// Trust & Security Report
Upstash, Inc.
Serverless data platform: Upstash Redis (key-value store), Upstash Vector (vector database), QStash (serverless message queue/scheduler), and Workflow (durable workflow orchestration built on QStash)
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.upstash.com“Compliance / SOC 2 Type II ... Controls / Infrastructure security / Organizational security / Product security / Internal security procedures (trust.upstash.com Compliance tab); Upstash's own docs state: "Upstash Redis databases under Pro and Enterprise support plans are SOC2 compliant."”
Verify on trust.upstash.com“Compliance section of trust.upstash.com lists "GDPR" alongside SOC 2 Type II, HIPAA, and DPF; Upstash's Data Processing Addendum (DPA) implements GDPR-required processing terms, subprocessor DPAs, and Standard Contractual Clauses for international transfers.”
Verify on upstash.com“"Upstash Redis is HIPAA compliant and we are in process of getting this compliance for our other products." (scoped to the Redis product only; Vector, QStash and Workflow are not yet covered)”
Verify on trust.upstash.com“"Data Privacy Framework (DPF)" listed under Compliance on trust.upstash.com; the Upstash DPA states Upstash complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.”
> Show 6 unconfirmed / not-held certifications
source: upstash.comUpstash's compliance documentation states: "We are in process of getting this certification." ISO 27001 is not listed under the Compliance section of the live trust center (trust.upstash.com), which lists only SOC 2 Type II, GDPR, HIPAA, and Data Privacy Framework (DPF).
source: trust.upstash.comNo public evidence Upstash itself holds PCI DSS. Upstash's compliance docs state it does not store credit card data directly and relies on Stripe, described as "a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry"; PCI DSS is not listed as an Upstash certification on the trust.upstash.com Compliance tab or the enterprise page.
source: trust.upstash.comNo public evidence. Not listed on trust.upstash.com Compliance tab or docs compliance page.
source: trust.upstash.comNo public evidence of ISO 42001 or any AI-governance-specific certification on trust.upstash.com or elsewhere on the vendor domain.
source: trust.upstash.comTrust center lists a "CAIQ v4.0.2 - Questionnaire" as a downloadable resource (a CSA Consensus Assessments Initiative Questionnaire, the basis for a STAR Level 1 self-assessment), but there is no confirmation Upstash is listed on the public CSA STAR Registry, and no STAR badge or certificate is shown.
source: trust.upstash.comNo public evidence. Not mentioned on trust.upstash.com, docs, or enterprise page.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Global multi-region hosting across AWS, GCP, Fly.io and Vercel Edge (home page: "Data is replicated across 8+ regions worldwide"); customers choose a primary region at database/resource creation, with optional multi-region read replicas. No single-region-only or EU-data-residency guarantee documented on the vendor site.
No explicit statement on any vendor-domain page (privacy policy, DPA, trust center, docs) confirming or denying training of AI/ML models on customer data. Upstash's products (Redis, Vector, QStash, Workflow) are data infrastructure, not an AI model provider, so this concern is lower-relevance than for LLM vendors, but no vendor denial was located, so this is graded unknown rather than assumed false.
// Security controls
Trust center platform
Dedicated trust center at trust.upstash.com listing Overview, Resources, Controls, Subprocessors, Updates, and Compliance tabs; access to full audit reports appears gated ("Request access").
trust.upstash.comEncryption
Trust center Controls list "Encryption key access restricted," "Portable media encrypted," and "Data encryption utilized" under Infrastructure/Organizational/Product security control categories.
trust.upstash.comSubprocessors
Disclosed subprocessors include Slack (chat/notifications), Google Workspace (email/office/analytics), Atlassian (alerting/statuspage), Intercom (customer support); subprocessor list is actively maintained (e.g. Cloudflare added for inference, Granola AI added, per Updates log).
trust.upstash.comPenetration testing
Trust center Product security controls list "Penetration testing performed."
trust.upstash.comIncident response / continuity
Trust center lists an "Incident Response Plan," a "Business Continuity and Disaster Recovery Plan," and states Continuity/DR plans are established and tested; cybersecurity insurance is maintained.
trust.upstash.comEnterprise access controls
SAML SSO and access logs are offered as Enterprise-tier features (not confirmed available on lower tiers).
upstash.comNetwork isolation (Enterprise)
VPC peering available; "VPC peering requires an Enterprise contract."
upstash.com// Products & data scope
data: Customer key-value data, session/cache data; HTTP/REST and Redis-protocol access
The only product with explicit SOC 2 Type II (Pro/Enterprise support plans) and HIPAA compliance confirmed by the vendor's own docs.
data: Vector embeddings and associated metadata used for AI/semantic search workloads
Not explicitly named in SOC 2 or HIPAA scope statements; per Upstash docs, non-Redis products' HIPAA compliance is "in process."
data: Queued message payloads and delivery metadata
Same compliance-scope caveat as Vector; covered by the general GDPR/DPA posture but not confirmed under SOC 2 or HIPAA.
data: Workflow state and step payloads
Newest product in the family; same compliance-scope caveat as Vector and QStash.
// What to watch
- Over-claim / internal contradiction: upstash.com/enterprise states the platform "complies with GDPR, SOC 2, HIPAA and ISO 27001," but Upstash's own compliance docs page (upstash.com/docs/common/help/compliance) states ISO 27001 is still "in process" and it is absent from the live trust center's Compliance list. Graded ISO 27001 as NOT held; the enterprise marketing page overstates status.
- SOC 2 Type II is explicitly scoped by the vendor to "Redis databases under Pro and Enterprise support plans" -- not confirmed for Vector, QStash, Workflow, or free-tier Redis.
- HIPAA is explicitly scoped to the Redis product only; the vendor states other products' HIPAA compliance is still in process.
- CSA CAIQ v4.0.2 questionnaire is offered as a trust-center resource but this is a self-assessment artifact, not confirmation of a public CSA STAR Registry listing; do not represent as a CSA STAR certification.
- Full audit reports/certificates behind the trust center require a "Request access" gate; only summary control statements were verifiable without a granted NDA-level account.
// At a glance
Pricing model
Freemium (free tier) plus usage-based pay-per-request pricing, fixed monthly plans, and custom Enterprise contracts
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Upstash, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.upstash.com