// Trust & Security Report
Aiva Technologies SARL
AIVA, an AI music generation assistant for individual creators (Free / Standard / Pro tiers) with a separately-negotiated custom Enterprise licensing track; no distinct security/enterprise product exists outside the consumer web/desktop app.
Certifications held
0
Maturity
Startup
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: aiva.aiNo public evidence. No trust center, security page, or SOC 2 mention exists anywhere on aiva.ai, aiva.ai/about, aiva.ai/legal/*, or status.aiva.ai.
source: aiva.aiPrivacy Policy states: 'If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted... we note that we are processing your information in order to fulfill contracts... or otherwise to pursue our legitimate business interests.' This is a basic EU-resident-rights statement, not a formal GDPR compliance program, DPA, or Article 30 records disclosure, so graded as posture-only rather than a certification held.
source: aiva.aiNo public evidence. AIVA is a consumer music-generation tool with no healthcare use case, PHI handling, or BAA offering mentioned anywhere on the vendor domain.
source: aiva.aiNo public evidence of AIVA's own PCI attestation. Privacy Policy states payment card data 'is not stored on our servers, and are stored by our payment processor, Stripe' i.e. PCI scope is offloaded to Stripe, not held by AIVA itself.
source: aiva.aiNo public evidence. No AI-governance certification is mentioned on any vendor-domain page.
source: aiva.aiNo public evidence on the vendor domain; not applicable to a consumer creative tool with no US federal government offering.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Not disclosed. Company is domiciled in Luxembourg; no data-residency or processing-location statement found in the Privacy Policy, EULA, or status page.
AIVA's End User License Agreement grants the company broad training rights over user-submitted content: 'Licensee provides Licensor with a worldwide, non-exclusive, commercial and transferrable license to train AIVA's AI systems on the Uploaded Influence, in perpetuity' (Upload Influence / custom style model feature). No opt-out is described in the EULA or Privacy Policy, and no tier-based exception was found (the Pro plan changes composition copyright ownership, not the training license grant). Conversely, users are explicitly barred from using AIVA-generated output as ML training data themselves.
// Security controls
Encryption in transit/at rest
Not disclosed. No technical security controls are described on any vendor-domain page.
aiva.aiPayment data handling
Card and order data are collected via the site but stored by third-party processor Stripe, not on AIVA's own servers.
aiva.aiSSO / 2FA / enterprise auth features
Not confirmed on vendor domain. A third-party SaaS-security aggregator (Nudge Security) lists SSO and multiple 2FA methods as available, but this could not be verified on aiva.ai itself (no login/account settings page was accessible without an authenticated session), so it is recorded here as unverified rather than as a confirmed control.
security-profiles.nudgesecurity.comStatus/uptime transparency
Public status page (status.aiva.ai) reports health of 'Website' and 'Music Engine' components; no SLA or infrastructure provider disclosed.
status.aiva.ai// Products & data scope
data: Account data, generated compositions, optional uploaded MIDI/audio influence
Non-commercial use only, AIVA retains composition copyright, 3 downloads/month.
data: Same as Free plus billing data (handled by Stripe)
Pro plan transfers composition copyright to the user; does not change the AI-training license granted over uploaded influence content.
data: Unknown; governed by a separate negotiated agreement, not published
Defined by AIVA as a business with 3+ employees and >$300k prior-year revenue; must contact AIVA directly to establish terms. No enterprise security addendum, DPA, or compliance documentation is published, so terms (including any security commitments) are opaque to the public.
// What to watch
- Over-claim risk: a third-party SaaS security aggregator (Nudge Security) displays badges asserting AIVA is 'SOC 2, GDPR, ISO 27001, FedRAMP, PCI, HIPAA, and CSA STAR Level 1 compliant,' but the same page admits these are unlinked badges with no attestation evidence, and none of these certifications appear anywhere on AIVA's own domain. This pattern (a full enterprise-grade cert stack claimed for a ~9-person consumer creative-app startup with no trust center) is implausible and should NOT be surfaced to users as fact; do not cite Nudge Security as a compliance source.
- No DPA (Data Processing Agreement) is published or referenced, despite the product processing EU personal data and accepting EU customers.
- Privacy Policy is a generic, unmodified template (dated 2019, structured like a standard e-commerce/Shopify boilerplate) rather than an AI-product-specific policy; it does not address AI model training, generated-content data flows, or retention periods for uploaded influence files.
- EULA grants AIVA a perpetual, worldwide training license over user-uploaded audio/MIDI 'Influence' files with no stated opt-out, which should be disclosed to prospective users, especially any who upload proprietary or client material.
- No data-residency or sub-processor list is published.
// At a glance
Pricing model
Freemium subscription (EUR monthly/annual) for individuals; opaque custom pricing for Enterprise
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Aiva Technologies SARL's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
aiva.ai