// Trust & Security Report
Colossyan Inc.
Colossyan Creator: AI avatar video generator for corporate training and enablement (video creation, courses, localization, delivery, analytics), with self-serve Free/Starter/Business tiers and a separate Enterprise tier (SSO, custom avatars, multi-workspace, SCORM export).
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on colossyan.com“Colossyan holds SOC 2 Type II certification, independently audited by a third-party firm.”
Verify on colossyan.com“Colossyan complies with the EU General Data Protection Regulation... We process personal data lawfully, maintain data processing agreements (DPAs), and support data subject access requests.”
> Show 6 unconfirmed / not-held certifications
source: colossyan.comNo public evidence on Colossyan's own domain. The vendor's /security page references ISO 27001 only as a preference/requirement it applies to its own sub-processors and partner vendors, not as Colossyan's own certification. A third-party directory (Nudge Security) displays an 'ISO 27001 Compliant' badge with no supporting evidence or link, which we disregard per verification rules.
source: colossyan.comCustomer warrants that it will not use the Services to store or transmit any 'protected health information' as defined by HIPAA (Enterprise Terms, Section 5.1); standard Terms Section 7.1(ix) similarly bars uploading PHI. No Business Associate Agreement (BAA) is offered in either Standard or Enterprise terms.
source: colossyan.comNo public evidence on Colossyan's own domain; Colossyan does not process cardholder payment data directly (billing is handled via third-party payment processors). A third-party directory (Nudge Security) shows a 'PCI Compliant' badge with no evidence or link, which we disregard.
source: colossyan.comNo public evidence on Colossyan's own domain. The vendor's security page references following 'the transparency and risk management principles of the EU AI Act' but does not claim ISO 42001 certification.
source: colossyan.comNo public evidence on Colossyan's own domain. A third-party directory (Nudge Security) shows a 'CSA STAR Level 1 Compliant' badge with no evidence or link, which we disregard.
source: colossyan.comNo public evidence on Colossyan's own domain; Colossyan is not a US federal government cloud offering. A third-party directory (Nudge Security) shows a 'FedRAMP Compliant' badge with no evidence or link, which we disregard.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Infrastructure hosted on AWS in EU and US regions; Colossyan Inc. is a US entity with subsidiaries/registered offices in London (UK) and Budapest (Hungary); the general privacy notice separately states hosting occurs in Germany and the UK for EU/UK users, with data transfers outside the EEA relying on Standard Contractual Clauses (SCCs).
Vendor's security marketing page and privacy notice state customer documents, scripts, and generated videos are never used to train Colossyan's AI models, and that third-party AI vendors are contractually prohibited from training on Colossyan input. However, the Enterprise Terms of Service (Section 4.2) carve out one exception: Colossyan may use a customer's own Recordings to train the specific AI model that creates and operates that customer's Custom Created Avatar. This is a narrow, customer-specific use (building the customer's own avatar), not training Colossyan's general-purpose models on customer content, but AIFOXX should note the exception exists since it is not mentioned on the marketing security page.
// Security controls
Encryption in transit
TLS 1.3 for all data transmitted between browser and Colossyan servers.
colossyan.comHosting
AWS infrastructure in EU and US regions; 99.9% uptime SLA with 1-hour RTO/RPO cited on the security page.
colossyan.comPenetration testing
Annual third-party penetration tests; reports available via the Trust Center under NDA.
colossyan.comAttack surface monitoring
Real-time monitoring via UpGuard, with a safety score cited as consistently above 900 (self-reported, not independently re-verified by this assessment).
colossyan.comEnterprise access controls
SAML and OIDC SSO, custom roles/permissions, multi-workspace architecture, available on the Enterprise tier.
colossyan.comBreach notification
Affected customers notified within GDPR-required timeframes (72 hours).
colossyan.com// Products & data scope
data: Scripts, uploaded documents, generated videos, and any stock/custom avatar recordings the user uploads; standard Terms grant Colossyan broader internal research/service-improvement rights over Customer Materials than Enterprise terms do.
Free plan (3 min/month, shared avatars), Starter ($19-27/mo), Business ($70-88/mo per editor) tiers; no SSO/SAML, no BAA, PHI upload prohibited under Section 7.1(ix) of standard Terms.
data: Same content types as self-serve, plus SSO-authenticated workspace data; PHI storage/transmission still explicitly prohibited (no BAA offered).
Adds SAML/OIDC SSO, custom roles, multi-workspace isolation, SCORM export, custom quotes; only tier where Custom Created Avatar recordings may be used to train a customer-specific avatar model per Enterprise Terms Section 4.2.
// What to watch
- The trust center at security.colossyan.com is a JS-rendered SafeBase/Vanta-style portal that could not be scraped for its underlying control list or SOC 2 report date; SOC 2 Type II claim is corroborated only via the vendor's own /security marketing page, not the trust center's raw content. Recommend a manual check of the live trust center before high-stakes procurement decisions.
- Third-party directory Nudge Security displays generic 'compliant' badges for Colossyan covering SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, and CSA STAR Level 1 with zero supporting evidence or links. These badges directly contradict what Colossyan's own site and Terms say (e.g. HIPAA is explicitly disclaimed, ISO 27001/PCI/FedRAMP/CSA STAR are not mentioned anywhere on the vendor's own domain). Treat the Nudge Security badges as unverified marketing noise, not as vendor-confirmed certifications.
- Marketing copy on the security page states customer content is 'never used to train our AI models,' but the Enterprise Terms of Service carve out an exception allowing use of a customer's own Recordings to train that customer's Custom Created Avatar model. Not a fabrication, but a nuance the marketing page omits; worth surfacing to buyers who rely on the blanket 'never trains on your data' claim.
- Minor inconsistency between the security page (hosting described as AWS in EU/US regions) and the general privacy notice (hosting described as Germany and the UK for EU/UK users); likely reflects different infrastructure providers for different services rather than a real conflict, but not fully reconciled from public pages alone.
// At a glance
Pricing model
Freemium SaaS: Free, Starter (~$19-27/mo), Business (~$70-88/mo per editor), and custom-quoted Enterprise (SSO, SCORM, brand kits).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Colossyan Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.colossyan.com