// Trust & Security Report

    WebEngage logo

    WebEngage

    Full-stack customer engagement and retention platform (Retention OS). Core capabilities: Customer Data Platform, Product & Revenue Analytics, Segmentation, Omnichannel Campaign Manager, Campaign Orchestration, Web Personalization, App Personalization, and Marketing Automation. Not a generative-AI product; personalization/automation is rules- and segmentation-driven rather than LLM-based on the evidence gathered.

    Certifications held

    7

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    WebEngage undergoes annual third-party audits to ensure our internal controls are designed and operated effectively, following industry standards such as SOC 2 and ISO 27001.

    Verify on webengage.com
    ISO 27001
    HELD

    ISO 27001:2013 certified ensuring highest data security standards.

    Verify on webengage.com
    ISO 27701 (Privacy Information Management)
    HELD

    Trust center Resources section lists a downloadable 'ISO 27701' compliance document alongside SOC2 Type 2, HIPAA, and ISO 27001.

    Verify on webengage.trust.site
    HIPAA
    HELD

    WebEngage has achieved full HIPAA compliance ... engaged independent third-party auditors for validation and improvement. Uses AES-256 encryption and TLS for data in transit, with role-based access controls.

    Verify on webengage.com
    GDPR (posture, not a certification)
    HELD

    WebEngage is GDPR compliant and takes necessary steps to ensure customer privacy.

    Verify on webengage.com
    RBI SAR (India System Audit Report - fintech)
    HELD

    Trust center lists 'RBI SAR' as 'Compliant' alongside SOC 2, ISO 27001, ISO 27701, GDPR, HIPAA, and VAPT.

    Verify on webengage.trust.site
    VAPT (Vulnerability Assessment & Penetration Testing)
    HELD

    Resources section lists a downloadable 'Vulnerability Assessment Report'; trust center marks VAPT as 'Compliant'.

    Verify on webengage.trust.site
    > Show 4 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS on the vendor's trust center, security page, or blog. WebEngage does not process payment card data as part of its core product.

    source: webengage.trust.site
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification. Not listed on trust center or security page, and no search result surfaced a vendor announcement.

    source: webengage.trust.site
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification.

    source: webengage.trust.site
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; WebEngage's stated data centers are US, India, and Saudi Arabia, with no federal-government-specific offering mentioned.

    source: docs.webengage.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Default US Data Center, with India Data Center (dashboard.in.webengage.com) and Saudi Arabia Data Center available by contractual agreement.

    No public statement found (privacy policy, terms, security page, or trust center) confirming or denying use of customer data to train AI/ML models. WebEngage's core product is a rules/segmentation-based customer engagement platform rather than a generative-AI product, so this is plausibly not applicable, but it is not explicitly addressed in any vendor-domain document reviewed. Graded null/unknown rather than assumed false.

    // Security controls

    Encryption in transit

    TLS protocols with SHA256 algorithms used to handle data communications; HIPAA blog additionally cites TLS for PHI in transit.

    webengage.com

    Encryption at rest

    AES-256 encryption for data at rest (stated specifically in the context of HIPAA-scoped PHI; general security page references 'advanced encryption' without naming the algorithm).

    webengage.com

    PII masking / hashing

    User contact information can be hashed; PII data can be masked.

    webengage.com

    Access control

    Role-based access control and maker-checker principles available; multi-factor authentication referenced in HIPAA context.

    webengage.com

    Audit logging

    All actions taken by an admin, across the dashboard, are logged for auditing.

    webengage.com

    Third-party audits

    Annual third-party audits of internal controls following SOC 2 and ISO 27001 standards; independent auditors engaged for HIPAA validation (auditor name not disclosed publicly).

    webengage.com

    // Products & data scope

    Customer Data PlatformData unification

    data: Consolidates customer data from multiple sources into a unified profile.

    Core data layer underlying segmentation and personalization features.

    Segmentation & AnalyticsAnalytics

    data: Behavioral and product-usage event data; cohort funnels, paths, RFM modeling.

    Rules/statistics-based, not described as AI-model-driven in vendor copy captured.

    Omnichannel Campaign Manager / OrchestrationMarketing automation

    data: Customer contact and behavioral-trigger data across email, push, SMS, WhatsApp, and other channels.

    Standard multi-channel messaging orchestration.

    Web & App PersonalizationPersonalization

    data: Behavioral and segmentation data used to customize on-site/in-app experiences.

    No evidence of generative-AI/LLM component; described as rule- and segment-driven.

    // What to watch

    • AI-training posture is unstated: no vendor-domain source (privacy policy, terms, security page, trust center) explicitly confirms or denies use of customer data for AI/ML model training, so trains_on_customer_data is graded null rather than assumed. Recommend follow-up with vendor before listing any AI-training claim.
    • Auditor identity not disclosed: SOC 2 Type 2, ISO 27001, ISO 27701, and HIPAA validation are asserted on vendor pages but the specific accredited auditor/certification body name was not found in the pages reviewed (documents are gated behind a request form on the trust center, https://webengage.trust.site/resources), so underlying audit reports could not be independently inspected.
    • RBI SAR is an India-specific financial-sector audit standard, listed by the vendor as 'Compliant' but not independently verifiable without the gated document; included for completeness but should be understood as narrower/regional in scope.

    // At a glance

    Pricing model

    Enterprise SaaS subscription (demo-gated; pricing not publicly listed).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on WebEngage's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    webengage.trust.site

    > Browse all vendor trust reports