// Trust & Security Report
tawk.to, inc.
Free live-chat widget and customer-messaging platform (Live Chat, Ticketing, Knowledge Base, AI Assist chat bot beta), plus adjacent paid services: Video + Voice add-on, In-Chat Payments, hired Virtual Assistants, and a separately-branded FieldWorker product for field-service/social-work case management.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on tawk.to“'We have submitted our self-certification for the EU-U.S, UK-US and Swiss-U.S. Data Privacy Frameworks' and tawk.to is 'registered with the Information Commissioner's Office (ICO) in the United Kingdom.' A signable Data Processing Addendum is offered: 'This tawk.to Data Processing Addendum ("DPA") is between tawk.to Inc., a US corporation...and the customer' incorporating Standard Contractual Clauses and a UK Addendum for transfers.”
> Show 7 unconfirmed / not-held certifications
source: tawk.toNo public evidence. tawk.to's Data Protection, Privacy Policy, GDPR, FERPA, DPA, Terms of Service and Legal pages contain no mention of SOC 2. A community feature request from July 2024 ('Obtaining Trusted Security Certification(s)') on tawk.to's own community forum explicitly asks tawk.to to obtain SOC 2 or ISO 27001, indicating it was not held as of that request.
source: tawk.toNo public evidence on any tawk.to-owned page. Third-party integration/partner pages reference ISO certifications belonging to tawk.to's partners (e.g. 'Aberame Pty Ltd'), not to tawk.to itself; those do not count as tawk.to's own certification.
source: tawk.toNo HIPAA claim for the core live-chat platform on any tawk.to page. The only HIPAA-adjacent content is for the separate Virtual Assistant hiring service: 'tawk.to will either source a Virtual Assistant (VA) who is already HIPAA compliant or will bear the cost for the VA to complete HIPAA certification' -- this describes training/certifying individual hired staff, not a platform-level HIPAA compliance program or BAA offering.
source: tawk.toNo public evidence. Not mentioned on Data Protection, Privacy Policy, GDPR, FERPA, DPA, or Terms of Service pages, despite the product advertising an 'In-Chat Payments (beta)' feature on the homepage.
source: tawk.totawk.to states a compliance posture ('any academic institution... must assess for itself whether... its use of a cloud service affects its ability to comply with FERPA') but explicitly notes FERPA 'does not require or recognize audits or other certifications', so this is a stated posture, not a certification.
source: tawk.toNo public evidence of an AI-governance certification anywhere on tawk.to's own domain, despite the vendor now shipping an AI chat-bot feature ('AI Assist').
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States. Privacy Policy: 'We are located in the United States and we do all processing in the United States. Therefore, we may transfer your personal information outside of the country in which it was collected.'
AI Assist (beta) is scoped per-customer: it answers using 'content from your tawk.to knowledgebase as well as plain text' the customer supplies, and the help center warns 'Only upload or connect data that you are comfortable sharing with AI for customer support purposes.' Neither the Privacy Policy, Terms of Service, nor the AI Assist product page states whether shared/foundation AI models are trained on customer chat data, what the AI provider is, retention periods, or an opt-out mechanism. The DPA's subprocessor list (Annex II) includes OpenAI alongside AWS, Google Cloud, Digital Ocean and Twilio, meaning some customer data likely flows to a third-party AI provider for AI Assist processing -- but no vendor page confirms or denies training use. Treated as unconfirmed/unclear rather than asserted either way.
// Security controls
Encryption in transit
TLS 1.2 for all data in transit; all chat communication over SHA-256 SSL.
tawk.toHosting infrastructure
Runs on Google Cloud Services, AWS and Digital Ocean; page notes these providers have 'both physical and technological safeguards' -- this describes the hosts' infrastructure controls, not a tawk.to-held certification.
tawk.toData ownership
Customer/site-owner is stated to own the chat and visitor data collected through their property: 'you are the owner of this data.'
tawk.toSub-processor transparency
Publishes a sub-processor list and requires 10 days' advance notice before adding new subprocessors, with a customer right to object.
tawk.to// Products & data scope
data: Website visitor identity/contact info, chat transcripts, page-visit and search activity; free tier, unlimited agents and history.
The '100% free forever' core product; no cert program published for this product.
data: Customer-supplied knowledge base articles and plain text used as the answer source for a per-account AI agent.
OpenAI appears as a listed DPA subprocessor; no vendor page states whether chat content is used for model training or how long it is retained.
data: Call/video streams; payment data for in-chat payments.
No PCI DSS statement found despite the payments feature.
data: Varies by engagement; may include health-related data for Health Services VAs.
HIPAA compliance, where claimed, applies to the individual VA's certification/training for a specific engagement, not to the tawk.to platform as a whole.
data: Field-service and social-work case records.
Marketed by a tawk.to-affiliated help site as 'designed to ensure full HIPAA-compliance'; this is a distinct product from core Live Chat and was not independently verified in this review -- flagged for separate assessment if listed.
// What to watch
- No SOC 2, ISO 27001, HIPAA, or PCI DSS evidence on any tawk.to-owned page; tawk.to's own community forum shows a July 2024 user request asking the company to obtain SOC 2 or ISO 27001, consistent with these not being held.
- Third-party (non-vendor-domain) marketing content circulating online claims tawk.to runs on 'SOC 2 Type II, ISO 27001, GDPR and HIPAA certified infrastructure' -- this could not be fetched/verified and, if it refers to AWS/Google Cloud's own certifications, would be a host-vs-vendor conflation, not a tawk.to certification. Not used as evidence here; flagged for the advisor to watch for this specific over-claim if it surfaces in vendor-submitted copy.
- AI Assist (beta) data-training and retention practices are not documented on any vendor page; OpenAI is listed as a DPA subprocessor with no accompanying customer-facing explanation of how chat/knowledge-base content is used or whether an opt-out exists.
- In-Chat Payments (beta) is advertised with no accompanying PCI DSS statement.
- HIPAA language exists only for the ancillary Virtual Assistant staffing service and the separately branded FieldWorker product, not for the core Live Chat platform -- listing should not imply the main product is HIPAA-eligible.
- No dedicated trust center or security-certifications page found on tawk.to's domain; security posture had to be pieced together from Data Protection, FERPA, GDPR, DPA and Privacy Policy pages.
// At a glance
Pricing model
Freemium: core live chat, ticketing and knowledge base are free with unlimited agents; paid add-ons for video/voice, hired VAs, and other premium services.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on tawk.to, inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
tawk.to