// Trust & Security Report
Tidio
Tidio customer service platform (Lyro AI Agent, Help Desk, Live Chat, Flows)
Certifications held
6
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.tidio.com“Tidio has successfully completed its SOC 2 Type II audit (covering Security, Availability, and Confidentiality criteria). On the public security page: "We have successfully completed our SOC 2® examination, reinforcing our focus on protecting customer data." The SOC 2 Type 2 report is listed as an available document in the Trust Center, audited by A-LIGN (announced 14 Oct 2025).”
Verify on tidio.com“"Personal data is handled according to the latest GDPR and CCPA laws." Tidio also states all data is stored on servers in the European Economic Area and a DPA + Standard Contractual Clauses are available on request.”
Verify on tidio.com“"Personal data is handled according to the latest GDPR and CCPA laws." CPRA also listed in the Trust Center compliance set.”
Verify on trust.tidio.com“Trust Center lists "EU-US Data Privacy Framework (DPF)" as a compliance certification, providing an approved transfer mechanism for trans-Atlantic data flows (EU-US, UK Extension, Swiss-US).”
Verify on trust.tidio.com“"Tidio has successfully completed penetration testing, confirming our commitment to ensuring the highest level of data security." A 2025 Pentest Report is listed as an available document in the Trust Center.”
Verify on tidio.com“"Make secure payments for all your Tidio acquisitions through Stripe." Payment card processing is delegated to Stripe (PCI-DSS); Tidio does not store raw card data ("card tokens are irreversibly hashed").”
> Show 2 unconfirmed / not-held certifications
source: trust.tidio.comNo mention of ISO 27001 on the Tidio security page, Trust Center, or FAQ. Not claimed by the vendor.
source: tidio.comNo HIPAA claim or BAA offering found on any Tidio page. Not a healthcare-positioned product.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
European Economic Area (EEA). FAQ: "All our data is stored on servers located in member countries of the European Economic Area." Hosted on AWS. Cross-border transfers covered by EU-US DPF + SCCs.
Lyro AI Agent is powered by Claude (Anthropic), per Tidio FAQ: "Tidio uses Claude by Anthropic AI to power Lyro." Lyro answers only from the customer's own uploaded knowledge base, not the open web: "Lyro works exclusively with the information you provide... it won't generate random responses or draw from web-based data." Tidio states customer conversations are not used to train public AI models and are not shared with third parties to train other AIs. The product can be improved over time via human-reviewed knowledge-gap suggestions that require customer approval, not automatic model retraining.
// Security controls
Encryption in transit
TLS 1.2+ with 256-bit SSL across all connections (widget, panel, API). "All connections to Tidio servers are encrypted with TLS protocol."
tidio.comEncryption at rest
AES-256 disk-level encryption. "Your data is encrypted at rest, shielding it from unauthorized access."
tidio.comCredential storage
"Password and credentials are stored as strong hashed values"; card tokens irreversibly hashed (one-way).
tidio.comTwo-factor authentication
2FA via authenticator app (e.g. Google Authenticator) supported for team logins.
tidio.comVulnerability disclosure
Responsible disclosure program with safe-harbor protection for good-faith research. No public paid bug-bounty platform (HackerOne/Bugcrowd) confirmed; report via security@tidio.net.
trust.tidio.comAvailable compliance documents
SOC 2 Type II report, 2025 Pentest report, HECVAT Lite, subprocessor list, DPA/SCCs (on request) - via Trust Center / privacy@tidio.net.
trust.tidio.com// Products & data scope
data: Ingests customer-provided knowledge base (site content, FAQs, uploaded docs) and end-user chat messages. Powered by Anthropic Claude. Answers restricted to provided knowledge; conversations not used to train public models. Supports MCP / Smart Actions with scoped, authenticated, auditable external calls.
Core AI product. End-user PII may flow through chats; covered by GDPR posture, EEA hosting, and SOC 2 scope.
data: Visitor messages, contact details, and agent conversations. Standard PII handling under GDPR/CCPA; encrypted in transit and at rest.
Human-agent channel; same security controls as the platform.
data: Support tickets, customer contact data, conversation history across channels.
Team/enterprise tier feature.
data: Visitor interaction data, lead-capture form fields, behavioral triggers used for routing and lead gen.
Rule-based automation; collects lead/contact data.
// What to watch
- SOC 2 is Type II (stronger than Type 1), audited by A-LIGN, announced Oct 2025 - scope: Security, Availability, Confidentiality.
- No ISO 27001 and no HIPAA/BAA - acceptable for an SMB-focused product but a gap for regulated-industry buyers.
- Vulnerability handling is a responsible-disclosure program with safe harbor, not a public paid bug-bounty (no HackerOne/Bugcrowd confirmed).
- Lyro runs on Anthropic Claude; data stays in EEA and is not used to train public models - a positive privacy posture for an AI chatbot.
// At a glance
Pricing model
Freemium SaaS subscription. Free plan (no credit card) plus paid tiers (Starter/Growth/Plus/Premium) and usage-based Lyro AI conversation add-ons; custom enterprise pricing via sales.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tidio's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.tidio.com