// Trust & Security Report

    D-ID (De-Identification Ltd.) logo

    D-ID (De-Identification Ltd.)

    AI generative video and interactive digital-human / avatar platform (Studio app, API, real-time Visual AI Agents)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022: A testament to our robust information security management.

    Verify on d-id.com
    ISO/IEC 27017:2015 (Cloud security)
    HELD

    ISO/IEC 27017:2015: Sets the benchmark for best practices in cloud security.

    Verify on d-id.com
    ISO/IEC 27018:2019 (PII in cloud)
    HELD

    ISO/IEC 27018:2019: Ensures the protection of personally identifiable information (PII) in cloud environments and compliance with data protection laws like the GDPR.

    Verify on d-id.com
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    ISO/IEC 42001:2023: An international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.

    Verify on d-id.com
    ISO 27799 (Health Informatics)
    HELD

    ISO/IEC 27799: We fully comply with ISO 27799 Health Informatics - Information Security Management in Health using ISO/IEC 27002.

    Verify on d-id.com
    SOC 2
    HELD

    SOC 2 Certification: This framework ensures that data stored, processed, and shared in the cloud is protected against unauthorized access and with verified uninterrupted continued service level.

    Verify on d-id.com
    Information Security Star (Standards Institution of Israel, 3-star)
    HELD

    Information Security Star: The Standards Institution of Israel granted D-ID a three star ranking for its implementation and maintenance of its security management system.

    Verify on d-id.com
    HIPAA
    HELD

    Not claimed on the trust center. D-ID asserts ISO 27799 health-informatics compliance but does not state HIPAA compliance or BAA availability on its own pages.

    Verify on d-id.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    AWS, Oregon, USA (primary storage for Software and Applicative Data). Sub-processors (Salesforce, HubSpot, Zendesk) are also US-based.

    Privacy policy states uploaded user content is not used to train models: 'While in the storage, awaiting processing or deletion, the Applicative Data is not accessed for any purpose, including not accessed for model training.' Applicative data uploaded via API is auto-erased (24h via AWS settings; 72h for Agents; 14d for Insight Service) unless the user sets a persist flag; Studio data persists until user deletion.

    // Security controls

    Information security management

    ISO 27001:2022 certified ISMS plus ISO 27017/27018 cloud + PII extensions and SOC 2

    d-id.com

    AI governance

    ISO 42001:2023 AI Management System certification (notable for a generative-AI vendor)

    d-id.com

    GDPR transfer mechanism

    Relies on EU Commission Adequacy Decisions (Art. 45 GDPR) and standard contractual clauses for international transfers

    d-id.com

    Data retention / deletion

    Auto-deletion of API applicative data within 24h (default), 72h (Agents), 14d (Insight); no model training on stored content

    d-id.com

    Penetration testing

    not verified - not mentioned on D-ID's own trust center or privacy pages

    d-id.com

    Bug bounty program

    not verified - no HackerOne/Bugcrowd or self-managed program found on vendor domain

    d-id.com

    Encryption

    not verified - no explicit encryption-at-rest/in-transit statement on the public trust center or privacy policy

    d-id.com

    // Products & data scope

    Creative Reality Studio (Video Studio)Web app - avatar/talking-head video generation

    data: User-uploaded images, scripts, and media; stored until user deletion. Consumer/creator and team use.

    Self-serve content creation from scripts, briefs, decks, or documents.

    API for DevelopersDeveloper API - programmatic video and streaming animation

    data: Applicative data auto-erased within 24h by default (72h Agents, 14d Insight) unless persist flag set; Oregon AWS region.

    Most defined data-lifecycle controls; suited to integration into customer apps.

    Visual AI Agents / V4 Expressive Visual AgentsReal-time interactive digital-human agents

    data: Real-time conversational interactions; Agents data retained up to 72h. Built for product-grade scale.

    Newest line; conversational/streaming, so consider live-conversation data handling for enterprise deals.

    Video Translate / AI Avatars / Agentic VideosContent features within the platform

    data: Same platform data scope as Studio/API depending on entry point.

    Multilingual (120+ languages) avatar and translation features.

    // What to watch

    • SOC 2 is asserted on the trust center but the report type (Type I vs Type II) and observation period are not stated publicly; report likely available under NDA.
    • DPA not explicitly published; likely available to enterprise customers on request but not confirmed on-domain.
    • No public mention of penetration testing, bug bounty, or specific encryption standards despite strong certification posture.
    • Health-data positioning via ISO 27799 but no explicit HIPAA/BAA claim - confirm before any PHI use case.
    • Data residency is US-only; EU customers should confirm transfer safeguards (SCCs/adequacy cited in policy).

    // At a glance

    Pricing model

    Freemium / subscription tiers (free trial, paid Studio plans) plus usage-based API and enterprise/custom contracts

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on D-ID (De-Identification Ltd.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    d-id.com

    > Browse all vendor trust reports