// Trust & Security Report
WebEngage
Full-stack customer engagement and retention platform (Retention OS). Core capabilities: Customer Data Platform, Product & Revenue Analytics, Segmentation, Omnichannel Campaign Manager, Campaign Orchestration, Web Personalization, App Personalization, and Marketing Automation. Not a generative-AI product; personalization/automation is rules- and segmentation-driven rather than LLM-based on the evidence gathered.
Certifications held
7
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on webengage.com“WebEngage undergoes annual third-party audits to ensure our internal controls are designed and operated effectively, following industry standards such as SOC 2 and ISO 27001.”
Verify on webengage.com“ISO 27001:2013 certified ensuring highest data security standards.”
Verify on webengage.trust.site“Trust center Resources section lists a downloadable 'ISO 27701' compliance document alongside SOC2 Type 2, HIPAA, and ISO 27001.”
Verify on webengage.com“WebEngage has achieved full HIPAA compliance ... engaged independent third-party auditors for validation and improvement. Uses AES-256 encryption and TLS for data in transit, with role-based access controls.”
Verify on webengage.com“WebEngage is GDPR compliant and takes necessary steps to ensure customer privacy.”
Verify on webengage.trust.site“Trust center lists 'RBI SAR' as 'Compliant' alongside SOC 2, ISO 27001, ISO 27701, GDPR, HIPAA, and VAPT.”
Verify on webengage.trust.site“Resources section lists a downloadable 'Vulnerability Assessment Report'; trust center marks VAPT as 'Compliant'.”
> Show 4 unconfirmed / not-held certifications
source: webengage.trust.siteNo public evidence of PCI DSS on the vendor's trust center, security page, or blog. WebEngage does not process payment card data as part of its core product.
source: webengage.trust.siteNo public evidence of ISO 42001 certification. Not listed on trust center or security page, and no search result surfaced a vendor announcement.
source: webengage.trust.siteNo public evidence of CSA STAR registration or certification.
source: docs.webengage.comNo public evidence of FedRAMP authorization; WebEngage's stated data centers are US, India, and Saudi Arabia, with no federal-government-specific offering mentioned.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Default US Data Center, with India Data Center (dashboard.in.webengage.com) and Saudi Arabia Data Center available by contractual agreement.
No public statement found (privacy policy, terms, security page, or trust center) confirming or denying use of customer data to train AI/ML models. WebEngage's core product is a rules/segmentation-based customer engagement platform rather than a generative-AI product, so this is plausibly not applicable, but it is not explicitly addressed in any vendor-domain document reviewed. Graded null/unknown rather than assumed false.
// Security controls
Encryption in transit
TLS protocols with SHA256 algorithms used to handle data communications; HIPAA blog additionally cites TLS for PHI in transit.
webengage.comEncryption at rest
AES-256 encryption for data at rest (stated specifically in the context of HIPAA-scoped PHI; general security page references 'advanced encryption' without naming the algorithm).
webengage.comAccess control
Role-based access control and maker-checker principles available; multi-factor authentication referenced in HIPAA context.
webengage.comAudit logging
All actions taken by an admin, across the dashboard, are logged for auditing.
webengage.comThird-party audits
Annual third-party audits of internal controls following SOC 2 and ISO 27001 standards; independent auditors engaged for HIPAA validation (auditor name not disclosed publicly).
webengage.com// Products & data scope
data: Consolidates customer data from multiple sources into a unified profile.
Core data layer underlying segmentation and personalization features.
data: Behavioral and product-usage event data; cohort funnels, paths, RFM modeling.
Rules/statistics-based, not described as AI-model-driven in vendor copy captured.
data: Customer contact and behavioral-trigger data across email, push, SMS, WhatsApp, and other channels.
Standard multi-channel messaging orchestration.
data: Behavioral and segmentation data used to customize on-site/in-app experiences.
No evidence of generative-AI/LLM component; described as rule- and segment-driven.
// What to watch
- AI-training posture is unstated: no vendor-domain source (privacy policy, terms, security page, trust center) explicitly confirms or denies use of customer data for AI/ML model training, so trains_on_customer_data is graded null rather than assumed. Recommend follow-up with vendor before listing any AI-training claim.
- Auditor identity not disclosed: SOC 2 Type 2, ISO 27001, ISO 27701, and HIPAA validation are asserted on vendor pages but the specific accredited auditor/certification body name was not found in the pages reviewed (documents are gated behind a request form on the trust center, https://webengage.trust.site/resources), so underlying audit reports could not be independently inspected.
- RBI SAR is an India-specific financial-sector audit standard, listed by the vendor as 'Compliant' but not independently verifiable without the gated document; included for completeness but should be understood as narrower/regional in scope.
// At a glance
Pricing model
Enterprise SaaS subscription (demo-gated; pricing not publicly listed).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on WebEngage's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
webengage.trust.site