// Trust & Security Report
Tilda Technologies Inc. (DBA Humata)
Humata AI — document/PDF question-answering assistant
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on humata.ai“We are SOC-2 Type II compliant, underscoring our commitment to superior security practices and operational effectiveness.”
Verify on humata.ai“Humata is SOC 2 Type II compliant, demonstrating our commitment to secure and reliable systems.”
Verify on humata.ai“Our privacy and security program is informed by industry standards like SOC 2, ISO 27001, and GDPR.”
Verify on humata.ai“Compliance program lists HIPAA Privacy Policy, HIPAA Security Policy, HIPAA Privacy Procedure, and HIPAA Security Procedure, but no BAA or HIPAA attestation/audit is published.”
> Show 1 unconfirmed / not-held certifications
source: humata.aiOur privacy and security program is informed by industry standards like SOC 2, ISO 27001, and GDPR.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
unknown
Vendor explicitly states it does not train AI models on customer data: 'We do not use any of the data provided by our users to train our AI models.' Per supplementary sources, document data used by the model is not retained beyond 30 days, while dashboard data is retained until the user deletes it. Users own and can permanently delete their data.
// Security controls
Encryption at rest
AES-256 at rest (security page); note the marketing/home page imprecisely calls this 'SHA 256-bit encryption' — SHA is a hash, not a cipher, so treat AES-256 as the authoritative claim
humata.aiAccess control
Role-based access control, least-privilege procedures, department/folder-level permissions on Team plan
humata.aiPenetration testing
Regular third-party penetration tests and security audits by reputable firms (e.g. Kobalt.io)
humata.aiBug bounty
No public bug-bounty program (HackerOne/Bugcrowd) found; security page invites users to report suspected vulnerabilities directly
humata.aiData retention
Document data used by the model not retained beyond 30 days; dashboard data retained until user deletes it; users can permanently delete data at any time
humata.aiCloud infrastructure
Hosted on Google Cloud, fronted by Cloudflare; 'secured private cloud' data rooms
humata.ai// Products & data scope
data: Individual uploads (up to 60 pages, 10 answers); same no-training, encrypted-at-rest posture
Free tier, no credit card required
data: Up to 500 free pages, 3 users; individual document workspaces
Per-page overage pricing
data: Shared private-cloud data rooms; department & folder-level permissions, RBAC, OCR; SAML SSO available
Enterprise-grade access controls; up to 5,000 free pages, 10 users
data: Same SOC 2 Type II controls, SSO/SAML, RBAC; pricing via sales
Contact sales for scope/DPA; specifics not published
data: Programmatic document Q&A; data handling inherits the no-training, encrypted posture; embeddable web widget
Public API offering; detailed API data terms not published on trust pages
// What to watch
- ISO 27001 is only referenced as a standard their program is 'informed by' — NOT certified; the security page shows a Completed/Nearly complete/Pending legend but does not assert ISO 27001 as held.
- HIPAA: internal HIPAA policies/procedures are listed, but no BAA or HIPAA attestation is published — do not represent as HIPAA-compliant for regulated use.
- Marketing/home page says 'SHA 256-bit encryption' which is technically incorrect terminology (SHA is a hash function); the security page's AES-256 claim is the accurate one.
- No published DPA, sub-processor list, or data-residency/region detail; enterprise buyers must request these from sales.
- No public bug-bounty program; vulnerability reporting is ad-hoc via direct contact.
- Vendor is a small Gradient Ventures-backed startup (DBA of Tilda Technologies Inc.) — SOC 2 Type II + third-party pentests are genuinely strong for its size.
// At a glance
Pricing model
Freemium + per-seat/per-page subscription (Free, Expert $9.99/mo, Team $49/user/mo, Enterprise sales-led) plus API
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tilda Technologies Inc. (DBA Humata)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
humata.ai