// Trust & Security Report

    Aiva Technologies SARL logo

    Aiva Technologies SARL

    AIVA, an AI music generation assistant for individual creators (Free / Standard / Pro tiers) with a separately-negotiated custom Enterprise licensing track; no distinct security/enterprise product exists outside the consumer web/desktop app.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No trust center, security page, or SOC 2 mention exists anywhere on aiva.ai, aiva.ai/about, aiva.ai/legal/*, or status.aiva.ai.

    source: aiva.ai
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not referenced on any vendor-domain page.

    source: aiva.ai
    GDPR
    NOT CONFIRMED

    Privacy Policy states: 'If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted... we note that we are processing your information in order to fulfill contracts... or otherwise to pursue our legitimate business interests.' This is a basic EU-resident-rights statement, not a formal GDPR compliance program, DPA, or Article 30 records disclosure, so graded as posture-only rather than a certification held.

    source: aiva.ai
    HIPAA
    NOT CONFIRMED

    No public evidence. AIVA is a consumer music-generation tool with no healthcare use case, PHI handling, or BAA offering mentioned anywhere on the vendor domain.

    source: aiva.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence of AIVA's own PCI attestation. Privacy Policy states payment card data 'is not stored on our servers, and are stored by our payment processor, Stripe' i.e. PCI scope is offloaded to Stripe, not held by AIVA itself.

    source: aiva.ai
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence. No AI-governance certification is mentioned on any vendor-domain page.

    source: aiva.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on the vendor domain.

    source: aiva.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on the vendor domain; not applicable to a consumer creative tool with no US federal government offering.

    source: aiva.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Not disclosed. Company is domiciled in Luxembourg; no data-residency or processing-location statement found in the Privacy Policy, EULA, or status page.

    AIVA's End User License Agreement grants the company broad training rights over user-submitted content: 'Licensee provides Licensor with a worldwide, non-exclusive, commercial and transferrable license to train AIVA's AI systems on the Uploaded Influence, in perpetuity' (Upload Influence / custom style model feature). No opt-out is described in the EULA or Privacy Policy, and no tier-based exception was found (the Pro plan changes composition copyright ownership, not the training license grant). Conversely, users are explicitly barred from using AIVA-generated output as ML training data themselves.

    // Security controls

    Encryption in transit/at rest

    Not disclosed. No technical security controls are described on any vendor-domain page.

    aiva.ai

    Payment data handling

    Card and order data are collected via the site but stored by third-party processor Stripe, not on AIVA's own servers.

    aiva.ai

    SSO / 2FA / enterprise auth features

    Not confirmed on vendor domain. A third-party SaaS-security aggregator (Nudge Security) lists SSO and multiple 2FA methods as available, but this could not be verified on aiva.ai itself (no login/account settings page was accessible without an authenticated session), so it is recorded here as unverified rather than as a confirmed control.

    security-profiles.nudgesecurity.com

    Status/uptime transparency

    Public status page (status.aiva.ai) reports health of 'Website' and 'Music Engine' components; no SLA or infrastructure provider disclosed.

    status.aiva.ai

    // Products & data scope

    AIVA FreeConsumer / individual

    data: Account data, generated compositions, optional uploaded MIDI/audio influence

    Non-commercial use only, AIVA retains composition copyright, 3 downloads/month.

    AIVA Standard / ProConsumer / individual, prosumer

    data: Same as Free plus billing data (handled by Stripe)

    Pro plan transfers composition copyright to the user; does not change the AI-training license granted over uploaded influence content.

    AIVA Enterprise (custom)Business / high-volume licensing

    data: Unknown; governed by a separate negotiated agreement, not published

    Defined by AIVA as a business with 3+ employees and >$300k prior-year revenue; must contact AIVA directly to establish terms. No enterprise security addendum, DPA, or compliance documentation is published, so terms (including any security commitments) are opaque to the public.

    // What to watch

    • Over-claim risk: a third-party SaaS security aggregator (Nudge Security) displays badges asserting AIVA is 'SOC 2, GDPR, ISO 27001, FedRAMP, PCI, HIPAA, and CSA STAR Level 1 compliant,' but the same page admits these are unlinked badges with no attestation evidence, and none of these certifications appear anywhere on AIVA's own domain. This pattern (a full enterprise-grade cert stack claimed for a ~9-person consumer creative-app startup with no trust center) is implausible and should NOT be surfaced to users as fact; do not cite Nudge Security as a compliance source.
    • No DPA (Data Processing Agreement) is published or referenced, despite the product processing EU personal data and accepting EU customers.
    • Privacy Policy is a generic, unmodified template (dated 2019, structured like a standard e-commerce/Shopify boilerplate) rather than an AI-product-specific policy; it does not address AI model training, generated-content data flows, or retention periods for uploaded influence files.
    • EULA grants AIVA a perpetual, worldwide training license over user-uploaded audio/MIDI 'Influence' files with no stated opt-out, which should be disclosed to prospective users, especially any who upload proprietary or client material.
    • No data-residency or sub-processor list is published.

    // At a glance

    Pricing model

    Freemium subscription (EUR monthly/annual) for individuals; opaque custom pricing for Enterprise

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Aiva Technologies SARL's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    aiva.ai

    > Browse all vendor trust reports