// Trust & Security Report
GPTZero (acquired by Superhuman, Inc. in June 2026)
AI content detection and writing verification platform with AI detection, hallucination detection, plagiarism checking, grammar checking, and writing replay features for education, hiring, publishing, and legal sectors
Certifications held
5
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on gptzero.me“We are very proud to share that we are SOC 2 Type II compliant.”
Verify on gptzero.me“We have designed our systems to be in compliance with the General Data Protection Regulation (GDPR).”
Verify on gptzero.me“By being fully compliant with these standards we have further been able to allow full for users to access and delete their information at will.”
Verify on gptzero.me“We comply with the requirements of the Family Education Rights and Privacy Act ("FERPA") because we currently do NOT store student "educational records," and only receive the minimally required information from teachers (e.g. document uploads) needed to perform services.”
Verify on gptzero.me“Under the Children's Online Privacy Protection Act ("COPPA"), consistent with the position of the Federal Trade Commission (FTC), we rely on our education institution customers to obtain the necessary parental consents prior to collecting only the minimally required personal information from students under age 13.”
> Show 5 unconfirmed / not-held certifications
source: gptzero.meNo public evidence found on vendor domain; third-party sources (Nudge Security) claim this cert but vendor's official privacy-and-security page does not list it
source: gptzero.meGPTZero Terms of Use explicitly states: 'The Site is not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.)' and 'if your interactions would be subjected to such laws, you may not use this Site.'
source: gptzero.meNo public evidence found on vendor domain; not mentioned in official privacy-and-security page or other compliance documentation
source: gptzero.meNo public evidence found on vendor domain; not mentioned in official privacy-and-security page
source: gptzero.meNo public evidence found on vendor domain; third-party sources claim CSA STAR Level 1 but vendor does not list this on official pages
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Not specified - GDPR compliant but no explicit data residency requirements stated; no information on which regions data is stored
Text and file contents submitted by API subscribers are not stored by default nor used for product improvement. Subscribers may voluntarily opt-in to storage solely for the purpose of viewing within the application. Dashboard submissions (gptzero.me or app.gptzero.me) are stored and used in aggregate for product improvement. No automatic training on customer data.
// Security controls
Encryption
Sensitive information is appropriately labeled, encrypted, and only retained as long as needed
gptzero.meVulnerability Management
Regular vulnerability scans and penetration testing performed; Responsible Disclosure Policy in place for security researchers
gptzero.meAccess Controls
Multi-factor authentication (MFA) enforced across all systems; strong access controls implemented
gptzero.meVendor Management
Vendors held to strict data protection standards; automated compliance monitoring via Drata
gptzero.meSecure Development
Secure Software Development Life Cycle (SDLC) ensures security is embedded from start of development
gptzero.meData Retention
Personal information retained no longer than 3 months past account termination; API data not stored by default
gptzero.meAccessibility
Completed VPAT (Voluntary Product Accessibility Template) assessment; follows WCAG and Section 508 standards
gptzero.me// Products & data scope
data: Text and document analysis; can detect AI from ChatGPT, GPT-4, Gemini, Claude, Llama, Deepseek and other LLMs
Core product; detects AI-generated content with 99% accuracy; supports multiple languages (English, German, Portuguese, French, Spanish)
data: Enhanced detection with detailed sentence-level analysis and color-coded highlights
Premium feature; best-in-class accuracy; de-biased for ESL (English Second Language) learners
data: Video proof of writing process; captures copy-pastes and unnatural typing patterns
Helps verify authentic human authorship; works in Google Docs
data: Identifies false or inaccurate claims in AI-generated content
Detects factual errors and hallucinations in AI outputs
data: Checks if content was copied from outside sources without attribution
Available as standalone product and integrated feature
data: Identifies and suggests corrections for grammar errors
Free online grammar checking tool
data: AI-powered feedback on writing quality with custom suggestions
Helps build responsible writing habits with personalized guidance
data: Verifies that content is genuinely written by the claimed author
Used in legal, hiring, and publishing contexts
data: Analyzes images for AI-generated content
Extends detection capabilities beyond text
// What to watch
- HIPAA OVER-CLAIM: Third-party security profiles (e.g., Nudge Security) claim HIPAA compliance, but GPTZero's own Terms of Use explicitly state 'not tailored to comply with HIPAA' and prohibit HIPAA-regulated users from using the service. This is a critical discrepancy.
- ISO 27001 NOT CONFIRMED: While some third-party sources claim ISO 27001 certification, it is not mentioned on GPTZero's official privacy-and-security page. Vendor claims SOC 2 Type II instead.
- ACQUIRED JUNE 2026: GPTZero was acquired by Superhuman in June 2026; future compliance posture may change under new ownership. Current assessment reflects pre-acquisition compliance claims.
- NO DATA RESIDENCY SPECS: While GDPR compliant, vendor does not specify which geographic regions store customer data or offer EU/US data residency options.
- EXPLICITLY NOT HIPAA-SUITABLE: Per ToU, any organization subject to HIPAA must not use GPTZero. Clear prohibition in terms should be highlighted to healthcare/regulated entities.
// At a glance
Pricing model
Freemium with paid tiers: Premium (€9.99/month, 300K words/month) and Professional (€19.99/month, 500K words/month), billed annually; Enterprise grade security available
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on GPTZero (acquired by Superhuman, Inc. in June 2026)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
gptzero.me