// Trust & Security Report

    Brain.FM, Inc. logo

    Brain.FM, Inc.

    Science-backed functional music platform for focus, creativity, learning, sleep, relaxation, and meditation. Core products: web and mobile app with free trials, personal subscriptions, and team account licensing for enterprises.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 12 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence found across Brain.fm's website, privacy policy, terms, or public search results.

    source: brain.fm
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence found across Brain.fm's website, privacy policy, terms, or public search results.

    source: brain.fm
    ISO 27001
    NOT CONFIRMED

    No public evidence found across Brain.fm's website, privacy policy, terms, or public search results.

    source: brain.fm
    ISO 27017
    NOT CONFIRMED

    No public evidence found; not mentioned in available documentation.

    source: brain.fm
    ISO 27018
    NOT CONFIRMED

    No public evidence found; not mentioned in available documentation.

    source: brain.fm
    ISO 27701
    NOT CONFIRMED

    No public evidence found; not mentioned in available documentation.

    source: brain.fm
    GDPR Compliant
    NOT CONFIRMED

    Privacy policy mentions GDPR rights (deletion within 30 days) and notes data processing in EU, but no formal GDPR compliance framework, DPA, or Article 28 processor status is publicly documented.

    source: brain.fm
    HIPAA
    NOT CONFIRMED

    No public evidence found; product is a consumer wellness app, not a HIPAA-covered entity or business associate. HIPAA does not apply to this product category.

    source: brain.fm
    PCI DSS
    NOT CONFIRMED

    Brain.fm itself is not PCI DSS certified; payment processing is handled by Stripe (PCI DSS Level 1 compliant), but vendor does not claim direct PCI DSS compliance. Brain.fm does not store credit card information.

    source: brainfm.helpscoutdocs.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; not mentioned in available documentation and unlikely given small company size and private sector focus.

    source: brain.fm
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found; not mentioned in available documentation.

    source: brain.fm
    CSA STAR
    NOT CONFIRMED

    No public evidence found; not mentioned in available documentation.

    source: brain.fm

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States, Singapore, European Union

    No mention of training models on customer listening data, musical preferences, or focus patterns in public privacy policy or terms. Product appears to use pre-composed audio rather than generative AI. However, privacy policy is last updated May 23, 2018 and may not reflect current practices.

    // Security controls

    Encryption in Transit

    SSL/SFTP with SHA-2 encryption for third-party data transfers; HTTPS enforced for all services

    brain.fm

    Encryption at Rest

    No public documentation found

    brain.fm

    Access Controls

    Physical access restrictions to database servers; authorized personnel only; firewalls to prevent unauthorized internet access to database

    brain.fm

    Payment Processing

    Payment processed via Stripe (PCI DSS Level 1 compliant); Brain.fm does not store credit card information

    brainfm.helpscoutdocs.com

    Data Breach Notification

    No public procedure documented

    brain.fm

    Third-Party Processors

    Third-party processors (marketing, analytics) required to maintain compliance standards matching or exceeding Brain.fm's; prohibited from using data beyond contracted purposes

    brain.fm

    // Products & data scope

    Brain.fm PersonalFocus Music & Wellness

    data: User account, listening history, subscription status, payment method (processed by Stripe, not stored)

    Available on web, iOS, Android, and desktop. Free 30-day trial, then monthly/trimonthly/yearly subscriptions. Stores user neurotype preferences from in-app quiz to customize audio stimulus levels.

    Brain.fm TeamFocus Music & Wellness - Team Edition

    data: Team member accounts, team administrator data, aggregate usage analytics

    Special pricing available for companies and classrooms. Contact support@brain.fm for team account details. No public documentation of team-specific data handling or compliance.

    // What to watch

    • Privacy policy last updated May 23, 2018 - extremely outdated and does not reflect modern AI/data practices, GDPR updates, or current industry standards for SaaS privacy disclosures.
    • No formal GDPR compliance documentation or Data Processing Agreement (Article 28) publicly available, despite processing EU user data and offering EU data storage.
    • No trust center or dedicated security/compliance documentation page exists; enterprise customers must contact support for compliance questions.
    • No SOC 2 or ISO 27001 certifications despite offering team/enterprise licensing; smaller companies in this category often lack formal certifications but should have updated privacy policies.
    • Data processing in Singapore adds complexity for enterprises with data sovereignty requirements; no public explanation of why Singapore is used or what data flows there.
    • Over-claim risk: Marketing materials emphasize 'science-backed' and published research, but this does not constitute security/compliance certifications. Customers may conflate research credibility with security certifications.
    • AI governance gap: Privacy policy does not address whether user behavioral/listening data could be used for future AI model training; policy predates modern AI practices by 8 years.

    // At a glance

    Pricing model

    Freemium (30-day free trial) + subscription (monthly, trimonthly, yearly); team discounts available

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Brain.FM, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    brain.fm

    > Browse all vendor trust reports