// Trust & Security Report
Fathom Video Inc.
AI meeting notetaker: records, transcribes, and summarizes video meetings across Zoom, Google Meet, and Microsoft Teams
Certifications held
4
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on fathom.ai“HIPAA listed under Compliance; BAA available: 'If the Health Insurance Portability and Accountability Act ("HIPAA") applies to you, the Fathom Business Associate Agreement available at https://fathom.ai/baa is hereby incorporated by reference.'”
> Show 6 unconfirmed / not-held certifications
source: trust.fathom.videoNo public evidence on vendor's own domain (fathom.ai, fathom.video, trust.fathom.video). Trust center does not list ISO 27001; help article implies SOC 2 substitutes for ISO 27001. Note: fathomhq.com (a separate financial analytics company) holds ISO 27001 but is not this vendor.
source: trust.fathom.videoNo public evidence on vendor's own domain. PCI DSS is not listed on the trust center or any Fathom Video Inc. page.
source: trust.fathom.videoNo public evidence on vendor's own domain. FedRAMP is not mentioned on any Fathom Video Inc. page or trust center.
source: trust.fathom.videoNo public evidence on vendor's own domain. CSA STAR is not mentioned on any Fathom Video Inc. page or trust center.
source: trust.fathom.videoNo public evidence on vendor's own domain. None of these ISO standards are mentioned on the trust center or any Fathom Video Inc. page.
source: trust.fathom.videoNo public evidence on vendor's own domain. ISO 42001 is not mentioned on any Fathom Video Inc. page.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States only (Google Cloud Platform, USA). EU/UK transfers handled via Standard Contractual Clauses and EU-U.S. Data Privacy Framework. No EU or UK data residency option. Privacy policy states: 'Services are hosted in the United States and intended for visitors located within the United States.'
Third-party AI providers (OpenAI, Anthropic, Google, ElevenLabs) are contractually 'Forbidden from training AI on Fathom Customer Data' per the trust center subprocessor list. However, Fathom itself may by default use de-identified meeting content to train its own in-house AI models: 'Based on how you configure your account settings, we may use and create de-identified data generated from Meeting Content Information to improve our Services by training, improving, and customizing our in-house artificial intelligence models. You can opt out from this use of your data in your account settings.' Opt-out is account-level, not automatic. This is an opt-out (not opt-in) default, which is a flag for enterprise buyers.
// Security controls
Encryption at rest
Yes - DPA states data is encrypted 'at rest'; BAA requires 'maintain and transmit all PHI in encrypted manner'
fathom.aiEncryption key management
Trust center control: 'Encryption key access restricted'
trust.fathom.videoPenetration testing
Annual; Penetration Test Report and Vulnerability Scan Report available on request via trust center
trust.fathom.videoSecurity incident notification
72 hours after becoming aware of a security incident (DPA); HIPAA BAA requires notification 'without unreasonable delay and no later than five (5) days following discovery'
fathom.aiSubprocessor controls
All AI providers (Anthropic, OpenAI, ElevenLabs) contractually forbidden from training on Fathom customer data; 10 business day advance notice for subprocessor changes; 30-day objection window for customers
trust.fathom.videoCyber insurance
Maintained; 'Proof of Insurance - Commercial Liability' available in trust center
trust.fathom.videoAccess controls
Trust center lists: 'Unique account authentication enforced', 'Production application access restricted', 'Anti-malware technology utilized'
trust.fathom.videoData deletion on account termination
All recording and personal data removed on account deletion; backups cleared within 7 additional days per help center; DPA requires return or deletion at customer instruction
help.fathom.video// Products & data scope
data: Unlimited recordings, transcripts, AI summaries. Calendar, meeting content (audio, video, transcript), user data.
Permanently free for individuals. No SSO or SCIM. AI de-identified training opt-out applies here too. HIPAA BAA not available on this tier.
data: Same as Free, plus advanced AI summary templates and conversational meeting assistant.
$20/month or $16/month annually. No SSO. No HIPAA BAA.
data: Shared team recordings, global search across calls, team folders, keyword alerts. Calendar and meeting content data shared within workspace.
$19/user/month (min 2 users). Basic SSO included. No HIPAA BAA at this tier.
data: Team data plus CRM field sync (Salesforce, HubSpot), AI scorecards, coaching metrics.
$34/user/month (min 2 users). SSO included. No explicit HIPAA BAA noted at this tier.
data: All Business features plus organization-wide security controls, custom data retention, SCIM provisioning.
Custom pricing. HIPAA BAA available. SCIM provisioning. Custom data retention policies. Organization-wide security controls. Dedicated success manager.
// What to watch
- AI training opt-out required: Fathom trains its in-house AI models on de-identified meeting content by default; users must manually opt out in account settings. This is not an opt-in consent model.
- No ISO 27001 certification confirmed on vendor's own domain. Third-party aggregator (nudgesecurity.com) lists ISO 27001 but this is unverified and conflicts with the vendor's own trust center which does not list it. Do not list as ISO 27001 certified.
- HIPAA BAA is only explicitly available on the Enterprise plan (custom pricing); lower tiers are not covered. Buyers needing HIPAA coverage must negotiate Enterprise.
- All data is hosted in the United States (GCP); no EU or UK data residency option exists. EU/UK customers rely on SCCs and Data Privacy Framework for transfer compliance.
- FedRAMP not listed on vendor's own domain; third-party aggregator claims unverified.
- CSA STAR not listed on vendor's own domain; third-party aggregator claims unverified.
- SSO available from Team tier; SCIM only on Enterprise. Free and Premium plans lack enterprise identity controls.
- Fathom HQ (fathomhq.com) is a separate company with ISO 27001 - do not conflate with Fathom Video Inc. (fathom.ai).
// At a glance
Pricing model
Freemium: free forever for individuals; team/enterprise plans from $15-34/user/month; enterprise custom pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Fathom Video Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.fathom.video