// Trust & Security Report
ToolJet Solutions, Inc.
AI-native low-code platform for building internal enterprise apps, AI agents, and workflows. Available as ToolJet Cloud (hosted SaaS), self-hosted / on-premise deployment (Docker, Kubernetes, air-gapped), and an open-source core (ToolJet on GitHub) that underlies the commercial "ToolJet AI" enterprise offering.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.tooljet.com“Compliances: ISO 27001 v2022 - Compliant; ISO 27001 - Compliant”
> Show 5 unconfirmed / not-held certifications
source: docs.tooljet.comNo public evidence of a HIPAA certification or signed BAA program. HIPAA is not mentioned anywhere in ToolJet's own compliance documentation (docs.tooljet.com/docs/security/compliance/ lists only SOC 2 Type II, GDPR, and ISO 27001; HIPAA is absent, not affirmatively disclaimed). One third-party summary mentions SSO 'with HIPAA support' but this refers to identity/access controls, not a HIPAA attestation or BAA offering.
source: trust.tooljet.comNo public evidence. Not mentioned on the trust center, compliance docs, or enterprise security page.
source: trust.tooljet.comNo public evidence. Not listed among the trust center's Compliances (ISO 27001 v2022, SOC 2, GDPR, ISO 27001 only).
source: trust.tooljet.comNo public evidence found on the trust center or vendor documentation.
source: trust.tooljet.comNo public evidence found; not referenced anywhere in vendor-owned pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
No fixed region guarantee for the standard offering: privacy policy states 'ToolJet may transfer and/or store Information it collects in any country.' Self-hosted/on-premise and enterprise deployments let customers pin data to their own infrastructure/region (AWS, Azure, GCP, or air-gapped), per the enterprise-security and home pages.
Privacy policy states: 'We do not use any customer data - whether personal, behavioral, or usage-related - to train, fine-tune, or otherwise improve our AI models or underlying technology.' The enterprise-security page separately advertises 'DPA and data residency commitments' as part of its enterprise trust features, indicating a DPA is offered (likely to paid/enterprise customers on request rather than universally self-serve).
// Security controls
SSO / Identity
SAML 2.0, OpenID Connect, OAuth2, LDAP; supports Okta, Azure AD, Google Workspace, Auth0, Ping, Keycloak; SSO-only enforcement and MFA via IdP; SCIM/group sync
tooljet.comAccess control
RBAC with app-level and page-level granular permissions; scoped access for datasources and secrets
tooljet.comDeployment isolation options
Self-hosted / on-premise / air-gapped deployment options in addition to ToolJet Cloud; customer controls where infrastructure and data live
tooljet.com// Products & data scope
data: Customer app data, connected datasource credentials, and end-user data hosted on ToolJet's cloud infrastructure (AWS/Azure/GCP per enterprise page); subject to trust center compliance posture (SOC 2, ISO 27001, GDPR).
Default offering for most customers; data residency not fixed by default per privacy policy.
data: All application and end-user data stays entirely within the customer's own infrastructure; ToolJet has no access.
Marketed explicitly for compliance-sensitive buyers ('meet compliance requirements without compromising on speed... your data stays where your IT team wants it').
data: Fully self-hosted by the user; no vendor data handling at all.
Foundation of the commercial ToolJet AI enterprise product; 38k+ GitHub stars per home page.
data: May process prompts and connected data through AI/LLM integrations to generate apps, dashboards, and workflow logic.
Vendor states customer data is not used to train or fine-tune its AI models (see privacy policy); scope of any third-party LLM sub-processing was not independently documented on the pages captured.
// What to watch
- Trust center (trust.tooljet.com) returns HTTP 403 to automated fetches, so live cross-verification of exact SOC 2 type (I vs II) and current cert dates could not be done directly against that page in this session; SOC 2 Type II language was corroborated via ToolJet's own docs.tooljet.com compliance page and enterprise-security page, but no downloadable SOC 2 report or audit date/period was found on a public vendor page.
- Trust center lists 'ISO 27001 v2022 - Compliant' and a separate duplicate line 'ISO 27001 - Compliant' with no distinguishing detail; likely a rendering artifact of the trust-center widget (e.g.
- Two vendor domains in use (tooljet.com and tooljet.ai) for marketing vs. legal/privacy pages; content is consistent and both clearly refer to the same company and product, but the split is worth noting for anyone auditing the vendor's web presence.
- No HIPAA BAA or attestation found on any vendor-owned page; a third-party-derived summary referenced 'HIPAA support' in the context of SSO, which is not equivalent to a HIPAA compliance program and should not be represented as one.
// At a glance
Pricing model
Tiered SaaS pricing (self-serve) plus enterprise/self-hosted contracts; also offers guided 'forward deployed engineer' delivery for enterprise buyers
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ToolJet Solutions, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.tooljet.com