// Trust & Security Report

    DoNotPay, Inc. logo

    DoNotPay, Inc.

    AI-powered consumer rights platform with 100+ tools for dispute resolution, bill negotiation, hidden money discovery, privacy protection, and bureaucratic navigation. Includes virtual trial cards, spam filtering, robocall compensation, subscription management, and government services assistance.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1 or Type 2)
    NOT CONFIRMED

    No public evidence of SOC 2 certification found on donotpay.com or associated security/trust documentation.

    source: donotpay.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on donotpay.com or privacy/security pages.

    source: donotpay.com
    GDPR Compliance
    NOT CONFIRMED

    Privacy policy states general compliance with 'applicable law' but does not reference specific GDPR certification, data processing agreements, or GDPR-specific controls.

    source: donotpay.com
    HIPAA
    NOT CONFIRMED

    No evidence found; product is consumer-focused (non-healthcare), not healthcare-specific.

    source: donotpay.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found.

    source: donotpay.com
    ISO 27018 (Personal Data Protection)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found.

    source: donotpay.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance documentation, despite handling payment card information for virtual cards and transactions.

    source: donotpay.com
    ISO 27701 (Privacy Information Management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found.

    source: donotpay.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States (San Francisco-based; no multi-region or data residency options mentioned)

    No public documentation found regarding whether DoNotPay trains AI models on customer data or offers data opt-outs. Privacy policy does not address AI model training practices. Given FTC settlement (Jan 2025) citing chatbot not properly trained, transparency on this is recommended.

    // Security controls

    Encryption in Transit

    Not explicitly detailed. Privacy policy states general 'reasonable measures' but does not specify TLS/SSL version, cipher suites, or encryption protocols.

    donotpay.com

    Encryption at Rest

    Not documented. No mention in privacy policy or security resources.

    donotpay.com

    Account Security

    User responsible for account security; users must notify DoNotPay of unauthorized access. No mention of 2FA, biometric auth, or other advanced controls.

    donotpay.com

    Data Breach Notification

    No specific breach notification timeline or procedures documented in public privacy policy or terms.

    donotpay.com

    Vendor/Third-Party Management

    Privacy policy mentions sharing with 'service providers' with restrictions on their use of data, but no detail on vendor risk assessment or security requirements.

    donotpay.com

    Access Controls & Identity Verification

    Company reserves right to verify identity via credit reports or third-party databases, but no documentation of role-based access controls, least-privilege policies, or audit logging.

    donotpay.com

    // Products & data scope

    Free Trial Card (Virtual Credit Card)Payment Protection

    data: Payment card data, merchant information, transaction history

    Secure virtual card for protecting privacy during free trials; prevents unwanted charges. Handles payment card data but no PCI compliance documentation found.

    Bill Negotiation ChatbotAI Consumer Rights

    data: Account credentials (email, phone), service provider information, financial details

    Uses AI/ChatGPT to negotiate bills automatically. FTC settlement (Jan 2025) found this product made deceptive claims about effectiveness; now restricted in marketing.

    Robocall Compensation & FightingPrivacy & Anti-Spam

    data: Phone number, call logs, carrier information

    Helps file claims against robocallers and TCPA violations. Data shared with claims processors and legal entities.

    Subscription CancellationPayment Protection

    data: Email, linked accounts (merchants, payment providers), subscription details

    Automates cancellation of unwanted subscriptions. Requires broad access to email and linked accounts.

    Unclaimed Money FinderFinancial Discovery

    data: Name, address, SSN (potentially), financial history

    Searches for unclaimed funds, tax refunds, scholarships. Requires significant PII to function.

    DMV & Government ServicesBureaucracy Navigation

    data: Government ID, license info, appointment preferences, FOIA requests

    Assists with DMV appointments, government document requests, and FOIA. Integrates with government databases.

    Dispute Resolution (Chargebacks, Refunds, Parking Tickets)Consumer Rights

    data: Transaction data, ticket/citation details, evidence documents, customer communications

    Core product; helps dispute unauthorized charges and file complaints. Stores sensitive transaction and legal documents.

    // What to watch

    • CRITICAL: FTC Enforcement Action (Jan 2025) - DoNotPay made deceptive 'AI lawyer' claims; ordered to pay $193,000 and notify affected customers. Product was found 'not trained or tested properly' by FTC. This raises questions about internal product quality practices and AI governance.
    • No public trust center or security certifications (SOC 2, ISO 27001, GDPR, PCI DSS, etc.) despite handling sensitive financial and personal data.
    • Privacy policy vague on security standards: uses 'reasonable measures' language without specifying encryption, key rotation, or incident response.
    • Handles payment card data but no PCI DSS compliance documentation; no virtual card security certification visible.
    • Privacy policy does NOT address AI training on customer data; unclear if customer conversations/data are used to improve models or sold for model training.
    • Broad liability limitations in ToS (as-is service, no warranties); no explicit data breach notification timeline.
    • Terms require users to authorize access to bank accounts and email; risks from compromised authorization if security controls weak.
    • No documented secure data deletion, data retention limits, or GDPR/CCPA right-to-deletion procedures.
    • Shares data with third-party service providers but no public vendor security requirements or sub-processor list.
    • Recent regulatory action by FTC suggests rapid product expansion without adequate legal/compliance review.

    // At a glance

    Pricing model

    Freemium subscription (free features + premium plans with flat or per-use pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on DoNotPay, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    donotpay.com

    > Browse all vendor trust reports