// Trust & Security Report

    Whimsical, Inc. logo

    Whimsical, Inc.

    Whimsical is a whiteboard/diagramming SaaS for technical teams: flowcharts, wireframes, mind maps, boards, and an integrated "Whimsical AI" feature for generating diagrams and content from prompts. Single core product with Free, Pro, and Business subscription tiers (no separate consumer vs enterprise product line).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance certifications SOC 2 Type II

    Verify on trust.whimsical.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not listed under Trust Center 'Compliance certifications' (only SOC 2 Type II is listed there) and not mentioned on the company security page (whimsical.com/company/security).

    source: trust.whimsical.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Not referenced in the Trust Center, the security page, the pricing page, or the privacy policy.

    source: whimsical.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of a Whimsical PCI DSS attestation. Payment processing is handled by Stripe as a subprocessor, so any PCI scope sits with Stripe, not Whimsical.

    source: whimsical.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not listed in the Trust Center certifications section or on the AI terms page.

    source: trust.whimsical.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on the Trust Center or vendor site.

    source: trust.whimsical.com
    GDPR (regulatory posture, not a certification)
    NOT CONFIRMED

    GDPR is listed as a 'Compliance' framework tab on the Trust Center (alongside CCPA) and the Privacy Policy has a dedicated 'Individuals Located in Europe' section describing legal bases and a Transfer Impact Assessment resource. This reflects a documented GDPR posture, not a third-party GDPR certification (no such certification body exists), so it is graded held=false as a formal 'certification' while the posture itself is recorded honestly in the privacy block below.

    source: trust.whimsical.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Hosted in and provided from the United States on AWS infrastructure; the Privacy Policy notes data may also be transferred to Canada or other countries, with Standard Contractual Clauses and a Transfer Impact Assessment used for international transfers.

    Whimsical's AI Supplementary Terms state: 'Whimsical does not use your Customer Data or permit others to use your Customer Data to train the machine learning models used to provide Whimsical AI functionality.' Data collected from AI usage may be used to improve models only when a user 'voluntarily provide[s] feedback' or 'give[s] us your permission' - i.e., opt-in, not opt-out by default. No tier-based differences in this policy were found (applies uniformly across Free/Pro/Business).

    // Security controls

    Encryption in transit

    TLS 1.2 or higher

    whimsical.com

    Encryption at rest

    AES-256

    whimsical.com

    Hosting infrastructure

    Amazon Web Services (AWS) data centers

    whimsical.com

    SSO / identity

    SAML 2.0 SSO (Okta, OneLogin, GSuite) and SCIM available on the Business plan only; TOTP-based two-factor authentication available generally

    whimsical.com

    Penetration testing

    Annual third-party penetration test; a Trust Center resource labeled 'Penetration Test (CFD)' is available under NDA/access request

    trust.whimsical.com

    Vulnerability disclosure

    Vulnerability disclosure / responsible-disclosure program referenced on the security page

    whimsical.com

    Monitoring

    24/7 security monitoring described as performed by the engineering team

    whimsical.com

    Subprocessors

    Stripe named for payment processing; a fuller subprocessor list is linked from the Trust Center but requires access request

    trust.whimsical.com

    // Products & data scope

    Whimsical (Free)Whiteboard / diagramming

    data: Boards, diagrams, wireframes, mind maps created by the user; no SSO/SCIM

    Personal/small use; no enterprise security controls.

    Whimsical ProWhiteboard / diagramming

    data: Same data model as Free with expanded team collaboration

    Still lacks SAML SSO/SCIM per the pricing table.

    Whimsical BusinessWhiteboard / diagramming (team/org)

    data: Org-wide boards plus admin controls

    Only tier with SAML SSO, SCIM, custom security reviews, and Content Security Lock per the pricing page.

    Whimsical AIAI-assisted diagram/content generation feature

    data: Prompts and generated content within a board; governed by the AI Supplementary Terms

    Bundled into the base subscription at no extra cost; contractually excluded from model-training use of Customer Data absent explicit opt-in feedback/permission.

    // What to watch

    • Trust Center page is JS-rendered and largely blocked non-headless fetch tools; findings rely on a partial headless capture in the raw evidence plus corroborating vendor pages (security, pricing, privacy, AI terms), so the full certifications list and controls detail behind the access-gated Trust Center could not be independently re-verified page-by-page.
    • No ISO 27001, HIPAA, or AI-governance (ISO 42001 / CSA STAR) certifications found anywhere on vendor-owned domains; do not infer these from the SOC 2 Type II badge.
    • GDPR and CCPA appear on the Trust Center as 'Compliance' framework tabs alongside the SOC 2 badge; this could visually read as 'certified for GDPR/CCPA' to a casual viewer, but neither is a certifiable standard, only SOC 2 Type II is an actual third-party attested certification. Flagged so AIFOXX does not over-represent GDPR/CCPA as certifications on the listing.

    // At a glance

    Pricing model

    Per-editor seat pricing: Free, Pro ($10/editor/mo), Business ($20/editor/mo)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Whimsical, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.whimsical.com

    > Browse all vendor trust reports