// Trust & Security Report

    ToolJet Solutions, Inc. logo

    ToolJet Solutions, Inc.

    AI-native low-code platform for building internal enterprise apps, AI agents, and workflows. Available as ToolJet Cloud (hosted SaaS), self-hosted / on-premise deployment (Docker, Kubernetes, air-gapped), and an open-source core (ToolJet on GitHub) that underlies the commercial "ToolJet AI" enterprise offering.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliances: SOC 2 - Compliant

    Verify on trust.tooljet.com
    ISO 27001
    HELD

    Compliances: ISO 27001 v2022 - Compliant; ISO 27001 - Compliant

    Verify on trust.tooljet.com
    GDPR (posture)
    HELD

    Compliances: GDPR - Compliant

    Verify on trust.tooljet.com
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of a HIPAA certification or signed BAA program. HIPAA is not mentioned anywhere in ToolJet's own compliance documentation (docs.tooljet.com/docs/security/compliance/ lists only SOC 2 Type II, GDPR, and ISO 27001; HIPAA is absent, not affirmatively disclaimed). One third-party summary mentions SSO 'with HIPAA support' but this refers to identity/access controls, not a HIPAA attestation or BAA offering.

    source: docs.tooljet.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not mentioned on the trust center, compliance docs, or enterprise security page.

    source: trust.tooljet.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not listed among the trust center's Compliances (ISO 27001 v2022, SOC 2, GDPR, ISO 27001 only).

    source: trust.tooljet.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on the trust center or vendor documentation.

    source: trust.tooljet.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; not referenced anywhere in vendor-owned pages.

    source: trust.tooljet.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    No fixed region guarantee for the standard offering: privacy policy states 'ToolJet may transfer and/or store Information it collects in any country.' Self-hosted/on-premise and enterprise deployments let customers pin data to their own infrastructure/region (AWS, Azure, GCP, or air-gapped), per the enterprise-security and home pages.

    Privacy policy states: 'We do not use any customer data - whether personal, behavioral, or usage-related - to train, fine-tune, or otherwise improve our AI models or underlying technology.' The enterprise-security page separately advertises 'DPA and data residency commitments' as part of its enterprise trust features, indicating a DPA is offered (likely to paid/enterprise customers on request rather than universally self-serve).

    // Security controls

    Encryption in transit

    TLS 1.2+/1.3, HSTS and modern ciphers ('TLS everywhere')

    tooljet.com

    Encryption at rest

    Data encrypted at rest

    tooljet.com

    SSO / Identity

    SAML 2.0, OpenID Connect, OAuth2, LDAP; supports Okta, Azure AD, Google Workspace, Auth0, Ping, Keycloak; SSO-only enforcement and MFA via IdP; SCIM/group sync

    tooljet.com

    Access control

    RBAC with app-level and page-level granular permissions; scoped access for datasources and secrets

    tooljet.com

    Audit logging

    Audit log retention windows with export to SIEM

    tooljet.com

    Penetration testing

    Regular third-party penetration testing

    tooljet.com

    Deployment isolation options

    Self-hosted / on-premise / air-gapped deployment options in addition to ToolJet Cloud; customer controls where infrastructure and data live

    tooljet.com

    IP allowlisting

    IP whitelisting available (enterprise tier)

    tooljet.com

    // Products & data scope

    ToolJet CloudHosted SaaS low-code app builder

    data: Customer app data, connected datasource credentials, and end-user data hosted on ToolJet's cloud infrastructure (AWS/Azure/GCP per enterprise page); subject to trust center compliance posture (SOC 2, ISO 27001, GDPR).

    Default offering for most customers; data residency not fixed by default per privacy policy.

    Self-hosted / On-premise ToolJetSelf-managed deployment (Docker/Kubernetes, air-gapped supported)

    data: All application and end-user data stays entirely within the customer's own infrastructure; ToolJet has no access.

    Marketed explicitly for compliance-sensitive buyers ('meet compliance requirements without compromising on speed... your data stays where your IT team wants it').

    Open-source ToolJet (core)Open-source low-code framework (GitHub)

    data: Fully self-hosted by the user; no vendor data handling at all.

    Foundation of the commercial ToolJet AI enterprise product; 38k+ GitHub stars per home page.

    ToolJet AI Agents / WorkflowsAI-powered automation layer (agents, natural-language app generation)

    data: May process prompts and connected data through AI/LLM integrations to generate apps, dashboards, and workflow logic.

    Vendor states customer data is not used to train or fine-tune its AI models (see privacy policy); scope of any third-party LLM sub-processing was not independently documented on the pages captured.

    // What to watch

    • Trust center (trust.tooljet.com) returns HTTP 403 to automated fetches, so live cross-verification of exact SOC 2 type (I vs II) and current cert dates could not be done directly against that page in this session; SOC 2 Type II language was corroborated via ToolJet's own docs.tooljet.com compliance page and enterprise-security page, but no downloadable SOC 2 report or audit date/period was found on a public vendor page.
    • Trust center lists 'ISO 27001 v2022 - Compliant' and a separate duplicate line 'ISO 27001 - Compliant' with no distinguishing detail; likely a rendering artifact of the trust-center widget (e.g.
    • Two vendor domains in use (tooljet.com and tooljet.ai) for marketing vs. legal/privacy pages; content is consistent and both clearly refer to the same company and product, but the split is worth noting for anyone auditing the vendor's web presence.
    • No HIPAA BAA or attestation found on any vendor-owned page; a third-party-derived summary referenced 'HIPAA support' in the context of SSO, which is not equivalent to a HIPAA compliance program and should not be represented as one.

    // At a glance

    Pricing model

    Tiered SaaS pricing (self-serve) plus enterprise/self-hosted contracts; also offers guided 'forward deployed engineer' delivery for enterprise buyers

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ToolJet Solutions, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.tooljet.com

    > Browse all vendor trust reports