// Trust & Security Report
Brain.FM, Inc.
Science-backed functional music platform for focus, creativity, learning, sleep, relaxation, and meditation. Core products: web and mobile app with free trials, personal subscriptions, and team account licensing for enterprises.
Certifications held
0
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 12 unconfirmed / not-held certifications
source: brain.fmNo public evidence found across Brain.fm's website, privacy policy, terms, or public search results.
source: brain.fmNo public evidence found across Brain.fm's website, privacy policy, terms, or public search results.
source: brain.fmNo public evidence found across Brain.fm's website, privacy policy, terms, or public search results.
source: brain.fmNo public evidence found; not mentioned in available documentation.
source: brain.fmNo public evidence found; not mentioned in available documentation.
source: brain.fmNo public evidence found; not mentioned in available documentation.
source: brain.fmPrivacy policy mentions GDPR rights (deletion within 30 days) and notes data processing in EU, but no formal GDPR compliance framework, DPA, or Article 28 processor status is publicly documented.
source: brain.fmNo public evidence found; product is a consumer wellness app, not a HIPAA-covered entity or business associate. HIPAA does not apply to this product category.
source: brainfm.helpscoutdocs.comBrain.fm itself is not PCI DSS certified; payment processing is handled by Stripe (PCI DSS Level 1 compliant), but vendor does not claim direct PCI DSS compliance. Brain.fm does not store credit card information.
source: brain.fmNo public evidence found; not mentioned in available documentation and unlikely given small company size and private sector focus.
source: brain.fmNo public evidence found; not mentioned in available documentation.
source: brain.fmNo public evidence found; not mentioned in available documentation.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States, Singapore, European Union
No mention of training models on customer listening data, musical preferences, or focus patterns in public privacy policy or terms. Product appears to use pre-composed audio rather than generative AI. However, privacy policy is last updated May 23, 2018 and may not reflect current practices.
// Security controls
Encryption in Transit
SSL/SFTP with SHA-2 encryption for third-party data transfers; HTTPS enforced for all services
brain.fmAccess Controls
Physical access restrictions to database servers; authorized personnel only; firewalls to prevent unauthorized internet access to database
brain.fmPayment Processing
Payment processed via Stripe (PCI DSS Level 1 compliant); Brain.fm does not store credit card information
brainfm.helpscoutdocs.comThird-Party Processors
Third-party processors (marketing, analytics) required to maintain compliance standards matching or exceeding Brain.fm's; prohibited from using data beyond contracted purposes
brain.fm// Products & data scope
data: User account, listening history, subscription status, payment method (processed by Stripe, not stored)
Available on web, iOS, Android, and desktop. Free 30-day trial, then monthly/trimonthly/yearly subscriptions. Stores user neurotype preferences from in-app quiz to customize audio stimulus levels.
data: Team member accounts, team administrator data, aggregate usage analytics
Special pricing available for companies and classrooms. Contact support@brain.fm for team account details. No public documentation of team-specific data handling or compliance.
// What to watch
- Privacy policy last updated May 23, 2018 - extremely outdated and does not reflect modern AI/data practices, GDPR updates, or current industry standards for SaaS privacy disclosures.
- No formal GDPR compliance documentation or Data Processing Agreement (Article 28) publicly available, despite processing EU user data and offering EU data storage.
- No trust center or dedicated security/compliance documentation page exists; enterprise customers must contact support for compliance questions.
- No SOC 2 or ISO 27001 certifications despite offering team/enterprise licensing; smaller companies in this category often lack formal certifications but should have updated privacy policies.
- Data processing in Singapore adds complexity for enterprises with data sovereignty requirements; no public explanation of why Singapore is used or what data flows there.
- Over-claim risk: Marketing materials emphasize 'science-backed' and published research, but this does not constitute security/compliance certifications. Customers may conflate research credibility with security certifications.
- AI governance gap: Privacy policy does not address whether user behavioral/listening data could be used for future AI model training; policy predates modern AI practices by 8 years.
// At a glance
Pricing model
Freemium (30-day free trial) + subscription (monthly, trimonthly, yearly); team discounts available
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Brain.FM, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
brain.fm