// Trust & Security Report
DoNotPay, Inc.
AI-powered consumer rights platform with 100+ tools for dispute resolution, bill negotiation, hidden money discovery, privacy protection, and bureaucratic navigation. Includes virtual trial cards, spam filtering, robocall compensation, subscription management, and government services assistance.
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: donotpay.comNo public evidence of SOC 2 certification found on donotpay.com or associated security/trust documentation.
source: donotpay.comNo public evidence of ISO 27001 certification found on donotpay.com or privacy/security pages.
source: donotpay.comPrivacy policy states general compliance with 'applicable law' but does not reference specific GDPR certification, data processing agreements, or GDPR-specific controls.
source: donotpay.comNo evidence found; product is consumer-focused (non-healthcare), not healthcare-specific.
source: donotpay.comNo public evidence of ISO 27017 certification found.
source: donotpay.comNo public evidence of ISO 27018 certification found.
source: donotpay.comNo public evidence of PCI DSS compliance documentation, despite handling payment card information for virtual cards and transactions.
source: donotpay.comNo public evidence of ISO 27701 certification found.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States (San Francisco-based; no multi-region or data residency options mentioned)
No public documentation found regarding whether DoNotPay trains AI models on customer data or offers data opt-outs. Privacy policy does not address AI model training practices. Given FTC settlement (Jan 2025) citing chatbot not properly trained, transparency on this is recommended.
// Security controls
Encryption in Transit
Not explicitly detailed. Privacy policy states general 'reasonable measures' but does not specify TLS/SSL version, cipher suites, or encryption protocols.
donotpay.comAccount Security
User responsible for account security; users must notify DoNotPay of unauthorized access. No mention of 2FA, biometric auth, or other advanced controls.
donotpay.comData Breach Notification
No specific breach notification timeline or procedures documented in public privacy policy or terms.
donotpay.comVendor/Third-Party Management
Privacy policy mentions sharing with 'service providers' with restrictions on their use of data, but no detail on vendor risk assessment or security requirements.
donotpay.comAccess Controls & Identity Verification
Company reserves right to verify identity via credit reports or third-party databases, but no documentation of role-based access controls, least-privilege policies, or audit logging.
donotpay.com// Products & data scope
data: Payment card data, merchant information, transaction history
Secure virtual card for protecting privacy during free trials; prevents unwanted charges. Handles payment card data but no PCI compliance documentation found.
data: Account credentials (email, phone), service provider information, financial details
Uses AI/ChatGPT to negotiate bills automatically. FTC settlement (Jan 2025) found this product made deceptive claims about effectiveness; now restricted in marketing.
data: Phone number, call logs, carrier information
Helps file claims against robocallers and TCPA violations. Data shared with claims processors and legal entities.
data: Email, linked accounts (merchants, payment providers), subscription details
Automates cancellation of unwanted subscriptions. Requires broad access to email and linked accounts.
data: Name, address, SSN (potentially), financial history
Searches for unclaimed funds, tax refunds, scholarships. Requires significant PII to function.
data: Government ID, license info, appointment preferences, FOIA requests
Assists with DMV appointments, government document requests, and FOIA. Integrates with government databases.
data: Transaction data, ticket/citation details, evidence documents, customer communications
Core product; helps dispute unauthorized charges and file complaints. Stores sensitive transaction and legal documents.
// What to watch
- CRITICAL: FTC Enforcement Action (Jan 2025) - DoNotPay made deceptive 'AI lawyer' claims; ordered to pay $193,000 and notify affected customers. Product was found 'not trained or tested properly' by FTC. This raises questions about internal product quality practices and AI governance.
- No public trust center or security certifications (SOC 2, ISO 27001, GDPR, PCI DSS, etc.) despite handling sensitive financial and personal data.
- Privacy policy vague on security standards: uses 'reasonable measures' language without specifying encryption, key rotation, or incident response.
- Handles payment card data but no PCI DSS compliance documentation; no virtual card security certification visible.
- Privacy policy does NOT address AI training on customer data; unclear if customer conversations/data are used to improve models or sold for model training.
- Broad liability limitations in ToS (as-is service, no warranties); no explicit data breach notification timeline.
- Terms require users to authorize access to bank accounts and email; risks from compromised authorization if security controls weak.
- No documented secure data deletion, data retention limits, or GDPR/CCPA right-to-deletion procedures.
- Shares data with third-party service providers but no public vendor security requirements or sub-processor list.
- Recent regulatory action by FTC suggests rapid product expansion without adequate legal/compliance review.
// At a glance
Pricing model
Freemium subscription (free features + premium plans with flat or per-use pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on DoNotPay, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
donotpay.com