// Trust & Security Report

    Invideo (Whitesheep Technology Private Limited, India; Invideo Innovation Pte. Ltd., Singapore) logo

    Invideo (Whitesheep Technology Private Limited, India; Invideo Innovation Pte. Ltd., Singapore)

    AI video creation platform: Invideo AI / Agent One (agentic AI video generation), Invideo Studio (online video editor), Talking Avatar by Videocreek, plus Team & Enterprise tiers

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    Trust center overview (verbatim): 'This portal provides real-time access to our latest security certifications, compliance reports, and legal documentation (including SOC 2 and GDPR).' The vendor's own trust center thus names SOC 2 as a report it holds, but the report sits behind 'Request access' and could not be independently retrieved; the public homepage hedges the posture as 'SOC 2 & ISO Aligned' rather than 'SOC 2 certified'. Held kept as 'unknown' (a SOC 2 report is plausibly held but the gated report and audit period/type could not be verified); no public copy was found via web search.

    Verify on trust.invideo.io
    GDPR
    HELD

    GDPR Compliant — homepage trust badge; Privacy Policy enumerates Data Subject rights (access, rectification, erasure, restriction, portability, complaint to a supervisory authority) and lawful bases of processing.

    Verify on invideo.io
    PCI DSS
    HELD

    Payments are handled by Stripe (listed subprocessor: 'Stripe • Finance and payments'); no direct PCI claim by Invideo.

    Verify on trust.invideo.io
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Homepage badge (verbatim): 'Private & Secure / SOC 2 & ISO Aligned / GDPR Compliant' — 'aligned' denotes following the framework's controls, not holding an accredited certificate (a certified vendor states 'ISO 27001 certified'). Corroborating: the trust center, when enumerating the reports it makes available, names only 'SOC 2 and GDPR' and does not reference any ISO 27001 certificate, and no ISO certificate appears in the public control list. No ISO 27001 certificate for Invideo was found via web search. Held=false reflects 'aligned/aspirational, not certified'.

    source: invideo.io
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA anywhere on the trust center, security pages, or privacy policy; service is consumer/creator video tooling, not health data.

    source: trust.invideo.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Hosted on AWS; international transfers explicitly contemplated. Controllers are an Indian entity (Whitesheep Technology Pvt Ltd) and a Singapore entity (Invideo Innovation Pte Ltd). No customer-selectable data residency advertised.

    Two distinct regimes. ENTERPRISE (MSA-based) privacy policy: 'Such processing supports Service functionality and does not use Customer Personal Data to train general models for other customers, except as expressly permitted or using aggregated/de-identified data.' CONSUMER terms are broader: 'We may also use Customer Content/ Output generated using your Customer Content for the purpose of supporting and developing and further improving the Services' and grant Invideo an 'irrevocable, perpetual, non-exclusive, royalty-free' license; this content/improvement license explicitly 'do not apply to enterprise customers.' Biometric face data for avatars is 'never shared, sold, or disclosed,' processed on Invideo's own AI model, and 'immediately and permanently deleted' on avatar/account deletion. No model-training opt-out is documented for consumer users.

    // Security controls

    Encryption in transit

    Stated — 'Data transmission encrypted' control listed under Product security.

    trust.invideo.io

    Encryption / key management

    Stated — 'Encryption key access restricted' and 'Unique production database authentication enforced' under Infrastructure security.

    trust.invideo.io

    Vulnerability monitoring

    Stated — 'Vulnerability and system monitoring procedures established' under Product security.

    trust.invideo.io

    Penetration testing

    unknown — not explicitly named in the public (ungated) control list; full control set and audit reports are behind 'Request access.'

    trust.invideo.io

    Bug bounty / vulnerability disclosure

    No public HackerOne or Bugcrowd program found. Security contact is security@invideo.io. (An internal/in-house bounty effort has been referenced historically by an Invideo engineer, but no public program.)

    trust.invideo.io

    Org security controls

    Stated — 'Employee background checks performed', 'Anti-malware technology utilized', 'Production inventory maintained'.

    trust.invideo.io

    Business continuity / DR

    Stated — 'Continuity and Disaster Recovery plans established' and 'tested'.

    trust.invideo.io

    Subprocessors

    Disclosed: Amazon Web Services (cloud), Stripe (payments), OpenAI (data storage/processing), Anthropic (data storage/processing).

    trust.invideo.io

    Trust center platform

    Hosted, gated trust portal (Vanta-style) with live control list; full reports require requesting access.

    trust.invideo.io

    // Products & data scope

    Invideo AI / Agent One (Individual: Plus, Max, Generative, Elite)Consumer/prosumer agentic AI video generation

    data: Personal account data, prompts, uploaded Customer Content, generated Output, device/usage analytics, optional biometric face data for avatars. Routes prompts/content to third-party model subprocessors (OpenAI, Anthropic) and 200+ generation models.

    Governed by consumer Terms + consumer Privacy Policy. Broad perpetual content license; content/Output may be used to 'develop and improve the Services.' No documented training opt-out for consumers.

    Invideo StudioOnline video editor (template-based)

    data: Account, uploaded media, usage data; same consumer privacy regime.

    Bundled under the same 'Services' umbrella and consumer policies.

    Talking Avatar by VideocreekAI avatar / lip-sync video

    data: Facial coordinate (biometric) data from face scans; stored on Invideo servers, not shared with third parties, deleted on avatar/account deletion.

    May constitute biometric identifiers under applicable privacy laws (e.g., BIPA-type). Custom Avatar creation requires explicit recorded consent.

    Team & EnterpriseBusiness/enterprise AI video with collaboration (multiplayer, custom agents)

    data: Governed by a separate MSA, DPA, and the enterprise Privacy Policy. Customer Data/Content processed as a processor under the DPA.

    Materially stronger contractual posture: consumer broad-license terms do NOT apply; vendor states it does not use Customer Personal Data to train general models for other customers.

    // What to watch

    • SOC 2 status is ambiguous: trust center says it provides access to 'compliance reports... including SOC 2' but the public homepage hedges as 'SOC 2 & ISO Aligned' (aligned != certified). Actual SOC 2 report is behind 'Request access' and could not be directly verified.
    • ISO 27001 is 'aligned' only, not certified.
    • No public bug bounty (HackerOne/Bugcrowd); pentest not explicitly confirmed in ungated controls.
    • Consumer Terms grant a broad, perpetual, irrevocable license over Customer Content/Output and allow use to 'develop and improve the Services'; no consumer training opt-out. Enterprise carve-out is much stronger.
    • Biometric (face) data processing for avatars — relevant for jurisdictions with biometric privacy laws.
    • Subprocessors include OpenAI and Anthropic for data storage/processing, so prompts/content leave Invideo's infrastructure.

    // At a glance

    Pricing model

    Subscription, credit-based. Individual: Plus $17/mo, Max $85/mo, Generative $170/mo, Elite $900/mo (billed annually); plus Team & Enterprise tier and on-demand credit top-ups. Free tier with limited functionality.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Invideo (Whitesheep Technology Private Limited, India; Invideo Innovation Pte. Ltd., Singapore)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.invideo.io

    > Browse all vendor trust reports