// Trust & Security Report
D-ID (De-Identification Ltd.)
AI generative video and interactive digital-human / avatar platform (Studio app, API, real-time Visual AI Agents)
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on d-id.com“ISO/IEC 27001:2022: A testament to our robust information security management.”
Verify on d-id.com“ISO/IEC 27017:2015: Sets the benchmark for best practices in cloud security.”
Verify on d-id.com“ISO/IEC 27018:2019: Ensures the protection of personally identifiable information (PII) in cloud environments and compliance with data protection laws like the GDPR.”
Verify on d-id.com“ISO/IEC 42001:2023: An international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.”
Verify on d-id.com“ISO/IEC 27799: We fully comply with ISO 27799 Health Informatics - Information Security Management in Health using ISO/IEC 27002.”
Verify on d-id.com“SOC 2 Certification: This framework ensures that data stored, processed, and shared in the cloud is protected against unauthorized access and with verified uninterrupted continued service level.”
Verify on d-id.com“Information Security Star: The Standards Institution of Israel granted D-ID a three star ranking for its implementation and maintenance of its security management system.”
Verify on d-id.com“Not claimed on the trust center. D-ID asserts ISO 27799 health-informatics compliance but does not state HIPAA compliance or BAA availability on its own pages.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
AWS, Oregon, USA (primary storage for Software and Applicative Data). Sub-processors (Salesforce, HubSpot, Zendesk) are also US-based.
Privacy policy states uploaded user content is not used to train models: 'While in the storage, awaiting processing or deletion, the Applicative Data is not accessed for any purpose, including not accessed for model training.' Applicative data uploaded via API is auto-erased (24h via AWS settings; 72h for Agents; 14d for Insight Service) unless the user sets a persist flag; Studio data persists until user deletion.
// Security controls
Information security management
ISO 27001:2022 certified ISMS plus ISO 27017/27018 cloud + PII extensions and SOC 2
d-id.comAI governance
ISO 42001:2023 AI Management System certification (notable for a generative-AI vendor)
d-id.comGDPR transfer mechanism
Relies on EU Commission Adequacy Decisions (Art. 45 GDPR) and standard contractual clauses for international transfers
d-id.comData retention / deletion
Auto-deletion of API applicative data within 24h (default), 72h (Agents), 14d (Insight); no model training on stored content
d-id.comPenetration testing
not verified - not mentioned on D-ID's own trust center or privacy pages
d-id.comBug bounty program
not verified - no HackerOne/Bugcrowd or self-managed program found on vendor domain
d-id.comEncryption
not verified - no explicit encryption-at-rest/in-transit statement on the public trust center or privacy policy
d-id.com// Products & data scope
data: User-uploaded images, scripts, and media; stored until user deletion. Consumer/creator and team use.
Self-serve content creation from scripts, briefs, decks, or documents.
data: Applicative data auto-erased within 24h by default (72h Agents, 14d Insight) unless persist flag set; Oregon AWS region.
Most defined data-lifecycle controls; suited to integration into customer apps.
data: Real-time conversational interactions; Agents data retained up to 72h. Built for product-grade scale.
Newest line; conversational/streaming, so consider live-conversation data handling for enterprise deals.
data: Same platform data scope as Studio/API depending on entry point.
Multilingual (120+ languages) avatar and translation features.
// What to watch
- SOC 2 is asserted on the trust center but the report type (Type I vs Type II) and observation period are not stated publicly; report likely available under NDA.
- DPA not explicitly published; likely available to enterprise customers on request but not confirmed on-domain.
- No public mention of penetration testing, bug bounty, or specific encryption standards despite strong certification posture.
- Health-data positioning via ISO 27799 but no explicit HIPAA/BAA claim - confirm before any PHI use case.
- Data residency is US-only; EU customers should confirm transfer safeguards (SCCs/adequacy cited in policy).
// At a glance
Pricing model
Freemium / subscription tiers (free trial, paid Studio plans) plus usage-based API and enterprise/custom contracts
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on D-ID (De-Identification Ltd.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
d-id.com