// Trust & Security Report

    CopyAI, Inc. logo

    CopyAI, Inc.

    Copy.ai GTM AI Platform

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance — SOC 2 Type II (Copy.ai Trust Center, Compliance section). Corroborated by the announcement: "Copy.ai has achieved SOC 2 Type II compliance in accordance with the American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations, also known as SSAE 18" with an audit by Prescient Assurance.

    Verify on trust.copy.ai
    GDPR (DPF / EU-U.S. Data Privacy Framework)
    HELD

    "Copy.ai adheres to the EU-U.S. Data Privacy Framework Principles regarding the collection, use, and retention of personal data transferred from the European Union." Privacy Notice also designates an EEA representative at contact@gdprlocal.com and frames Copy.ai as a data controller/processor under Regulation (EU) 2016/679.

    Verify on copy.ai
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Not listed in the Copy.ai Trust Center Compliance section (only SOC 2 Type II is shown) and not claimed on the security page.

    source: trust.copy.ai
    HIPAA
    NOT CONFIRMED

    No HIPAA attestation or BAA offering is listed in the Trust Center or on the security page.

    source: trust.copy.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    Cloud-based services storing/processing data in the United States and European Union, with transfers to additional locations including Brazil, Costa Rica, Philippines, and Canada per the Privacy Notice. Primary subprocessor infrastructure (Heroku, MongoDB Atlas) is hosted in the United States.

    Security page states plainly: "We don't train on your data" and "our models are trained without utilizing your individual data"; also "We don't share your prompts" / "your prompts, and creative inputs are never shared with other customers" and "we don't trade in your data. We do not have, nor will we ever have, a revenue model that exploits user data." Note: Copy.ai is model-agnostic and routes generation through third-party LLM subprocessors (Anthropic, OpenAI) listed in the Trust Center; the ToS also assigns ownership of Generated Content to the licensor (e.g., OpenAI). Underlying foundation-model providers' own data-use terms therefore also apply.

    // Security controls

    SOC 2 Type II attestation

    Held; audited by Prescient Assurance over a 3-month observation period; SOC 2 report downloadable via the Trust Center on request.

    copy.ai

    Encryption

    Trust Center lists 'Encryption key access restricted', 'Portable media encrypted', and a 'Cryptography Policy'; Privacy Notice cites 'appropriate physical, technical and organizational controls'. Specific at-rest/in-transit cipher standards are not published publicly.

    trust.copy.ai

    Access control

    Trust Center: 'Production network access restricted', 'Unique network system authentication enforced', plus an Access Control Policy. SSO available.

    trust.copy.ai

    Vulnerability management

    Trust Center: 'Vulnerability and system monitoring procedures established' and 'Control self-assessments conducted'. A documented Secure Development lifecycle and Incident Response Plan are listed.

    trust.copy.ai

    Penetration testing

    unknown — not explicitly published. The public Trust Center references vulnerability monitoring and self-assessments but does not confirm independent third-party penetration testing.

    trust.copy.ai

    Bug bounty

    unknown / none found — no public HackerOne or Bugcrowd program located.

    trust.copy.ai

    Business continuity / DR

    Trust Center: 'Continuity and Disaster Recovery plans established' and 'Cybersecurity insurance maintained'.

    trust.copy.ai

    Subprocessors

    Heroku (application hosting/database, US), MongoDB Atlas (database, US), Anthropic (LLMs, US), OpenAI (LLMs, US).

    trust.copy.ai

    // Products & data scope

    Copy.ai GTM AI Platform (Workflows, Actions, Agents, Tables, Chat, Infobase, Brand Voice)Go-to-market AI automation platform (sales + marketing + ops)

    data: Team/enterprise data: CRM records, account/contact research, sales transcripts, marketing content, and the customer's Infobase. 2,000+ integrations and LLM model-agnostic routing. SOC 2 Type II scope; subprocessors include Anthropic and OpenAI.

    Primary commercial product; 'Trusted by 17 million users at leading companies' (Lenovo, Juniper cited). Enterprise tier with SSO and audit trails.

    Copy.ai Free ToolsFree standalone consumer AI writing utilities

    data: Lighter consumer-facing generators; same Privacy Notice/ToS apply. No separate compliance scope published.

    Marketed separately under 'Free Tools'; useful for low-risk individual use vs the governed enterprise platform.

    // What to watch

    • Penetration testing not publicly confirmed (only vulnerability monitoring/self-assessments disclosed).
    • No public bug-bounty program (HackerOne/Bugcrowd) found.
    • DPA availability not stated in public Privacy Notice/ToS; likely available on request via legal@copy.ai but unverified.
    • Generation relies on third-party LLM subprocessors (Anthropic, OpenAI); enterprise buyers should also review those providers' data-use terms. ToS assigns ownership of Generated Content to the LLM licensor.
    • Data is transferred to multiple jurisdictions (incl. Brazil, Philippines, Costa Rica, Canada) which may matter for strict data-residency requirements.

    // At a glance

    Pricing model

    Subscription SaaS (Free tier + paid plans; enterprise/demo-led for the GTM platform). Subscription-based, not data-monetized.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on CopyAI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.copy.ai

    > Browse all vendor trust reports