// Trust & Security Report

    Tidio logo

    Tidio

    Tidio customer service platform (Lyro AI Agent, Help Desk, Live Chat, Flows)

    Certifications held

    6

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Tidio has successfully completed its SOC 2 Type II audit (covering Security, Availability, and Confidentiality criteria). On the public security page: "We have successfully completed our SOC 2® examination, reinforcing our focus on protecting customer data." The SOC 2 Type 2 report is listed as an available document in the Trust Center, audited by A-LIGN (announced 14 Oct 2025).

    Verify on trust.tidio.com
    GDPR
    HELD

    "Personal data is handled according to the latest GDPR and CCPA laws." Tidio also states all data is stored on servers in the European Economic Area and a DPA + Standard Contractual Clauses are available on request.

    Verify on tidio.com
    CCPA / CPRA
    HELD

    "Personal data is handled according to the latest GDPR and CCPA laws." CPRA also listed in the Trust Center compliance set.

    Verify on tidio.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Trust Center lists "EU-US Data Privacy Framework (DPF)" as a compliance certification, providing an approved transfer mechanism for trans-Atlantic data flows (EU-US, UK Extension, Swiss-US).

    Verify on trust.tidio.com
    Penetration testing (annual, third-party)
    HELD

    "Tidio has successfully completed penetration testing, confirming our commitment to ensuring the highest level of data security." A 2025 Pentest Report is listed as an available document in the Trust Center.

    Verify on trust.tidio.com
    PCI-DSS (payment handling via Stripe)
    HELD

    "Make secure payments for all your Tidio acquisitions through Stripe." Payment card processing is delegated to Stripe (PCI-DSS); Tidio does not store raw card data ("card tokens are irreversibly hashed").

    Verify on tidio.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 on the Tidio security page, Trust Center, or FAQ. Not claimed by the vendor.

    source: trust.tidio.com
    HIPAA
    NOT CONFIRMED

    No HIPAA claim or BAA offering found on any Tidio page. Not a healthcare-positioned product.

    source: tidio.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    European Economic Area (EEA). FAQ: "All our data is stored on servers located in member countries of the European Economic Area." Hosted on AWS. Cross-border transfers covered by EU-US DPF + SCCs.

    Lyro AI Agent is powered by Claude (Anthropic), per Tidio FAQ: "Tidio uses Claude by Anthropic AI to power Lyro." Lyro answers only from the customer's own uploaded knowledge base, not the open web: "Lyro works exclusively with the information you provide... it won't generate random responses or draw from web-based data." Tidio states customer conversations are not used to train public AI models and are not shared with third parties to train other AIs. The product can be improved over time via human-reviewed knowledge-gap suggestions that require customer approval, not automatic model retraining.

    // Security controls

    Encryption in transit

    TLS 1.2+ with 256-bit SSL across all connections (widget, panel, API). "All connections to Tidio servers are encrypted with TLS protocol."

    tidio.com

    Encryption at rest

    AES-256 disk-level encryption. "Your data is encrypted at rest, shielding it from unauthorized access."

    tidio.com

    Credential storage

    "Password and credentials are stored as strong hashed values"; card tokens irreversibly hashed (one-way).

    tidio.com

    Two-factor authentication

    2FA via authenticator app (e.g. Google Authenticator) supported for team logins.

    tidio.com

    Access control

    Roles & permissions to restrict access per user.

    tidio.com

    Infrastructure

    AWS cloud infrastructure with encrypted backups.

    tidio.com

    Vulnerability disclosure

    Responsible disclosure program with safe-harbor protection for good-faith research. No public paid bug-bounty platform (HackerOne/Bugcrowd) confirmed; report via security@tidio.net.

    trust.tidio.com

    Available compliance documents

    SOC 2 Type II report, 2025 Pentest report, HECVAT Lite, subprocessor list, DPA/SCCs (on request) - via Trust Center / privacy@tidio.net.

    trust.tidio.com

    // Products & data scope

    Lyro AI AgentAI customer support agent (LLM chatbot)

    data: Ingests customer-provided knowledge base (site content, FAQs, uploaded docs) and end-user chat messages. Powered by Anthropic Claude. Answers restricted to provided knowledge; conversations not used to train public models. Supports MCP / Smart Actions with scoped, authenticated, auditable external calls.

    Core AI product. End-user PII may flow through chats; covered by GDPR posture, EEA hosting, and SOC 2 scope.

    Live ChatLive chat / messaging widget

    data: Visitor messages, contact details, and agent conversations. Standard PII handling under GDPR/CCPA; encrypted in transit and at rest.

    Human-agent channel; same security controls as the platform.

    Help DeskTicketing / shared inbox

    data: Support tickets, customer contact data, conversation history across channels.

    Team/enterprise tier feature.

    FlowsNo-code automation / chatbot flows

    data: Visitor interaction data, lead-capture form fields, behavioral triggers used for routing and lead gen.

    Rule-based automation; collects lead/contact data.

    // What to watch

    • SOC 2 is Type II (stronger than Type 1), audited by A-LIGN, announced Oct 2025 - scope: Security, Availability, Confidentiality.
    • No ISO 27001 and no HIPAA/BAA - acceptable for an SMB-focused product but a gap for regulated-industry buyers.
    • Vulnerability handling is a responsible-disclosure program with safe harbor, not a public paid bug-bounty (no HackerOne/Bugcrowd confirmed).
    • Lyro runs on Anthropic Claude; data stays in EEA and is not used to train public models - a positive privacy posture for an AI chatbot.

    // At a glance

    Pricing model

    Freemium SaaS subscription. Free plan (no credit card) plus paid tiers (Starter/Growth/Plus/Premium) and usage-based Lyro AI conversation add-ons; custom enterprise pricing via sales.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tidio's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.tidio.com

    > Browse all vendor trust reports