// Trust & Security Report

    Grain Intelligence Inc. logo

    Grain Intelligence Inc.

    AI meeting notetaker and transcript enrichment platform for teams

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Grain is SOC 2 Type II certified. SOC 2 Type II audit ensures that we conform to the American Institute of Certified Public Accountants (AICPA) SOC 2 standard. We have received a clean Type II report implying that our customers' meeting data is properly managed, protected, and secured.

    Verify on grain.com
    GDPR
    HELD

    SOC 2 audited GDPR compliant [homepage trust badges, shown together under 'Top teams use Grain to power their AI']

    Verify on grain.com
    > Show 9 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of Grain holding ISO 27001. The security page notes that AWS (Grain's cloud host) provides ISO 27001 assurance ('Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1-3, and ISO 27001'), but this is the host's certification, not Grain's.

    source: grain.com
    HIPAA
    NOT CONFIRMED

    A support article states 'Grain complies with industry regulations and standards, such as GDPR, HIPAA, and SOC 2, where applicable' but no BAA, HIPAA-specific controls, or explicit HIPAA compliance documentation was found. The qualifier 'where applicable' is a material hedge. No mention of HIPAA on grain.com/security or trust.grain.com resources list.

    source: support.grain.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found on any grain.com domain page.

    source: grain.com
    ISO 27017
    NOT CONFIRMED

    No public evidence found on any grain.com domain page.

    source: grain.com
    ISO 27018
    NOT CONFIRMED

    No public evidence found on any grain.com domain page.

    source: grain.com
    ISO 27701
    NOT CONFIRMED

    No public evidence found on any grain.com domain page.

    source: grain.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence found on any grain.com domain page.

    source: grain.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any grain.com domain page.

    source: grain.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on any grain.com domain page.

    source: grain.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    USA only (Amazon Web Services facilities)

    Grain explicitly states 'Neither Grain nor its subprocessors use your data for model training.' OpenAI (a named subprocessor) does not train on API data per their API policy ('OpenAI does not use data submitted to and generated by our API to train OpenAI models or improve OpenAI service offering'). However, AI features cannot currently be disabled in Grain. OpenAI retains API data for up to 30 days for abuse monitoring before permanent deletion. The opt-out applies at an API level via OpenAI policy, not as a per-user toggle in Grain.

    // Security controls

    Encryption in transit

    SSL/TLS enforced on all connections; A+ grade on Qualys/SSL Labs; HTTP automatically redirected to HTTPS

    grain.com

    Encryption at rest

    All customer data including call recordings and transcripts encrypted at rest on AWS (PostgreSQL on EBS, object storage on S3)

    grain.com

    Infrastructure

    100% of primary application servers in Grain's own AWS Virtual Private Cloud (VPC) in the USA, protected by restricted security groups; deployments managed via Terraform with pre-deployment review

    grain.com

    Penetration testing

    Annual third-party penetration testing; results document available via trust center request

    trust.grain.com

    Access controls

    Unique production database authentication enforced; encryption key access restricted; unique account authentication enforced; only engineers with operational need have production access

    trust.grain.com

    Authentication options

    Google, Microsoft, or SSO supported across tiers; SAML available for Enterprise customers

    grain.com

    Application security

    Built with Elixir/Erlang and Phoenix framework following OWASP guidelines; mandatory code reviews for all changes; security review for new features

    grain.com

    Cybersecurity insurance

    Cybersecurity insurance maintained (listed as a security control in trust center)

    trust.grain.com

    Disaster recovery

    Continuity and Disaster Recovery plans established and tested (listed as trust center controls)

    trust.grain.com

    Data deletion

    Users can delete individual meetings, entire sets of recordings, or workspace data from within Grain; customer data deleted upon leaving per trust center controls

    trust.grain.com

    // Products & data scope

    FreeAI meeting notetaker

    data: Up to 20 meetings; audio/video transcription and AI summaries stored on Grain servers

    Free forever; same SOC 2 and data protection baseline as paid tiers; no SAML SSO

    StarterAI meeting notetaker

    data: Unlimited meetings; full transcription, CRM sync (HubSpot/Salesforce), team sharing

    $19/seat/month (monthly billing); team performance insights; standard authentication only

    BusinessAI meeting notetaker and AI coaching

    data: Unlimited meetings; AI coaching, custom AI follow-up emails, team interaction insights

    Pricing not publicly listed; advanced AI analytics; no SAML SSO confirmed at this tier

    EnterpriseAI meeting notetaker with enterprise security controls

    data: Unlimited meetings; full feature set with enterprise security

    SAML SSO; custom pricing; all seats must be on Enterprise plan; DPA likely available on request but not published; contact sales

    // What to watch

    • HIPAA claim qualified as 'where applicable' in a support article with no BAA evidence; do not treat as HIPAA-compliant without requesting a BAA directly from Grain.
    • No public DPA found despite GDPR compliance claim; EU-based teams must request DPA before deploying and should clarify the GDPR data transfer mechanism (SCCs) used for US-hosted data.
    • Data stored in USA only; no EU data residency option, which creates GDPR Chapter V transfer risk without confirmed SCCs.
    • AI features cannot currently be disabled per Grain support docs, limiting granular user control over AI subprocessor data flows.
    • OpenAI retains API data for up to 30 days for abuse monitoring before deletion; users should be aware their meeting content transits OpenAI infrastructure.
    • Trust center is powered by Vanta and is JavaScript-rendered; controls and subprocessor pages were inaccessible to automated fetching; some secondary details could not be fully independently verified.
    • ISO 27001 referenced on grain.com/security belongs to AWS (the cloud host), not Grain itself; do not credit Grain with ISO 27001.
    • No tier-specific data isolation confirmed; Enterprise tier adds SAML SSO but no documented data segregation beyond account-level access controls.

    // At a glance

    Pricing model

    Freemium with per-seat monthly or annual subscriptions; free plan available with 20 meeting cap

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Grain Intelligence Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.grain.com

    > Browse all vendor trust reports