// Trust & Security Report

    Colossyan Inc. logo

    Colossyan Inc.

    Colossyan Creator: AI avatar video generator for corporate training and enablement (video creation, courses, localization, delivery, analytics), with self-serve Free/Starter/Business tiers and a separate Enterprise tier (SSO, custom avatars, multi-workspace, SCORM export).

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Colossyan holds SOC 2 Type II certification, independently audited by a third-party firm.

    Verify on colossyan.com
    GDPR (compliance posture, not a certification)
    HELD

    Colossyan complies with the EU General Data Protection Regulation... We process personal data lawfully, maintain data processing agreements (DPAs), and support data subject access requests.

    Verify on colossyan.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence on Colossyan's own domain. The vendor's /security page references ISO 27001 only as a preference/requirement it applies to its own sub-processors and partner vendors, not as Colossyan's own certification. A third-party directory (Nudge Security) displays an 'ISO 27001 Compliant' badge with no supporting evidence or link, which we disregard per verification rules.

    source: colossyan.com
    HIPAA
    NOT CONFIRMED

    Customer warrants that it will not use the Services to store or transmit any 'protected health information' as defined by HIPAA (Enterprise Terms, Section 5.1); standard Terms Section 7.1(ix) similarly bars uploading PHI. No Business Associate Agreement (BAA) is offered in either Standard or Enterprise terms.

    source: colossyan.com
    PCI DSS
    NOT CONFIRMED

    No public evidence on Colossyan's own domain; Colossyan does not process cardholder payment data directly (billing is handled via third-party payment processors). A third-party directory (Nudge Security) shows a 'PCI Compliant' badge with no evidence or link, which we disregard.

    source: colossyan.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence on Colossyan's own domain. The vendor's security page references following 'the transparency and risk management principles of the EU AI Act' but does not claim ISO 42001 certification.

    source: colossyan.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on Colossyan's own domain. A third-party directory (Nudge Security) shows a 'CSA STAR Level 1 Compliant' badge with no evidence or link, which we disregard.

    source: colossyan.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on Colossyan's own domain; Colossyan is not a US federal government cloud offering. A third-party directory (Nudge Security) shows a 'FedRAMP Compliant' badge with no evidence or link, which we disregard.

    source: colossyan.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Infrastructure hosted on AWS in EU and US regions; Colossyan Inc. is a US entity with subsidiaries/registered offices in London (UK) and Budapest (Hungary); the general privacy notice separately states hosting occurs in Germany and the UK for EU/UK users, with data transfers outside the EEA relying on Standard Contractual Clauses (SCCs).

    Vendor's security marketing page and privacy notice state customer documents, scripts, and generated videos are never used to train Colossyan's AI models, and that third-party AI vendors are contractually prohibited from training on Colossyan input. However, the Enterprise Terms of Service (Section 4.2) carve out one exception: Colossyan may use a customer's own Recordings to train the specific AI model that creates and operates that customer's Custom Created Avatar. This is a narrow, customer-specific use (building the customer's own avatar), not training Colossyan's general-purpose models on customer content, but AIFOXX should note the exception exists since it is not mentioned on the marketing security page.

    // Security controls

    Encryption in transit

    TLS 1.3 for all data transmitted between browser and Colossyan servers.

    colossyan.com

    Encryption at rest

    AES-256 for customer data stored on Colossyan servers.

    colossyan.com

    Hosting

    AWS infrastructure in EU and US regions; 99.9% uptime SLA with 1-hour RTO/RPO cited on the security page.

    colossyan.com

    Penetration testing

    Annual third-party penetration tests; reports available via the Trust Center under NDA.

    colossyan.com

    Attack surface monitoring

    Real-time monitoring via UpGuard, with a safety score cited as consistently above 900 (self-reported, not independently re-verified by this assessment).

    colossyan.com

    Enterprise access controls

    SAML and OIDC SSO, custom roles/permissions, multi-workspace architecture, available on the Enterprise tier.

    colossyan.com

    Breach notification

    Affected customers notified within GDPR-required timeframes (72 hours).

    colossyan.com

    // Products & data scope

    Colossyan Creator (Free / Starter / Business)Self-serve AI video generator

    data: Scripts, uploaded documents, generated videos, and any stock/custom avatar recordings the user uploads; standard Terms grant Colossyan broader internal research/service-improvement rights over Customer Materials than Enterprise terms do.

    Free plan (3 min/month, shared avatars), Starter ($19-27/mo), Business ($70-88/mo per editor) tiers; no SSO/SAML, no BAA, PHI upload prohibited under Section 7.1(ix) of standard Terms.

    Colossyan EnterpriseTeam/enterprise AI video platform

    data: Same content types as self-serve, plus SSO-authenticated workspace data; PHI storage/transmission still explicitly prohibited (no BAA offered).

    Adds SAML/OIDC SSO, custom roles, multi-workspace isolation, SCORM export, custom quotes; only tier where Custom Created Avatar recordings may be used to train a customer-specific avatar model per Enterprise Terms Section 4.2.

    // What to watch

    • The trust center at security.colossyan.com is a JS-rendered SafeBase/Vanta-style portal that could not be scraped for its underlying control list or SOC 2 report date; SOC 2 Type II claim is corroborated only via the vendor's own /security marketing page, not the trust center's raw content. Recommend a manual check of the live trust center before high-stakes procurement decisions.
    • Third-party directory Nudge Security displays generic 'compliant' badges for Colossyan covering SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, and CSA STAR Level 1 with zero supporting evidence or links. These badges directly contradict what Colossyan's own site and Terms say (e.g. HIPAA is explicitly disclaimed, ISO 27001/PCI/FedRAMP/CSA STAR are not mentioned anywhere on the vendor's own domain). Treat the Nudge Security badges as unverified marketing noise, not as vendor-confirmed certifications.
    • Marketing copy on the security page states customer content is 'never used to train our AI models,' but the Enterprise Terms of Service carve out an exception allowing use of a customer's own Recordings to train that customer's Custom Created Avatar model. Not a fabrication, but a nuance the marketing page omits; worth surfacing to buyers who rely on the blanket 'never trains on your data' claim.
    • Minor inconsistency between the security page (hosting described as AWS in EU/US regions) and the general privacy notice (hosting described as Germany and the UK for EU/UK users); likely reflects different infrastructure providers for different services rather than a real conflict, but not fully reconciled from public pages alone.

    // At a glance

    Pricing model

    Freemium SaaS: Free, Starter (~$19-27/mo), Business (~$70-88/mo per editor), and custom-quoted Enterprise (SSO, SCORM, brand kits).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Colossyan Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.colossyan.com

    > Browse all vendor trust reports