// Trust & Security Report
Whimsical, Inc.
Whimsical is a whiteboard/diagramming SaaS for technical teams: flowcharts, wireframes, mind maps, boards, and an integrated "Whimsical AI" feature for generating diagrams and content from prompts. Single core product with Free, Pro, and Business subscription tiers (no separate consumer vs enterprise product line).
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 6 unconfirmed / not-held certifications
source: trust.whimsical.comNo public evidence. Not listed under Trust Center 'Compliance certifications' (only SOC 2 Type II is listed there) and not mentioned on the company security page (whimsical.com/company/security).
source: whimsical.comNo public evidence. Not referenced in the Trust Center, the security page, the pricing page, or the privacy policy.
source: whimsical.comNo public evidence of a Whimsical PCI DSS attestation. Payment processing is handled by Stripe as a subprocessor, so any PCI scope sits with Stripe, not Whimsical.
source: trust.whimsical.comNo public evidence. Not listed in the Trust Center certifications section or on the AI terms page.
source: trust.whimsical.comNo public evidence found on the Trust Center or vendor site.
source: trust.whimsical.comGDPR is listed as a 'Compliance' framework tab on the Trust Center (alongside CCPA) and the Privacy Policy has a dedicated 'Individuals Located in Europe' section describing legal bases and a Transfer Impact Assessment resource. This reflects a documented GDPR posture, not a third-party GDPR certification (no such certification body exists), so it is graded held=false as a formal 'certification' while the posture itself is recorded honestly in the privacy block below.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Hosted in and provided from the United States on AWS infrastructure; the Privacy Policy notes data may also be transferred to Canada or other countries, with Standard Contractual Clauses and a Transfer Impact Assessment used for international transfers.
Whimsical's AI Supplementary Terms state: 'Whimsical does not use your Customer Data or permit others to use your Customer Data to train the machine learning models used to provide Whimsical AI functionality.' Data collected from AI usage may be used to improve models only when a user 'voluntarily provide[s] feedback' or 'give[s] us your permission' - i.e., opt-in, not opt-out by default. No tier-based differences in this policy were found (applies uniformly across Free/Pro/Business).
// Security controls
SSO / identity
SAML 2.0 SSO (Okta, OneLogin, GSuite) and SCIM available on the Business plan only; TOTP-based two-factor authentication available generally
whimsical.comPenetration testing
Annual third-party penetration test; a Trust Center resource labeled 'Penetration Test (CFD)' is available under NDA/access request
trust.whimsical.comVulnerability disclosure
Vulnerability disclosure / responsible-disclosure program referenced on the security page
whimsical.comSubprocessors
Stripe named for payment processing; a fuller subprocessor list is linked from the Trust Center but requires access request
trust.whimsical.com// Products & data scope
data: Boards, diagrams, wireframes, mind maps created by the user; no SSO/SCIM
Personal/small use; no enterprise security controls.
data: Same data model as Free with expanded team collaboration
Still lacks SAML SSO/SCIM per the pricing table.
data: Org-wide boards plus admin controls
Only tier with SAML SSO, SCIM, custom security reviews, and Content Security Lock per the pricing page.
data: Prompts and generated content within a board; governed by the AI Supplementary Terms
Bundled into the base subscription at no extra cost; contractually excluded from model-training use of Customer Data absent explicit opt-in feedback/permission.
// What to watch
- Trust Center page is JS-rendered and largely blocked non-headless fetch tools; findings rely on a partial headless capture in the raw evidence plus corroborating vendor pages (security, pricing, privacy, AI terms), so the full certifications list and controls detail behind the access-gated Trust Center could not be independently re-verified page-by-page.
- No ISO 27001, HIPAA, or AI-governance (ISO 42001 / CSA STAR) certifications found anywhere on vendor-owned domains; do not infer these from the SOC 2 Type II badge.
- GDPR and CCPA appear on the Trust Center as 'Compliance' framework tabs alongside the SOC 2 badge; this could visually read as 'certified for GDPR/CCPA' to a casual viewer, but neither is a certifiable standard, only SOC 2 Type II is an actual third-party attested certification. Flagged so AIFOXX does not over-represent GDPR/CCPA as certifications on the listing.
// At a glance
Pricing model
Per-editor seat pricing: Free, Pro ($10/editor/mo), Business ($20/editor/mo)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Whimsical, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.whimsical.com