// Trust & Security Report

    BenevolentAI (BenevolentAI S.A., Luxembourg; formerly listed on Euronext Amsterdam as BAI, delisted and taken private via merger into Osaka Holdings S.a r.l. in March 2025) logo

    BenevolentAI (BenevolentAI S.A., Luxembourg; formerly listed on Euronext Amsterdam as BAI, delisted and taken private via merger into Osaka Holdings S.a r.l. in March 2025)

    AI-driven drug discovery and life science intelligence platform enabling pharmaceutical research teams to accelerate R&D through proprietary knowledge graphs, machine learning, and biomedical data analysis.

    Certifications held

    1

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    BenevolentAI Group states it is 'committed to conducting its businesses in accordance with all applicable Data Protection laws and regulations' and, for international transfers, implements 'data transfer agreements, implementing standard contractual clauses, or International Data Transfer Agreements'.

    Verify on benevolent.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1 or Type 2)
    NOT CONFIRMED

    No public evidence of SOC 2 certification found on vendor domain; not mentioned in privacy notice or terms.

    source: benevolent.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on vendor domain; not mentioned in privacy notice or terms.

    source: benevolent.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification found on vendor domain; not mentioned in privacy notice or terms.

    source: benevolent.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification; not mentioned on vendor domain.

    source: benevolent.com
    CSA STAR (Cloud Security Alliance)
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on vendor domain.

    source: benevolent.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor domain.

    source: benevolent.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region: United Kingdom, EU, and United States (with trusted suppliers). Uses Standard Contractual Clauses (SCCs) for international transfers.

    Explicitly prohibited under terms of service. Document states: 'prohibit text and data mining, web scraping, and automated access for AI training purposes' as 'an express reservation of our rights' under EU copyright law.

    // Security controls

    Encryption in Transit

    Not publicly disclosed. The privacy notice makes no encryption claim and instead disclaims transmission security: 'the transmission of information via the internet is not completely secure' and 'remains at your own risk'.

    benevolent.com

    Data Protection Measures

    Appropriate technical, organisational, and administrative measures; Standard Contractual Clauses (SCCs) with third-party processors

    benevolent.com

    Breach Notification

    Notifies regulators within 72 hours of suspected breach (GDPR requirement)

    benevolent.com

    Penetration Testing

    Not publicly disclosed

    benevolent.com

    Security Audits

    Regular security audits claimed in third-party assessments; not independently verified on vendor domain

    rfp.wiki

    // Products & data scope

    BenevolentAI Platform (Life Science Intelligence)AI Drug Discovery

    data: Biomedical data, disease biology, therapeutic targets, research data; handles sensitive pharmaceutical R&D information

    Proprietary knowledge graph and ontologies developed over decade; machine learning for drug target identification and hypothesis generation. Data stored in UK/EU with US supplier backup.

    // What to watch

    • No SOC 2 certification despite enterprise SaaS positioning and handling sensitive pharmaceutical research data
    • No ISO 27001 certification despite regulated-industry (pharmaceutical R&D) focus and enterprise positioning
    • No dedicated trust center or security/compliance documentation page (returns 404)
    • Explicit security disclaimer in terms: 'we do not guarantee that our site will be fully secured or free from bugs or viruses'
    • Data stored with 'trusted suppliers' in US but their certifications not disclosed or verified
    • Lack of publicly-available security certifications unusual for enterprise pharmaceutical AI platform handling confidential drug discovery data
    • No evidence of third-party security audits or assessments (e.g., penetration testing, vulnerability assessments) publicly available
    • GDPR compliance claimed but no link to Data Protection Impact Assessment (DPIA) or detailed processor agreements

    // At a glance

    Pricing model

    Enterprise licensing; contact for pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on BenevolentAI (BenevolentAI S.A., Luxembourg; formerly listed on Euronext Amsterdam as BAI, delisted and taken private via merger into Osaka Holdings S.a r.l. in March 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    benevolent.com

    > Browse all vendor trust reports