// Trust & Security Report
Teamwork.com (Teamwork Crew Limited)
Professional Services Automation (PSA) / project, resource and financial management platform, plus TeamworkAI and helpdesk/chat/docs products
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on teamwork.com“Our security certifications ... ISO/IEC 27001:2022 SOC 2 Type 2 certified”
Verify on teamwork.com“Our security certifications ... ISO/IEC 27001:2022 SOC 2 Type 2 certified”
Verify on teamwork.com“This Privacy Notice was last updated on 19th August 2024, and is published in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR").”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS hosting in the US and the EU ('Our servers are with Amazon Web Services AWS and are hosted within the US and the EU.'). Controller for the websites is Teamwork Crew Limited, based in Cork, Ireland; a Data Protection Officer is appointed (dpo@teamwork.com).
Vendor AI legal policy states verbatim: 'No data is used to train language models.' and 'Data sent for A.I. processing is discarded upon completion of the specific request.' The homepage also states data is 'never used to train third-party models.' AI features are powered by OpenAI LLMs across the platform and by the Anthropic Claude 3.5 Haiku model in Teamwork Desk; 'No personally identifiable information is passed to any third-party A.I. provider.' AI features are opt-out via Customer Support. The optional TeamworkAI MCP server connection is OAuth-secured and scoped to the connected user's permissions.
// Security controls
Hosting / infrastructure
Amazon Web Services (AWS), US and EU regions; physical security via Amazon-controlled data centers
teamwork.comServer access control
'Only certain members of our team have authorization to access the servers.'
teamwork.comVulnerability disclosure / bug bounty
Public HackerOne Vulnerability Disclosure Policy (VDP) program at hackerone.com/teamwork_com. Listed as a vulnerability disclosure program; paid bounty tier not confirmed.
hackerone.comPenetration testing
unknown - not stated verbatim on the public security page; typically evidenced inside SOC 2 / ISO 27001 reports available on request
teamwork.comData ownership / encryption
'Every byte of information that you store with us is owned by you.' Privacy notice references 'encrypting messages exchanged on our platform.' Specific encryption-at-rest/in-transit standards not quoted on public page.
teamwork.com// Products & data scope
data: Customer project, task, time-tracking, billing/financial and resource data; Identity, Contact, Financial, Technical, Usage and Customer Support data per privacy notice. AWS US/EU. Teamwork acts as data processor for customer-input data.
SOC 2 Type 2 and ISO 27001:2022 covered. Primary B2B product, 20,000+ companies across 140+ countries.
data: Uses project data to generate insights and take actions within the account; sends data to OpenAI LLMs for processing, discarded after each request; no PII passed to third-party AI providers; no training on customer data. MCP server is OAuth-secured and permission-scoped.
Opt-out available via Customer Support. Connects to external models (Claude, ChatGPT, Copilot, Gemini) via MCP.
data: Support ticket and customer interaction data. AI features in Desk use the Anthropic Claude 3.5 Haiku model; same no-training, request-discarded policy applies.
Distinct AI provider (Anthropic) vs OpenAI used elsewhere on the platform.
data: Team chat messages and presence data within the customer account.
Part of the suite; same overarching privacy/security posture.
data: Customer-authored documents and collaboration content.
Part of the suite; same overarching privacy/security posture.
// What to watch
- Strong, verifiable enterprise posture: SOC 2 Type 2 + ISO 27001:2022 confirmed by direct quote on vendor's own security page.
- Clear, favorable AI data-use stance: 'No data is used to train language models'; AI request data discarded after processing; no PII to third-party AI providers.
- Multi-provider AI: OpenAI LLMs platform-wide, Anthropic Claude 3.5 Haiku in Teamwork Desk. Worth surfacing for buyers with provider-specific data policies.
- Trust portal subdomains (trust./security./compliance.teamwork.com) returned a Teamwork Projects login error during capture, not a live trust center; the public /security page is the working source. Detailed audit reports (SOC 2/ISO) appear gated to request/NDA.
- HackerOne presence is a Vulnerability Disclosure Policy; paid bug-bounty tier and formal pen-test cadence not publicly quoted (typically inside the gated reports).
// At a glance
Pricing model
Subscription SaaS (tiered paid plans, 30-day free trial, no credit card required)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Teamwork.com (Teamwork Crew Limited)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
teamwork.com