// Trust & Security Report
Hedra Inc.
AI video, image, and audio generation platform with proprietary Character-3 and Infinite Canvas models. Core product is web-based creative studio with agent-assisted content creation. 125k+ businesses using the platform.
Certifications held
1
Maturity
Startup
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on hedra.com“Privacy policy states: 'Hedra is the controller in respect of the processing of your personal information covered by its Privacy Policy for purposes of the GDPR.' Privacy policy includes GDPR-specific provisions and data transfer disclosures.”
> Show 8 unconfirmed / not-held certifications
source: hedra.comNo public evidence of SOC 2 Type 1 certification found on vendor website or public sources.
source: hedra.comNo public evidence of SOC 2 Type 2 certification found on vendor website or public sources.
source: hedra.comNo public evidence of ISO 27001 certification found on vendor website or public sources.
source: hedra.comNo public evidence of ISO 27018 certification found on vendor website or public sources.
source: hedra.comNo public evidence of ISO 42001 (AI governance) certification found on vendor website or public sources.
source: hedra.comNo public evidence of HIPAA compliance found. Privacy policy does not mention HIPAA.
source: hedra.comNo public evidence of PCI DSS certification found on vendor website or public sources.
source: hedra.comNo public evidence of FedRAMP certification found on vendor website or public sources.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States (with possible third-party transfers)
Privacy policy explicitly permits creating 'aggregated, de-identified and/or anonymized data' and sharing with third parties to train AI models and for machine learning purposes. API Terms state: 'Hedra is entitled to use Customer Content to provide and improve the Solution, including improving and training any algorithmic models underpinning the Solution, and to share the Customer Content with AI Services as necessary to provide the Solution.' No clear opt-out mechanism for AI training is documented; only de-identification/anonymization is mentioned.
// Security controls
General Security Safeguards
Privacy policy states: 'We employ technical, organizational and physical safeguards.' However, also explicitly disclaims: 'we cannot guarantee the security of your personal information.'
hedra.comData Retention
Vague policy: 'We retain personal information to fulfill the purposes for which we collected it.' Biometric data retention: maximum 3 years following last interaction.
hedra.comInternational Data Transfers
Privacy policy acknowledges: 'Personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those under which you provided the personal information.'
hedra.com// Products & data scope
data: User-uploaded content (images, video, audio), profile data, usage data; de-identified/anonymized for model training
Web-based platform. Proprietary Character-3 model plus integrations with other leading AI models. 125k+ businesses using platform.
data: Customer Content as defined in API Terms; Hedra explicitly reserves rights to use for model improvement and training
API Terms (https://www.hedra.com/api-terms) grant Hedra perpetual rights to use Customer Content for training and improvement, with data sharing to third-party AI Services.
// What to watch
- OVER-CLAIM RISK: Marketing materials reference 'responsible AI' and 'transparency, consent, and quality as foundations of trust,' but privacy policy permits broad AI training on customer data with only de-identification/anonymization, not explicit customer opt-out. The responsible AI framing may overstate actual compliance rigor.
- AI TRAINING POSTURE: Broad grants of perpetual, irrevocable rights to user content for model training (both for platform users and API customers). For API customers specifically, Hedra reserves rights to share Customer Content with third-party AI Services for training purposes.
- DATA TRANSFER RISK: Privacy policy explicitly acknowledges data may be transferred to US and other jurisdictions with lower privacy protections. No DPA template or specific data residency guarantees published.
- STARTUP MATURITY: 35 employees, founded 2023-2024, Series A in May 2025. No enterprise-grade compliance certifications (SOC 2, ISO 27001). Liability capped at 3 months fees/$100/statutory minimum. Services offered AS-IS with no warranties.
- NO TRUST CENTER: Hedra does not maintain a dedicated trust center or security documentation page. Security/compliance info must be gathered from scattered policy pages.
- BIOMETRIC DATA: Platform collects facial geometry and voice biometric data. While compliant with BIPA/CUBI/HB 1493, this is a material data type not covered by standard privacy frameworks.
- SECURITY DISCLAIMER: Privacy policy explicitly states 'we cannot guarantee the security of your personal information.' This is an unusually strong disclaimer relative to claims of employing safeguards.
- NO DPA TEMPLATE: While privacy policy mentions customer agreements may govern data use, no public DPA template is offered. Enterprise customers must negotiate custom agreements.
// At a glance
Pricing model
Freemium (free tier + paid credits/subscription)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Hedra Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
hedra.com