// Trust & Security Report

    Stack AI, Inc. (acquired by Asana, Inc., May 2026) logo

    Stack AI, Inc. (acquired by Asana, Inc., May 2026)

    Enterprise AI agent workflow platform: no-code builder for agentic workflows, RAG pipelines, and LLM orchestration; deployed as multi-tenant cloud, VPC, on-premise, or air-gapped

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    StackAI has successfully completed a SOC 2 Type II audit conducted by an independent third-party firm. Click below to request access to the full report.

    Verify on trust.stackai.com
    ISO 27001
    HELD

    Our Information Security Management System (ISMS) has been independently audited and certified as compliant with ISO 27001. Click below to request the full certification report.

    Verify on trust.stackai.com
    HIPAA BAA
    HELD

    Footer link 'Sign BAA With Us' (a mailto link) confirms Business Associate Agreements are available for enterprise customers; the general enterprise contact on the site is enterprise@stack-ai.com.

    Verify on stackai.com
    Penetration Test (third-party)
    HELD

    Stack AI undergoes regular third-party penetration testing. Our May 2025 assessment concluded a Low overall risk rating with no critical vulnerabilities identified.

    Verify on trust.stackai.com
    > Show 7 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    HIPAA is a US regulation, not an auditable certification. StackAI markets it as a 'certification' in homepage and security page copy, but their own blog post accurately states: 'Stack AI was also audited against HIPAA standards during the same period as the SOC 2 Type II audit.' The Trust Center compliance section lists only SOC 2 Type II and ISO 27001 as formal certifications; HIPAA does not appear there. BAA is available ('Sign BAA With Us' in footer), which is the operative HIPAA tool for covered entities.

    source: stackai.com
    GDPR
    NOT CONFIRMED

    GDPR is an EU regulation, not a certification. StackAI labels it as a 'certification' in marketing copy alongside SOC 2 and ISO 27001, but GDPR cannot be formally certified. The Trust Center does not list GDPR in its compliance certifications section. StackAI does demonstrate GDPR compliance posture through privacy policy and DPA availability, but held=false for certification framing.

    source: stackai.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification or scope on any vendor-domain page reviewed.

    source: trust.stackai.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on any vendor-domain page reviewed.

    source: trust.stackai.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR entry or assessment on any vendor-domain page reviewed.

    source: trust.stackai.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification on any vendor-domain page reviewed.

    source: trust.stackai.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of these certifications on any vendor-domain page reviewed.

    source: trust.stackai.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Not explicitly stated on public pages. Deployment options include multi-tenant cloud (region unspecified), VPC, on-premise, and air-gapped on-premise; contact required for data residency specifics.

    Explicitly stated on security page: 'We ensure that your data is not used for training AI models through data processing addendums (DPAs).' DPAs executed with OpenAI and Anthropic (as LLM subprocessors) are available on request via the Trust Center. No tier-based differences noted; this appears to apply to all tiers.

    // Security controls

    Encryption at rest

    AES-256

    stackai.com

    Encryption in transit

    TLS 1.3

    stackai.com

    SSO / Identity

    SAML-based SSO with role-mapping; enterprise tier only

    stackai.com

    Continuous monitoring

    Secureframe-monitored across 9 control domains (Change Management, Availability, Confidentiality, Vulnerability Management, Incident Response, Risk Assessment, Network Security, Access Security, Physical Security)

    trust.stackai.com

    Penetration testing

    Annual third-party pen test; May 2025 result: Low overall risk, no critical vulnerabilities

    trust.stackai.com

    Vulnerability management

    Regular automated scans plus third-party assessment; patch management policy in place

    trust.stackai.com

    Deployment options

    Multi-tenant cloud, Virtual Private Cloud (VPC), on-premise, air-gapped on-premise

    stackai.com

    Data retention

    Customer-controlled; customer decides retention duration

    stackai.com

    Incident response

    Documented plan with tracking, lessons-learned protocol, and regular testing

    trust.stackai.com

    Cybersecurity insurance

    Listed as an active control in Organizational Management domain

    trust.stackai.com

    Responsible disclosure

    Public responsible disclosure policy with safe harbor; contact via security page

    stackai.com

    // Products & data scope

    StackAI Multi-Tenant CloudAI workflow platform (shared cloud)

    data: Customer workflow data, documents, and query inputs processed in shared infrastructure. AES-256 at rest, TLS 1.3 in transit. No AI model training on customer data.

    Free tier (500 runs/month, 2 projects, 1 seat) and Enterprise tier available. SSO, HIPAA BAA, and compliance features are enterprise-only.

    StackAI VPC DeploymentAI workflow platform (dedicated cloud)

    data: Customer data remains in a dedicated Virtual Private Cloud. Enables stronger data isolation for regulated industries.

    Enterprise tier only. Suitable for customers needing network-level data segregation.

    StackAI On-Premise / Air-GappedAI workflow platform (self-hosted)

    data: All data stays within the customer's own infrastructure. Maximum data control and sovereignty.

    Enterprise tier only. Suitable for government, defense, and highly regulated environments.

    // What to watch

    • OVER-CLAIM: StackAI's homepage, security page, and solutions pages list HIPAA alongside SOC 2 Type II and ISO 27001 under the heading 'OUR CERTIFICATIONS'. HIPAA is a US federal regulation, not an auditable certification product. Their own blog post correctly describes it as 'audited against HIPAA standards.' The Trust Center's formal compliance section lists only SOC 2 Type II and ISO 27001. AIFOXX should display this as 'HIPAA-compliant (BAA available)' rather than implying a formal HIPAA certification.
    • OVER-CLAIM: GDPR is similarly labeled a 'certification' in marketing copy. GDPR is an EU regulation; compliance posture is not the same as certification. Correctly describe as 'GDPR compliant' or 'GDPR data processing posture.'
    • CORPORATE EVENT: Asana, Inc. acquired Stack AI, Inc. on May 28, 2026 for approximately $75M. StackAI continues to operate as its own brand post-acquisition, but data handling agreements, SLAs, and compliance boundaries may change as integration progresses. Buyers in regulated sectors should verify current BAA and DPA status with the vendor directly.
    • AUDIT CURRENCY: StackAI's own blog (https://www.stackai.com/blog/soc2-type2-hipaa) states the SOC 2 Type II audit covered March 1 to May 31, 2024 and was conducted by Modern Assurance, which is over two years before this assessment date (June 27, 2026). Note: the Trust Center itself does not publish the audit period or auditor name, so this detail is sourced from the blog, not the Trust Center. No evidence of a subsequent renewal audit was found. Buyers should request the current report and confirm the audit period when evaluating.

    // At a glance

    Pricing model

    Freemium + Enterprise (custom); Free: 500 runs/month, 2 projects, 1 seat; Enterprise: custom runs, unlimited projects, custom seats, dedicated infrastructure

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Stack AI, Inc. (acquired by Asana, Inc., May 2026)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.stackai.com

    > Browse all vendor trust reports