// Trust & Security Report
ChatPDF GmbH
PDF document analysis and chat tool powered by AI (GPT-4o, GPT-4o-mini). Allows users to upload PDFs, documents, and video files, then ask questions about their content. Features: multi-file chat, summarization, side-by-side view, citations, multi-language support. Free tier + ChatPDF Plus premium.
Certifications held
0
Maturity
Startup
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
source: chatpdf.comOur SOC2 Type II certified storage provider ensures enterprise-level security - refers to Google Firebase storage provider, not ChatPDF itself
No public evidence found. Not mentioned in privacy documentation, FAQ, or vendor materials.
source: chatpdf.comGeneral privacy practices mentioned but no formal GDPR compliance certification or Data Processing Agreement publicly available. No mention of Standard Contractual Clauses or adequacy decisions.
No public evidence found. Not mentioned in vendor materials. Product designed for general users, not healthcare-specific compliance.
No public evidence found. Not mentioned in vendor documentation.
No public evidence found. Claimed in Nudge Security profile but marked as unverified placeholder with no supporting documentation.
No public evidence found. Claimed in Nudge Security profile but marked as unverified placeholder.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Multi-region (Google Firebase Firestore, OpenAI, Google, Anthropic servers)
Document text and user queries are sent to OpenAI, Google, and Anthropic API services for AI processing. OpenAI API by default does not train on API inputs/outputs, but users should verify retention policies with each provider. No clear opt-out mechanism mentioned for ChatPDF platform.
// Security controls
Third-Party Processing
Document content sent to OpenAI (GPT-4o/GPT-4o-mini), Google, and Anthropic for processing
chatpdf.comTrust Center / Security Portal
Not available
Bug Bounty Program
Not mentioned
// Products & data scope
data: Limited analysis via OpenAI API (2 documents/day)
Free tier with limited daily document analysis. Data sent to OpenAI for processing.
data: Unlimited document analysis and features
Premium subscription with unlimited documents, multi-file chats, advanced features. Data sent to third-party AI providers.
data: AI Writer, AI Detector, Flashcard Generator, YouTube Chat, Research tools
Suite of complementary tools using similar AI processing pipeline. All send content to third-party LLM providers.
// What to watch
- OVER-CLAIM: Nudge Security profile lists SOC 2, HIPAA, PCI, ISO 27001, FedRAMP, and CSA STAR as certified, but notes these are 'placeholders' with no accessible supporting documentation. No independent verification found for any of these claims.
- STORAGE PROVIDER CONFUSION: ChatPDF's FAQ states 'Our SOC2 Type II certified storage provider' referring to Google Firebase - this is the cloud provider's cert, not ChatPDF's. Marketing could be misleading.
- THIRD-PARTY DATA PROCESSING: User document content is automatically sent to OpenAI, Google, and Anthropic LLM APIs. While necessary for functionality, users should understand data flows to these providers.
- NO FORMAL GDPR COMPLIANCE: No Data Processing Agreement (DPA), no Standard Contractual Clauses, no mention of EU Adequacy Decisions. General privacy policy exists but no formal GDPR compliance framework documented.
- NO HIPAA COMPLIANCE: Product not designed for healthcare use. No HIPAA compliance certification or Business Associate Agreement (BAA) available.
- LIMITED TRUST DOCUMENTATION: No dedicated trust center, security documentation, vulnerability disclosure policy, or bug bounty program publicly available.
- YOUNG COMPANY: Founded 2023, no external funding, limited compliance infrastructure typical of enterprise vendors.
- PRIVACY POLICY INACCESSIBLE: Privacy Policy and Terms of Service hosted on Notion, could not be fully accessed via automated verification.
- INCOMPLETE COMPLIANCE POSTURE: For a startup PDF tool, current security and privacy posture is reasonable but lacks enterprise-grade certifications and formal compliance frameworks.
// At a glance
Pricing model
Freemium (free with limited daily documents, Plus subscription for unlimited)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ChatPDF GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
chat-pdf.notion.site