// Trust & Security Report

    Hedra Inc. logo

    Hedra Inc.

    AI video, image, and audio generation platform with proprietary Character-3 and Infinite Canvas models. Core product is web-based creative studio with agent-assisted content creation. 125k+ businesses using the platform.

    Certifications held

    1

    Maturity

    Startup

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Posture
    HELD

    Privacy policy states: 'Hedra is the controller in respect of the processing of your personal information covered by its Privacy Policy for purposes of the GDPR.' Privacy policy includes GDPR-specific provisions and data transfer disclosures.

    Verify on hedra.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence of SOC 2 Type 1 certification found on vendor website or public sources.

    source: hedra.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 Type 2 certification found on vendor website or public sources.

    source: hedra.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on vendor website or public sources.

    source: hedra.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on vendor website or public sources.

    source: hedra.com
    ISO 42001
    NOT CONFIRMED

    No public evidence of ISO 42001 (AI governance) certification found on vendor website or public sources.

    source: hedra.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance found. Privacy policy does not mention HIPAA.

    source: hedra.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor website or public sources.

    source: hedra.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification found on vendor website or public sources.

    source: hedra.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States (with possible third-party transfers)

    Privacy policy explicitly permits creating 'aggregated, de-identified and/or anonymized data' and sharing with third parties to train AI models and for machine learning purposes. API Terms state: 'Hedra is entitled to use Customer Content to provide and improve the Solution, including improving and training any algorithmic models underpinning the Solution, and to share the Customer Content with AI Services as necessary to provide the Solution.' No clear opt-out mechanism for AI training is documented; only de-identification/anonymization is mentioned.

    // Security controls

    Encryption in Transit

    Not explicitly documented in public-facing policies

    hedra.com

    Encryption at Rest

    Not explicitly documented in public-facing policies

    hedra.com

    General Security Safeguards

    Privacy policy states: 'We employ technical, organizational and physical safeguards.' However, also explicitly disclaims: 'we cannot guarantee the security of your personal information.'

    hedra.com

    Data Retention

    Vague policy: 'We retain personal information to fulfill the purposes for which we collected it.' Biometric data retention: maximum 3 years following last interaction.

    hedra.com

    International Data Transfers

    Privacy policy acknowledges: 'Personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those under which you provided the personal information.'

    hedra.com

    // Products & data scope

    Hedra Studio (Free & Paid Tiers)AI Video/Image/Audio Generation

    data: User-uploaded content (images, video, audio), profile data, usage data; de-identified/anonymized for model training

    Web-based platform. Proprietary Character-3 model plus integrations with other leading AI models. 125k+ businesses using platform.

    Hedra APIAPI for Generative AI

    data: Customer Content as defined in API Terms; Hedra explicitly reserves rights to use for model improvement and training

    API Terms (https://www.hedra.com/api-terms) grant Hedra perpetual rights to use Customer Content for training and improvement, with data sharing to third-party AI Services.

    // What to watch

    • OVER-CLAIM RISK: Marketing materials reference 'responsible AI' and 'transparency, consent, and quality as foundations of trust,' but privacy policy permits broad AI training on customer data with only de-identification/anonymization, not explicit customer opt-out. The responsible AI framing may overstate actual compliance rigor.
    • AI TRAINING POSTURE: Broad grants of perpetual, irrevocable rights to user content for model training (both for platform users and API customers). For API customers specifically, Hedra reserves rights to share Customer Content with third-party AI Services for training purposes.
    • DATA TRANSFER RISK: Privacy policy explicitly acknowledges data may be transferred to US and other jurisdictions with lower privacy protections. No DPA template or specific data residency guarantees published.
    • STARTUP MATURITY: 35 employees, founded 2023-2024, Series A in May 2025. No enterprise-grade compliance certifications (SOC 2, ISO 27001). Liability capped at 3 months fees/$100/statutory minimum. Services offered AS-IS with no warranties.
    • NO TRUST CENTER: Hedra does not maintain a dedicated trust center or security documentation page. Security/compliance info must be gathered from scattered policy pages.
    • BIOMETRIC DATA: Platform collects facial geometry and voice biometric data. While compliant with BIPA/CUBI/HB 1493, this is a material data type not covered by standard privacy frameworks.
    • SECURITY DISCLAIMER: Privacy policy explicitly states 'we cannot guarantee the security of your personal information.' This is an unusually strong disclaimer relative to claims of employing safeguards.
    • NO DPA TEMPLATE: While privacy policy mentions customer agreements may govern data use, no public DPA template is offered. Enterprise customers must negotiate custom agreements.

    // At a glance

    Pricing model

    Freemium (free tier + paid credits/subscription)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Hedra Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    hedra.com

    > Browse all vendor trust reports