// Trust & Security Report

    Upstash, Inc. logo

    Upstash, Inc.

    Serverless data platform: Upstash Redis (key-value store), Upstash Vector (vector database), QStash (serverless message queue/scheduler), and Workflow (durable workflow orchestration built on QStash)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance / SOC 2 Type II ... Controls / Infrastructure security / Organizational security / Product security / Internal security procedures (trust.upstash.com Compliance tab); Upstash's own docs state: "Upstash Redis databases under Pro and Enterprise support plans are SOC2 compliant."

    Verify on trust.upstash.com
    GDPR
    HELD

    Compliance section of trust.upstash.com lists "GDPR" alongside SOC 2 Type II, HIPAA, and DPF; Upstash's Data Processing Addendum (DPA) implements GDPR-required processing terms, subprocessor DPAs, and Standard Contractual Clauses for international transfers.

    Verify on trust.upstash.com
    HIPAA
    HELD

    "Upstash Redis is HIPAA compliant and we are in process of getting this compliance for our other products." (scoped to the Redis product only; Vector, QStash and Workflow are not yet covered)

    Verify on upstash.com
    Data Privacy Framework (EU-US / UK / Swiss)
    HELD

    "Data Privacy Framework (DPF)" listed under Compliance on trust.upstash.com; the Upstash DPA states Upstash complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

    Verify on trust.upstash.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Upstash's compliance documentation states: "We are in process of getting this certification." ISO 27001 is not listed under the Compliance section of the live trust center (trust.upstash.com), which lists only SOC 2 Type II, GDPR, HIPAA, and Data Privacy Framework (DPF).

    source: upstash.com
    PCI DSS
    NOT CONFIRMED

    No public evidence Upstash itself holds PCI DSS. Upstash's compliance docs state it does not store credit card data directly and relies on Stripe, described as "a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry"; PCI DSS is not listed as an Upstash certification on the trust.upstash.com Compliance tab or the enterprise page.

    source: trust.upstash.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. Not listed on trust.upstash.com Compliance tab or docs compliance page.

    source: trust.upstash.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of ISO 42001 or any AI-governance-specific certification on trust.upstash.com or elsewhere on the vendor domain.

    source: trust.upstash.com
    CSA STAR
    NOT CONFIRMED

    Trust center lists a "CAIQ v4.0.2 - Questionnaire" as a downloadable resource (a CSA Consensus Assessments Initiative Questionnaire, the basis for a STAR Level 1 self-assessment), but there is no confirmation Upstash is listed on the public CSA STAR Registry, and no STAR badge or certificate is shown.

    source: trust.upstash.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not mentioned on trust.upstash.com, docs, or enterprise page.

    source: trust.upstash.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Global multi-region hosting across AWS, GCP, Fly.io and Vercel Edge (home page: "Data is replicated across 8+ regions worldwide"); customers choose a primary region at database/resource creation, with optional multi-region read replicas. No single-region-only or EU-data-residency guarantee documented on the vendor site.

    No explicit statement on any vendor-domain page (privacy policy, DPA, trust center, docs) confirming or denying training of AI/ML models on customer data. Upstash's products (Redis, Vector, QStash, Workflow) are data infrastructure, not an AI model provider, so this concern is lower-relevance than for LLM vendors, but no vendor denial was located, so this is graded unknown rather than assumed false.

    // Security controls

    Trust center platform

    Dedicated trust center at trust.upstash.com listing Overview, Resources, Controls, Subprocessors, Updates, and Compliance tabs; access to full audit reports appears gated ("Request access").

    trust.upstash.com

    Encryption

    Trust center Controls list "Encryption key access restricted," "Portable media encrypted," and "Data encryption utilized" under Infrastructure/Organizational/Product security control categories.

    trust.upstash.com

    Subprocessors

    Disclosed subprocessors include Slack (chat/notifications), Google Workspace (email/office/analytics), Atlassian (alerting/statuspage), Intercom (customer support); subprocessor list is actively maintained (e.g. Cloudflare added for inference, Granola AI added, per Updates log).

    trust.upstash.com

    Penetration testing

    Trust center Product security controls list "Penetration testing performed."

    trust.upstash.com

    Incident response / continuity

    Trust center lists an "Incident Response Plan," a "Business Continuity and Disaster Recovery Plan," and states Continuity/DR plans are established and tested; cybersecurity insurance is maintained.

    trust.upstash.com

    Enterprise access controls

    SAML SSO and access logs are offered as Enterprise-tier features (not confirmed available on lower tiers).

    upstash.com

    Network isolation (Enterprise)

    VPC peering available; "VPC peering requires an Enterprise contract."

    upstash.com

    // Products & data scope

    Upstash RedisServerless key-value / cache database

    data: Customer key-value data, session/cache data; HTTP/REST and Redis-protocol access

    The only product with explicit SOC 2 Type II (Pro/Enterprise support plans) and HIPAA compliance confirmed by the vendor's own docs.

    Upstash VectorVector database (embeddings/semantic search)

    data: Vector embeddings and associated metadata used for AI/semantic search workloads

    Not explicitly named in SOC 2 or HIPAA scope statements; per Upstash docs, non-Redis products' HIPAA compliance is "in process."

    QStashServerless message queue / scheduler

    data: Queued message payloads and delivery metadata

    Same compliance-scope caveat as Vector; covered by the general GDPR/DPA posture but not confirmed under SOC 2 or HIPAA.

    WorkflowDurable workflow orchestration (built on QStash)

    data: Workflow state and step payloads

    Newest product in the family; same compliance-scope caveat as Vector and QStash.

    // What to watch

    • Over-claim / internal contradiction: upstash.com/enterprise states the platform "complies with GDPR, SOC 2, HIPAA and ISO 27001," but Upstash's own compliance docs page (upstash.com/docs/common/help/compliance) states ISO 27001 is still "in process" and it is absent from the live trust center's Compliance list. Graded ISO 27001 as NOT held; the enterprise marketing page overstates status.
    • SOC 2 Type II is explicitly scoped by the vendor to "Redis databases under Pro and Enterprise support plans" -- not confirmed for Vector, QStash, Workflow, or free-tier Redis.
    • HIPAA is explicitly scoped to the Redis product only; the vendor states other products' HIPAA compliance is still in process.
    • CSA CAIQ v4.0.2 questionnaire is offered as a trust-center resource but this is a self-assessment artifact, not confirmation of a public CSA STAR Registry listing; do not represent as a CSA STAR certification.
    • Full audit reports/certificates behind the trust center require a "Request access" gate; only summary control statements were verifiable without a granted NDA-level account.

    // At a glance

    Pricing model

    Freemium (free tier) plus usage-based pay-per-request pricing, fixed monthly plans, and custom Enterprise contracts

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Upstash, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.upstash.com

    > Browse all vendor trust reports