Rasa

Open-source conversational AI framework for building enterprise chatbots and voice assistants

Portkey

AI gateway and LLMOps platform for routing, observability, and guardrails across multiple LLM providers

Rasa

Strong

19/25

Portkey

Moderate

15/25

Score Breakdown

DimensionRasaPortkey

Data Residency

Where is your data stored and processed?

Rasa: Open-source framework deployable on any infrastructure. Self-hosted option means data never leaves customer's environment. No cloud dependency for core functionality.

Portkey: US cloud by default but self-hosted deployment option allows EU data residency. Gateway architecture means LLM requests can be routed to EU-hosted providers.

5/5

Open-source framework deployable on any infrastructure. Self-hosted option means data never leaves customer's environment. No cloud dependency for core functionality.

3/5

US cloud by default but self-hosted deployment option allows EU data residency. Gateway architecture means LLM requests can be routed to EU-hosted providers.

Legal Jurisdiction

Which laws govern the company and your data?

Rasa: Dual incorporation: Rasa Technologies GmbH (Germany) and Rasa Technologies Inc (USA). German R&D but US entity introduces CLOUD Act considerations. Self-hosted deployments mitigate jurisdiction risks.

Portkey: Delaware incorporation. US jurisdiction. Self-hosted option eliminates cloud dependency for data-sensitive deployments.

3/5

Dual incorporation: Rasa Technologies GmbH (Germany) and Rasa Technologies Inc (USA). German R&D but US entity introduces CLOUD Act considerations. Self-hosted deployments mitigate jurisdiction risks.

2/5

Delaware incorporation. US jurisdiction. Self-hosted option eliminates cloud dependency for data-sensitive deployments.

Data Retention & Training

Is your data used for model training?

Rasa: Self-hosted architecture gives customers complete control over data retention. Rasa does not access or host customer data. Open-source code allows full audit of data handling.

Portkey: Gateway does not train on routed data. Observability logs are retained per customer policy. Self-hosted gives full control.

5/5

Self-hosted architecture gives customers complete control over data retention. Rasa does not access or host customer data. Open-source code allows full audit of data handling.

4/5

Gateway does not train on routed data. Observability logs are retained per customer policy. Self-hosted gives full control.

Certifications

ISO 27001, SOC 2, Cyber Essentials, etc.

Rasa: Controls aligned with ISO 27002. Supports GDPR and HIPAA compliance. No formal ISO 27001 or SOC 2 certifications listed. Self-hosted model shifts certification burden to customer.

Portkey: SOC 2 Type II certified. Appropriate for the company's stage. ISO 27001 would strengthen enterprise procurement.

2/5

Controls aligned with ISO 27002. Supports GDPR and HIPAA compliance. No formal ISO 27001 or SOC 2 certifications listed. Self-hosted model shifts certification burden to customer.

3/5

SOC 2 Type II certified. Appropriate for the company's stage. ISO 27001 would strengthen enterprise procurement.

Regulatory Fit

Suitability for regulated industries and professional services

Rasa: Excellent for regulated industries due to self-hosting capability. Used by enterprises in financial services, healthcare, and government. Full data control enables compliance with strict regulatory requirements.

Portkey: Self-hosted option enables EU deployment. SOC 2 certified. US jurisdiction applies to cloud product. Suitable for European teams managing multi-model AI infrastructure.

4/5

Excellent for regulated industries due to self-hosting capability. Used by enterprises in financial services, healthcare, and government. Full data control enables compliance with strict regulatory requirements.

3/5

Self-hosted option enables EU deployment. SOC 2 certified. US jurisdiction applies to cloud product. Suitable for European teams managing multi-model AI infrastructure.

Total Score

19/25

15/25

Best For

Rasa

Best for privacy-conscious teams who need strong data retention controls; organisations that need self-hosted or on-premise deployment; teams on a tight budget.

Portkey

Best for regulated industries (financial-services, healthcare); privacy-conscious teams who need strong data retention controls; organisations that need self-hosted or on-premise deployment; teams on a tight budget.

Detailed Comparison

Portkey vs Rasa: Trust & Compliance Comparison

Portkey (Portkey, US) scores 15/25 overall with a Bronze (Moderate) trust badge. AI gateway and LLMOps platform for routing, observability, and guardrails across multiple LLM providers. Rasa (Rasa, DE) scores 19/25 with a Silver (Strong) trust badge. Open-source conversational AI framework for building enterprise chatbots and voice assistants.

Dimension-by-Dimension Breakdown

#### Data Residency

Rasa leads with 5/5 vs 3/5.

●Portkey (3/5): US cloud by default but self-hosted deployment option allows EU data residency. Gateway architecture means LLM requests can be routed to EU-hosted providers.

●Rasa (5/5): Open-source framework deployable on any infrastructure. Self-hosted option means data never leaves customer's environment. No cloud dependency for core functionality.

#### Legal Jurisdiction

Rasa leads with 3/5 vs 2/5.

●Portkey (2/5): Delaware incorporation. US jurisdiction. Self-hosted option eliminates cloud dependency for data-sensitive deployments.

●Rasa (3/5): Dual incorporation: Rasa Technologies GmbH (Germany) and Rasa Technologies Inc (USA). German R&D but US entity introduces CLOUD Act considerations. Self-hosted deployments mitigate jurisdiction risks.

#### Data Retention & Training

Rasa leads with 5/5 vs 4/5.

●Portkey (4/5): Gateway does not train on routed data. Observability logs are retained per customer policy. Self-hosted gives full control.

●Rasa (5/5): Self-hosted architecture gives customers complete control over data retention. Rasa does not access or host customer data. Open-source code allows full audit of data handling.

#### Certifications

Portkey leads with 3/5 vs 2/5.

●Portkey (3/5): SOC 2 Type II certified. Appropriate for the company's stage. ISO 27001 would strengthen enterprise procurement.

●Rasa (2/5): Controls aligned with ISO 27002. Supports GDPR and HIPAA compliance. No formal ISO 27001 or SOC 2 certifications listed. Self-hosted model shifts certification burden to customer.

#### Regulatory Fit

Rasa leads with 4/5 vs 3/5.

●Portkey (3/5): Self-hosted option enables EU deployment. SOC 2 certified. US jurisdiction applies to cloud product. Suitable for European teams managing multi-model AI infrastructure.

●Rasa (4/5): Excellent for regulated industries due to self-hosting capability. Used by enterprises in financial services, healthcare, and government. Full data control enables compliance with strict regulatory requirements.

Certifications at a Glance

Certification	Portkey	Rasa
SOC 2 Type II	Yes	No

Overall Verdict

Rasa has a clear trust advantage, scoring 19/25 compared to Portkey's 15/25. Rasa particularly excels in data residency, legal jurisdiction, data retention & training, regulatory fit.

Frequently Asked Questions

Which is better for EU compliance, Rasa or Portkey?

Rasa has a TrustKit score of 19/25 while Portkey scores 15/25. Rasa currently rates higher across data residency, legal jurisdiction, data retention, certifications, and regulatory fit.

How do Rasa and Portkey compare on data residency?

Rasa scores 5/5 for data residency (Open-source framework deployable on any infrastructure. Self-hosted option means data never leaves customer's environment. No cloud dependency for core functionality.), while Portkey scores 3/5 (US cloud by default but self-hosted deployment option allows EU data residency. Gateway architecture means LLM requests can be routed to EU-hosted providers.).

Are Rasa and Portkey GDPR compliant?

Both tools are assessed across five compliance dimensions. Rasa has a regulatory fit score of 4/5 and Portkey scores 3/5. Check the full comparison above for a detailed breakdown.

Explore Each Tool