
Is Drata safe with your data?

C
Drata

Drata, Inc.

63/100

Partial disclosure · high confidence

Drata earns a C (63/100) because it discloses its data practices only in part.

#57 of 116 apps ranked


Grade scale: A · 85–100, B · 70–84, C · 55–69, D · 40–54, F · 0–39

Drata's controller-side privacy notice covers both CCPA and GDPR rights, with a named Data Privacy Framework certification, EU Standard Contractual Clauses, and a listed data protection officer address. It says nothing about AI training of user inputs because the notice expressly excludes Drata's products and customer data, and its retention language stays vague outside the California request windows. The score is at the upper end of C, held back by silent training-data indicators and an unquantified retention period.

What Drata's privacy policy says about your data

Full data subject rights

The notice grants access, deletion, correction, portability, objection, and restriction rights under both the CCPA and GDPR, exercisable through Drata's Privacy Center. The EEA section lists each right explicitly.

Named transfer safeguards

International transfers rely on EU Standard Contractual Clauses, the UK Addendum, and adequacy decisions. Drata states it has certified to the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks with the U.S. Department of Commerce.

Vague retention

Personal data is retained as long as necessary to fulfill the purposes for which it was collected. The notice gives no concrete day count or deletion timeline beyond the 30 and 45 day windows that apply only to California rights requests.

Opt-out of sale or sharing

Drata says it has not sold or shared data for money but treats advertising cookie exchanges as a potential sale or share under California law. It offers a Do Not Sell or Share link and honors opt-out preference signals at the browser level.

What the policy is silent or vague on

  • Not stated: keeping user inputs out of model training
  • Not stated: a way to opt out of training
  • Not stated: whether training use differs by plan
  • Not stated: your ownership of generated outputs

Drata privacy rating

Training-data use: 0 of 4 disclosed

  • Keeps user inputs out of model training, or makes training opt-in: Silent
  • Names a way to opt out of or into training: Silent
  • Says whether training use differs by plan or tier: Silent
  • Lets the user keep ownership of generated outputs: Silent

Data-subject rights: 5 of 5 disclosed

  • Grants a right to access your data: Disclosed
  • Grants a right to delete your data: Disclosed
  • Offers data portability in a usable format: Disclosed
  • Grants a right to correct your data: Disclosed
  • Grants a way to object to or opt out of processing: Disclosed

Retention and deletion: 1 of 3 disclosed

  • States a retention period for your data: Partial
  • States a deletion timeline after closure or request: Partial
  • Sets a shorter retention for AI conversation logs: Not applicable
  • Commits to collecting only the data it needs: Disclosed

Third-party sharing: 3 of 5 disclosed

  • Lists the categories of third parties it shares with: Disclosed
  • References a sub-processor list or data processing agreement: Partial
  • Does not sell or share data for advertising, or offers opt-out: Partial
  • Names a safeguard for international data transfers: Disclosed
  • States a standard for government and law-enforcement access: Disclosed

Transparency: 2 of 3 disclosed

  • Discloses that you are interacting with AI: Not applicable
  • Marks AI-generated or synthetic output: Not applicable
  • Enumerates the categories of data it collects: Disclosed
  • Maps processing purposes to legal bases: Disclosed
  • Is versioned and dated, with change notice: Partial

Sensitive data and children: 2 of 3 disclosed

  • Discloses automated decisions and a human-review path: Disclosed
  • Limits the use of special-category data: Partial
  • Governs biometric data specifically: Not applicable
  • States protections for children's data: Disclosed

Security and accountability: 1 of 3 disclosed

  • Describes its security safeguards: Partial
  • Commits to breach notification: Silent
  • Names a certification or a privacy contact: Disclosed

Legend: Disclosed · Partial · Silent · Adverse · Not applicable

Details

  • Category: Security & compliance
  • Modalities: text
  • Processes biometrics: No
  • Policy last updated: 2026-06-02
  • Region scored: Global / US-default
  • Assessed: 2026-06-20

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information. Full disclaimer.
