// Trust & Security Report

    Tilda Technologies Inc. (DBA Humata) logo

    Tilda Technologies Inc. (DBA Humata)

    Humata AI — document/PDF question-answering assistant

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We are SOC-2 Type II compliant, underscoring our commitment to superior security practices and operational effectiveness.

    Verify on humata.ai
    SOC 2 Type II (corroboration)
    HELD

    Humata is SOC 2 Type II compliant, demonstrating our commitment to secure and reliable systems.

    Verify on humata.ai
    GDPR
    HELD

    Our privacy and security program is informed by industry standards like SOC 2, ISO 27001, and GDPR.

    Verify on humata.ai
    HIPAA
    HELD

    Compliance program lists HIPAA Privacy Policy, HIPAA Security Policy, HIPAA Privacy Procedure, and HIPAA Security Procedure, but no BAA or HIPAA attestation/audit is published.

    Verify on humata.ai
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Our privacy and security program is informed by industry standards like SOC 2, ISO 27001, and GDPR.

    source: humata.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    unknown

    Vendor explicitly states it does not train AI models on customer data: 'We do not use any of the data provided by our users to train our AI models.' Per supplementary sources, document data used by the model is not retained beyond 30 days, while dashboard data is retained until the user deletes it. Users own and can permanently delete their data.

    // Security controls

    Encryption at rest

    AES-256 at rest (security page); note the marketing/home page imprecisely calls this 'SHA 256-bit encryption' — SHA is a hash, not a cipher, so treat AES-256 as the authoritative claim

    humata.ai

    Encryption in transit

    TLS 1.3, HTTPS over signed Cloudflare and Google Cloud connections

    humata.ai

    SSO / SAML

    Single sign-on via SAML 2.0 (Okta, Google) supported

    humata.ai

    Access control

    Role-based access control, least-privilege procedures, department/folder-level permissions on Team plan

    humata.ai

    Penetration testing

    Regular third-party penetration tests and security audits by reputable firms (e.g. Kobalt.io)

    humata.ai

    Bug bounty

    No public bug-bounty program (HackerOne/Bugcrowd) found; security page invites users to report suspected vulnerabilities directly

    humata.ai

    Data retention

    Document data used by the model not retained beyond 30 days; dashboard data retained until user deletes it; users can permanently delete data at any time

    humata.ai

    Cloud infrastructure

    Hosted on Google Cloud, fronted by Cloudflare; 'secured private cloud' data rooms

    humata.ai

    // Products & data scope

    Humata FreeConsumer / individual PDF AI

    data: Individual uploads (up to 60 pages, 10 answers); same no-training, encrypted-at-rest posture

    Free tier, no credit card required

    Humata ExpertIndividual / small-team PDF AI ($9.99/mo)

    data: Up to 500 free pages, 3 users; individual document workspaces

    Per-page overage pricing

    Humata TeamTeam document AI ($49/user/mo)

    data: Shared private-cloud data rooms; department & folder-level permissions, RBAC, OCR; SAML SSO available

    Enterprise-grade access controls; up to 5,000 free pages, 10 users

    Humata EnterpriseEnterprise (sales-led, 10+ users)

    data: Same SOC 2 Type II controls, SSO/SAML, RBAC; pricing via sales

    Contact sales for scope/DPA; specifics not published

    Humata APIDeveloper API

    data: Programmatic document Q&A; data handling inherits the no-training, encrypted posture; embeddable web widget

    Public API offering; detailed API data terms not published on trust pages

    // What to watch

    • ISO 27001 is only referenced as a standard their program is 'informed by' — NOT certified; the security page shows a Completed/Nearly complete/Pending legend but does not assert ISO 27001 as held.
    • HIPAA: internal HIPAA policies/procedures are listed, but no BAA or HIPAA attestation is published — do not represent as HIPAA-compliant for regulated use.
    • Marketing/home page says 'SHA 256-bit encryption' which is technically incorrect terminology (SHA is a hash function); the security page's AES-256 claim is the accurate one.
    • No published DPA, sub-processor list, or data-residency/region detail; enterprise buyers must request these from sales.
    • No public bug-bounty program; vulnerability reporting is ad-hoc via direct contact.
    • Vendor is a small Gradient Ventures-backed startup (DBA of Tilda Technologies Inc.) — SOC 2 Type II + third-party pentests are genuinely strong for its size.

    // At a glance

    Pricing model

    Freemium + per-seat/per-page subscription (Free, Expert $9.99/mo, Team $49/user/mo, Enterprise sales-led) plus API

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tilda Technologies Inc. (DBA Humata)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    humata.ai

    > Browse all vendor trust reports