Is Drata safe with your data?
Drata
Drata, Inc.
Partial disclosure · high confidence
Drata earns a C (53/100) because it discloses its data practices only in part.
Dealbreaker flag
- D1.4: all rights, title and interest in and to the Services and all hardware, Software and other components of or used to provide the Services...will remain with Drata and belong exclusively to Drata
#85
of 211 apps ranked
53
score · Security & compliance avg 50
+3
vs category average
Drata does not train on customer data but retains broad IP rights in outputs; deletion rights lack concrete timelines and mandatory safeguards are boilerplate.
What Drata's privacy policy and terms of service say about your data
AI training restriction
Drata does not use Customer Data to train or fine-tune artificial intelligence or machine learning models and does not permit third-party inference providers to do so (Section 2.4.3)
Output ownership adverse
All rights, title and interest in outputs and services remain with Drata exclusively; user receives no IP ownership (Section 10.1)
Deletion timeline missing
Deletion requests are subject to exceptions with no concrete timeline; data retained as long as necessary for purposes (Privacy Notice Section 6)
Security language generic
Safeguards described as appropriate administrative, physical, and technical measures but with no named controls (TLS/AES-256/RBAC) (Section 6.3)
What the policy is silent or vague on
- Not stated: a way to opt out of training
- Not stated: whether training use differs by plan
- Not stated: your ownership of generated outputs
- Not stated: a right to delete your data
Drata privacy rating
Details
- Category
- Security & compliance
- Modalities
- text
- Processes biometrics
- No
- Policy last updated
- 2026-06-02
- Region scored
- Global / US-default
- Last assessed
- 2026-07-08
Documents examined
Other security & compliance apps
Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information. Full disclaimer.