// Trust & Security Report
CopyAI, Inc.
Copy.ai GTM AI Platform
Certifications held
2
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.copy.ai“Compliance — SOC 2 Type II (Copy.ai Trust Center, Compliance section). Corroborated by the announcement: "Copy.ai has achieved SOC 2 Type II compliance in accordance with the American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations, also known as SSAE 18" with an audit by Prescient Assurance.”
Verify on copy.ai“"Copy.ai adheres to the EU-U.S. Data Privacy Framework Principles regarding the collection, use, and retention of personal data transferred from the European Union." Privacy Notice also designates an EEA representative at contact@gdprlocal.com and frames Copy.ai as a data controller/processor under Regulation (EU) 2016/679.”
> Show 2 unconfirmed / not-held certifications
source: trust.copy.aiNot listed in the Copy.ai Trust Center Compliance section (only SOC 2 Type II is shown) and not claimed on the security page.
source: trust.copy.aiNo HIPAA attestation or BAA offering is listed in the Trust Center or on the security page.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
Cloud-based services storing/processing data in the United States and European Union, with transfers to additional locations including Brazil, Costa Rica, Philippines, and Canada per the Privacy Notice. Primary subprocessor infrastructure (Heroku, MongoDB Atlas) is hosted in the United States.
Security page states plainly: "We don't train on your data" and "our models are trained without utilizing your individual data"; also "We don't share your prompts" / "your prompts, and creative inputs are never shared with other customers" and "we don't trade in your data. We do not have, nor will we ever have, a revenue model that exploits user data." Note: Copy.ai is model-agnostic and routes generation through third-party LLM subprocessors (Anthropic, OpenAI) listed in the Trust Center; the ToS also assigns ownership of Generated Content to the licensor (e.g., OpenAI). Underlying foundation-model providers' own data-use terms therefore also apply.
// Security controls
SOC 2 Type II attestation
Held; audited by Prescient Assurance over a 3-month observation period; SOC 2 report downloadable via the Trust Center on request.
copy.aiEncryption
Trust Center lists 'Encryption key access restricted', 'Portable media encrypted', and a 'Cryptography Policy'; Privacy Notice cites 'appropriate physical, technical and organizational controls'. Specific at-rest/in-transit cipher standards are not published publicly.
trust.copy.aiAccess control
Trust Center: 'Production network access restricted', 'Unique network system authentication enforced', plus an Access Control Policy. SSO available.
trust.copy.aiVulnerability management
Trust Center: 'Vulnerability and system monitoring procedures established' and 'Control self-assessments conducted'. A documented Secure Development lifecycle and Incident Response Plan are listed.
trust.copy.aiPenetration testing
unknown — not explicitly published. The public Trust Center references vulnerability monitoring and self-assessments but does not confirm independent third-party penetration testing.
trust.copy.aiBusiness continuity / DR
Trust Center: 'Continuity and Disaster Recovery plans established' and 'Cybersecurity insurance maintained'.
trust.copy.aiSubprocessors
Heroku (application hosting/database, US), MongoDB Atlas (database, US), Anthropic (LLMs, US), OpenAI (LLMs, US).
trust.copy.ai// Products & data scope
data: Team/enterprise data: CRM records, account/contact research, sales transcripts, marketing content, and the customer's Infobase. 2,000+ integrations and LLM model-agnostic routing. SOC 2 Type II scope; subprocessors include Anthropic and OpenAI.
Primary commercial product; 'Trusted by 17 million users at leading companies' (Lenovo, Juniper cited). Enterprise tier with SSO and audit trails.
data: Lighter consumer-facing generators; same Privacy Notice/ToS apply. No separate compliance scope published.
Marketed separately under 'Free Tools'; useful for low-risk individual use vs the governed enterprise platform.
// What to watch
- Penetration testing not publicly confirmed (only vulnerability monitoring/self-assessments disclosed).
- No public bug-bounty program (HackerOne/Bugcrowd) found.
- DPA availability not stated in public Privacy Notice/ToS; likely available on request via legal@copy.ai but unverified.
- Generation relies on third-party LLM subprocessors (Anthropic, OpenAI); enterprise buyers should also review those providers' data-use terms. ToS assigns ownership of Generated Content to the LLM licensor.
- Data is transferred to multiple jurisdictions (incl. Brazil, Philippines, Costa Rica, Canada) which may matter for strict data-residency requirements.
// At a glance
Pricing model
Subscription SaaS (Free tier + paid plans; enterprise/demo-led for the GTM platform). Subscription-based, not data-monetized.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on CopyAI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.copy.ai