// Trust & Security Report
Grain Intelligence Inc.
AI meeting notetaker and transcript enrichment platform for teams
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on grain.com“Grain is SOC 2 Type II certified. SOC 2 Type II audit ensures that we conform to the American Institute of Certified Public Accountants (AICPA) SOC 2 standard. We have received a clean Type II report implying that our customers' meeting data is properly managed, protected, and secured.”
Verify on grain.com“SOC 2 audited GDPR compliant [homepage trust badges, shown together under 'Top teams use Grain to power their AI']”
> Show 9 unconfirmed / not-held certifications
source: grain.comNo public evidence of Grain holding ISO 27001. The security page notes that AWS (Grain's cloud host) provides ISO 27001 assurance ('Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1-3, and ISO 27001'), but this is the host's certification, not Grain's.
source: support.grain.comA support article states 'Grain complies with industry regulations and standards, such as GDPR, HIPAA, and SOC 2, where applicable' but no BAA, HIPAA-specific controls, or explicit HIPAA compliance documentation was found. The qualifier 'where applicable' is a material hedge. No mention of HIPAA on grain.com/security or trust.grain.com resources list.
source: grain.comNo public evidence found on any grain.com domain page.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
USA only (Amazon Web Services facilities)
Grain explicitly states 'Neither Grain nor its subprocessors use your data for model training.' OpenAI (a named subprocessor) does not train on API data per their API policy ('OpenAI does not use data submitted to and generated by our API to train OpenAI models or improve OpenAI service offering'). However, AI features cannot currently be disabled in Grain. OpenAI retains API data for up to 30 days for abuse monitoring before permanent deletion. The opt-out applies at an API level via OpenAI policy, not as a per-user toggle in Grain.
// Security controls
Encryption in transit
SSL/TLS enforced on all connections; A+ grade on Qualys/SSL Labs; HTTP automatically redirected to HTTPS
grain.comEncryption at rest
All customer data including call recordings and transcripts encrypted at rest on AWS (PostgreSQL on EBS, object storage on S3)
grain.comInfrastructure
100% of primary application servers in Grain's own AWS Virtual Private Cloud (VPC) in the USA, protected by restricted security groups; deployments managed via Terraform with pre-deployment review
grain.comPenetration testing
Annual third-party penetration testing; results document available via trust center request
trust.grain.comAccess controls
Unique production database authentication enforced; encryption key access restricted; unique account authentication enforced; only engineers with operational need have production access
trust.grain.comAuthentication options
Google, Microsoft, or SSO supported across tiers; SAML available for Enterprise customers
grain.comApplication security
Built with Elixir/Erlang and Phoenix framework following OWASP guidelines; mandatory code reviews for all changes; security review for new features
grain.comCybersecurity insurance
Cybersecurity insurance maintained (listed as a security control in trust center)
trust.grain.comDisaster recovery
Continuity and Disaster Recovery plans established and tested (listed as trust center controls)
trust.grain.comData deletion
Users can delete individual meetings, entire sets of recordings, or workspace data from within Grain; customer data deleted upon leaving per trust center controls
trust.grain.com// Products & data scope
data: Up to 20 meetings; audio/video transcription and AI summaries stored on Grain servers
Free forever; same SOC 2 and data protection baseline as paid tiers; no SAML SSO
data: Unlimited meetings; full transcription, CRM sync (HubSpot/Salesforce), team sharing
$19/seat/month (monthly billing); team performance insights; standard authentication only
data: Unlimited meetings; AI coaching, custom AI follow-up emails, team interaction insights
Pricing not publicly listed; advanced AI analytics; no SAML SSO confirmed at this tier
data: Unlimited meetings; full feature set with enterprise security
SAML SSO; custom pricing; all seats must be on Enterprise plan; DPA likely available on request but not published; contact sales
// What to watch
- HIPAA claim qualified as 'where applicable' in a support article with no BAA evidence; do not treat as HIPAA-compliant without requesting a BAA directly from Grain.
- No public DPA found despite GDPR compliance claim; EU-based teams must request DPA before deploying and should clarify the GDPR data transfer mechanism (SCCs) used for US-hosted data.
- Data stored in USA only; no EU data residency option, which creates GDPR Chapter V transfer risk without confirmed SCCs.
- AI features cannot currently be disabled per Grain support docs, limiting granular user control over AI subprocessor data flows.
- OpenAI retains API data for up to 30 days for abuse monitoring before deletion; users should be aware their meeting content transits OpenAI infrastructure.
- Trust center is powered by Vanta and is JavaScript-rendered; controls and subprocessor pages were inaccessible to automated fetching; some secondary details could not be fully independently verified.
- ISO 27001 referenced on grain.com/security belongs to AWS (the cloud host), not Grain itself; do not credit Grain with ISO 27001.
- No tier-specific data isolation confirmed; Enterprise tier adds SAML SSO but no documented data segregation beyond account-level access controls.
// At a glance
Pricing model
Freemium with per-seat monthly or annual subscriptions; free plan available with 20 meeting cap
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Grain Intelligence Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.grain.com