2 Type II audit conducted by an independent third-party firm. Click below to request access to the full report.”
Verify on trust.stackai.com“Our Information Security Management System (ISMS) has been independently audited and certified as compliant with ISO 27001. Click below to request the full certification report.”
Verify on stackai.com“Footer link 'Sign BAA With Us' (a mailto link) confirms Business Associate Agreements are available for enterprise customers; the general enterprise contact on the site is enterprise@stack-ai.com.”
Verify on trust.stackai.com“Stack AI undergoes regular third-party penetration testing. Our May 2025 assessment concluded a Low overall risk rating with no critical vulnerabilities identified.”
> Show 7 unconfirmed / not-held certifications
source: stackai.comHIPAA is a US regulation, not an auditable certification. StackAI markets it as a 'certification' in homepage and security page copy, but their own blog post accurately states: 'Stack AI was also audited against HIPAA standards during the same period as the SOC 2 Type II audit.' The Trust Center compliance section lists only SOC 2 Type II and ISO 27001 as formal certifications; HIPAA does not appear there. BAA is available ('Sign BAA With Us' in footer), which is the operative HIPAA tool for covered entities.
source: stackai.comGDPR is an EU regulation, not a certification. StackAI labels it as a 'certification' in marketing copy alongside SOC 2 and ISO 27001, but GDPR cannot be formally certified. The Trust Center does not list GDPR in its compliance certifications section. StackAI does demonstrate GDPR compliance posture through privacy policy and DPA availability, but held=false for certification framing.
source: trust.stackai.comNo public evidence of PCI DSS certification or scope on any vendor-domain page reviewed.
source: trust.stackai.comNo public evidence of FedRAMP authorization on any vendor-domain page reviewed.
source: trust.stackai.comNo public evidence of CSA STAR entry or assessment on any vendor-domain page reviewed.
source: trust.stackai.comNo public evidence of ISO 42001 certification on any vendor-domain page reviewed.
source: trust.stackai.comNo public evidence of these certifications on any vendor-domain page reviewed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Not explicitly stated on public pages. Deployment options include multi-tenant cloud (region unspecified), VPC, on-premise, and air-gapped on-premise; contact required for data residency specifics.
Explicitly stated on security page: 'We ensure that your data is not used for training AI models through data processing addendums (DPAs).' DPAs executed with OpenAI and Anthropic (as LLM subprocessors) are available on request via the Trust Center. No tier-based differences noted; this appears to apply to all tiers.
// Security controls
Continuous monitoring
Secureframe-monitored across 9 control domains (Change Management, Availability, Confidentiality, Vulnerability Management, Incident Response, Risk Assessment, Network Security, Access Security, Physical Security)
trust.stackai.comPenetration testing
Annual third-party pen test; May 2025 result: Low overall risk, no critical vulnerabilities
trust.stackai.comVulnerability management
Regular automated scans plus third-party assessment; patch management policy in place
trust.stackai.comDeployment options
Multi-tenant cloud, Virtual Private Cloud (VPC), on-premise, air-gapped on-premise
stackai.comIncident response
Documented plan with tracking, lessons-learned protocol, and regular testing
trust.stackai.comCybersecurity insurance
Listed as an active control in Organizational Management domain
trust.stackai.comResponsible disclosure
Public responsible disclosure policy with safe harbor; contact via security page
stackai.com// Products & data scope
data: Customer workflow data, documents, and query inputs processed in shared infrastructure. AES-256 at rest, TLS 1.3 in transit. No AI model training on customer data.
Free tier (500 runs/month, 2 projects, 1 seat) and Enterprise tier available. SSO, HIPAA BAA, and compliance features are enterprise-only.
data: Customer data remains in a dedicated Virtual Private Cloud. Enables stronger data isolation for regulated industries.
Enterprise tier only. Suitable for customers needing network-level data segregation.
data: All data stays within the customer's own infrastructure. Maximum data control and sovereignty.
Enterprise tier only. Suitable for government, defense, and highly regulated environments.
// What to watch
- OVER-CLAIM: StackAI's homepage, security page, and solutions pages list HIPAA alongside SOC 2 Type II and ISO 27001 under the heading 'OUR CERTIFICATIONS'. HIPAA is a US federal regulation, not an auditable certification product. Their own blog post correctly describes it as 'audited against HIPAA standards.' The Trust Center's formal compliance section lists only SOC 2 Type II and ISO 27001. AIFOXX should display this as 'HIPAA-compliant (BAA available)' rather than implying a formal HIPAA certification.
- OVER-CLAIM: GDPR is similarly labeled a 'certification' in marketing copy. GDPR is an EU regulation; compliance posture is not the same as certification. Correctly describe as 'GDPR compliant' or 'GDPR data processing posture.'
- CORPORATE EVENT: Asana, Inc. acquired Stack AI, Inc. on May 28, 2026 for approximately $75M. StackAI continues to operate as its own brand post-acquisition, but data handling agreements, SLAs, and compliance boundaries may change as integration progresses. Buyers in regulated sectors should verify current BAA and DPA status with the vendor directly.
- AUDIT CURRENCY: StackAI's own blog (https://www.stackai.com/blog/soc2-type2-hipaa) states the SOC 2 Type II audit covered March 1 to May 31, 2024 and was conducted by Modern Assurance, which is over two years before this assessment date (June 27, 2026). Note: the Trust Center itself does not publish the audit period or auditor name, so this detail is sourced from the blog, not the Trust Center. No evidence of a subsequent renewal audit was found. Buyers should request the current report and confirm the audit period when evaluating.
// At a glance
Pricing model
Freemium + Enterprise (custom); Free: 500 runs/month, 2 projects, 1 seat; Enterprise: custom runs, unlimited projects, custom seats, dedicated infrastructure
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Stack AI, Inc. (acquired by Asana, Inc., May 2026)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.stackai.com