// Trust & Security Report
Elicit Research, PBC
AI research assistant for scientific literature search, data extraction, and systematic reviews
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.elicit.com“Elicit Research, PBC SOC 2 Type 2 Report 07152025.pdf [listed in Compliance > SOC 2 section of trust center; SOC 3 public report also listed; SOC 2 Bridge Letter 4-23-26 and Letter of Engagement 2026 present]”
Verify on trust.elicit.com“SOC 3 public report listed alongside the SOC 2 Type 2 report in the Compliance section of the Elicit Trust Center; SOC 3 is the publicly distributable, general-use version of Elicit's SOC 2 audit.”
Verify on elicit.com“Elicit will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement. SCCs incorporated for EU and UK transfers; governed by Irish law.”
> Show 7 unconfirmed / not-held certifications
source: trust.elicit.comNo public evidence on any elicit.com or trust.elicit.com page. Not listed in the trust center Compliance section. A third-party aggregator (Nudge Security) claims this cert but it does not appear in Elicit's own trust center, blog, or policy pages and cannot be verified.
source: trust.elicit.comNo public evidence on any elicit.com or trust.elicit.com page. Not listed in trust center Compliance section. Third-party aggregator claims it; unverifiable on vendor domain.
source: trust.elicit.comNo public evidence on any elicit.com or trust.elicit.com page. Not listed in trust center Compliance section.
source: trust.elicit.comNo public evidence on any elicit.com or trust.elicit.com page. Not listed in trust center Compliance section.
source: trust.elicit.comNo public evidence on any elicit.com or trust.elicit.com page. Not listed in trust center Compliance section.
source: trust.elicit.comNo public evidence on any elicit.com or trust.elicit.com page.
source: trust.elicit.comNo public evidence on any elicit.com or trust.elicit.com page.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (AWS). Privacy policy states 'Our servers are located in the United States.' SCCs and UK Addendum in place for EU and UK data transfers. No EU data residency option confirmed on any vendor page.
Training policy varies sharply by product tier. Enterprise tier: 'We do not train on Enterprise user data' and subprocessors (OpenAI, Anthropic) have zero-retention, no-training agreements. API tier: per API Terms, 'You grant Elicit a license to use your inputs solely to provide the API service...including but not limited to using your inputs to train AI models.' Free/Team platform: Team Terms state 'Platform and its underlying technology is improved and enhanced through the processing of Customer Materials' implying product improvement from customer data. Main platform ToS grants Elicit a broad perpetual, irrevocable, transferable license over user-submitted content. Non-enterprise procurement teams must confirm tier terms before assuming no-train.
// Security controls
Cloud infrastructure
Amazon Web Services (AWS); enterprise customers receive single-tenancy with dedicated, logically isolated AWS clusters; multi-zone replication; daily backups
elicit.comAuthentication and access
MFA enforced; SAML 2.0 SSO supported for enterprise; fine-grained content visibility controls (private, view-only, searchable, collaborative)
elicit.comInfrastructure security controls
Encryption key access restricted; production application access restricted; unique account authentication enforced (14 controls total per trust center)
trust.elicit.comOrganizational security controls
Employee background checks performed; anti-malware technology; asset disposal procedures; Code of Conduct (11 controls total per trust center)
trust.elicit.comBusiness continuity
Business Continuity and Disaster Recovery plans established and tested (listed as controls on trust center)
trust.elicit.comSubprocessors
Amazon Web Services (cloud, US), Anthropic (AI models, US), OpenAI (AI models, US), Customer.io (email, US)
trust.elicit.comHECVAT questionnaire
HECVAT document available on trust center (signals higher-education procurement readiness; not a certification)
trust.elicit.com// Products & data scope
data: User queries, uploaded documents, search history, telemetry
Broad perpetual irrevocable license over user content in main platform ToS. No explicit no-training guarantee at this tier. Shared infrastructure.
data: Shared research projects, uploaded documents, team usage telemetry
Team Terms state platform is improved through customer materials. DPA available. No explicit no-training guarantee. Independent DPA review recommended before handling sensitive data.
data: Isolated single-tenant AWS cluster; enterprise customer data fully redacted before AI provider calls
No training on enterprise user data; AI subprocessors have zero-retention and no-training agreements; SSO/SAML; dedicated infrastructure with complete tenant isolation. Strongest data protection posture.
data: API inputs (search queries, documents), outputs
API Terms explicitly grant Elicit license to use inputs to train AI models. Also prohibit API consumers from using outputs to train competing models.
// What to watch
- AI training bifurcation by tier: Enterprise is explicitly no-train; API explicitly allows Elicit to train on user inputs; Free and Team tiers have broad license language without explicit no-train guarantees. Procurement must confirm tier before assuming no-train.
- Team-Terms language ('Platform and its underlying technology is improved and enhanced through the processing of Customer Materials') could imply product improvement including model training from non-enterprise customer data.
- Main platform ToS grants Elicit a 'perpetual, irrevocable, transferable' license over user-submitted content - unusual breadth for a scientific research tool used with proprietary literature.
- Third-party aggregator Nudge Security claims ISO 27001, HIPAA, FedRAMP, CSA STAR, and PCI DSS for Elicit. None of these appear in Elicit's own trust center, blog, or policy pages. These claims are unverified and should not be relied upon for procurement decisions.
- Cyber Essentials (UK government baseline scheme) is held and confirmed on trust center but is significantly lighter in scope and rigor than ISO 27001.
- No EU data residency: all data resides in US-based AWS. EU and UK customers rely on SCCs as the legal transfer mechanism.
- All AI model subprocessors (Anthropic, OpenAI) are US-based. Enterprise agreements restrict their data retention and training; non-enterprise tiers have no documented equivalent restriction on subprocessor behavior.
- HECVAT questionnaire is available on the trust center, signaling higher-education procurement readiness, but is a self-assessment questionnaire not a third-party certification.
// At a glance
Pricing model
Freemium; paid Plus and Team tiers; Enterprise priced on contract; API priced separately per usage
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Elicit Research, PBC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.elicit.com