// Trust & Security Report

    ChatPDF GmbH logo

    ChatPDF GmbH

    PDF document analysis and chat tool powered by AI (GPT-4o, GPT-4o-mini). Allows users to upload PDFs, documents, and video files, then ask questions about their content. Features: multi-file chat, summarization, side-by-side view, citations, multi-language support. Free tier + ChatPDF Plus premium.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    Our SOC2 Type II certified storage provider ensures enterprise-level security - refers to Google Firebase storage provider, not ChatPDF itself

    source: chatpdf.com
    ISO 27001
    NOT CONFIRMED

    No public evidence found. Not mentioned in privacy documentation, FAQ, or vendor materials.

    GDPR Compliance
    NOT CONFIRMED

    General privacy practices mentioned but no formal GDPR compliance certification or Data Processing Agreement publicly available. No mention of Standard Contractual Clauses or adequacy decisions.

    source: chatpdf.com
    HIPAA
    NOT CONFIRMED

    No public evidence found. Not mentioned in vendor materials. Product designed for general users, not healthcare-specific compliance.

    PCI DSS
    NOT CONFIRMED

    No public evidence found. Not mentioned in vendor documentation.

    FedRAMP
    NOT CONFIRMED

    No public evidence found. Claimed in Nudge Security profile but marked as unverified placeholder with no supporting documentation.

    CSA STAR
    NOT CONFIRMED

    No public evidence found. Claimed in Nudge Security profile but marked as unverified placeholder.

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Multi-region (Google Firebase Firestore, OpenAI, Google, Anthropic servers)

    Document text and user queries are sent to OpenAI, Google, and Anthropic API services for AI processing. OpenAI API by default does not train on API inputs/outputs, but users should verify retention policies with each provider. No clear opt-out mechanism mentioned for ChatPDF platform.

    // Security controls

    Encryption in Transit

    SSL/TLS encryption

    chatpdf.com

    Encryption at Rest

    Encrypted storage in Google Firebase Firestore

    chatpdf.com

    Data Storage

    Google Firebase Firestore (Google Cloud)

    chatpdf-55797.firebaseapp.com

    Analytics

    Firebase Analytics by Google

    chatpdf-55797.firebaseapp.com

    Authentication

    Google and Microsoft login options, basic account system

    chatpdf.com

    Data Deletion

    Users can delete documents and chats at any time

    chatpdf.com

    Third-Party Processing

    Document content sent to OpenAI (GPT-4o/GPT-4o-mini), Google, and Anthropic for processing

    chatpdf.com

    Trust Center / Security Portal

    Not available

    Bug Bounty Program

    Not mentioned

    // Products & data scope

    ChatPDF FreeDocument Analysis

    data: Limited analysis via OpenAI API (2 documents/day)

    Free tier with limited daily document analysis. Data sent to OpenAI for processing.

    ChatPDF PlusDocument Analysis

    data: Unlimited document analysis and features

    Premium subscription with unlimited documents, multi-file chats, advanced features. Data sent to third-party AI providers.

    Additional ToolsAI Utilities

    data: AI Writer, AI Detector, Flashcard Generator, YouTube Chat, Research tools

    Suite of complementary tools using similar AI processing pipeline. All send content to third-party LLM providers.

    // What to watch

    • OVER-CLAIM: Nudge Security profile lists SOC 2, HIPAA, PCI, ISO 27001, FedRAMP, and CSA STAR as certified, but notes these are 'placeholders' with no accessible supporting documentation. No independent verification found for any of these claims.
    • STORAGE PROVIDER CONFUSION: ChatPDF's FAQ states 'Our SOC2 Type II certified storage provider' referring to Google Firebase - this is the cloud provider's cert, not ChatPDF's. Marketing could be misleading.
    • THIRD-PARTY DATA PROCESSING: User document content is automatically sent to OpenAI, Google, and Anthropic LLM APIs. While necessary for functionality, users should understand data flows to these providers.
    • NO FORMAL GDPR COMPLIANCE: No Data Processing Agreement (DPA), no Standard Contractual Clauses, no mention of EU Adequacy Decisions. General privacy policy exists but no formal GDPR compliance framework documented.
    • NO HIPAA COMPLIANCE: Product not designed for healthcare use. No HIPAA compliance certification or Business Associate Agreement (BAA) available.
    • LIMITED TRUST DOCUMENTATION: No dedicated trust center, security documentation, vulnerability disclosure policy, or bug bounty program publicly available.
    • YOUNG COMPANY: Founded 2023, no external funding, limited compliance infrastructure typical of enterprise vendors.
    • PRIVACY POLICY INACCESSIBLE: Privacy Policy and Terms of Service hosted on Notion, could not be fully accessed via automated verification.
    • INCOMPLETE COMPLIANCE POSTURE: For a startup PDF tool, current security and privacy posture is reasonable but lacks enterprise-grade certifications and formal compliance frameworks.

    // At a glance

    Pricing model

    Freemium (free with limited daily documents, Plus subscription for unlimited)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ChatPDF GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    chat-pdf.notion.site

    > Browse all vendor trust reports