// Trust & Security Report

    Lately, Inc. logo

    Lately, Inc.

    Lately is a single AI content/social-media marketing platform (AI Social Content Writer, Social Media Marketing, Social Selling, Social Media Analytics, Employee Advocacy modules) sold as one product tier per organization; the vendor is previewing a new conversational agent, "Kately," currently waitlist/pre-launch.

    Certifications held

    1

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    "At Lately, Inc., we are committed to protecting the privacy and security of our users. This GDPR compliance page outlines the measures we have implemented to ensure that we handle personal data in accordance with the General Data Protection Regulation (GDPR) requirements." (page also documents data subject rights: access, rectification, erasure, restriction, portability, objection, and lists a named DPO contact and a subprocessor list)

    Verify on lately.ai
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    no public evidence: no trust center, security page, or SOC 2 mention found on lately.ai / trylately.com; site search for a dedicated security page returned 404

    source: lately.ai
    ISO 27001
    NOT CONFIRMED

    no public evidence: not mentioned on the home page, GDPR compliance page, or privacy policy

    source: lately.ai
    HIPAA
    NOT CONFIRMED

    no public evidence of a BAA or HIPAA program; notably, the vendor's homepage lists "Healthcare & Pharma" as a served industry vertical with no accompanying HIPAA/BAA statement anywhere on the site

    source: lately.ai
    PCI DSS
    NOT CONFIRMED

    no public evidence of Lately holding its own PCI attestation; payment processing is delegated to Stripe as a subprocessor ("Stripe: Payment processing services"), so any PCI scope belongs to Stripe, not Lately

    source: lately.ai
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    no public evidence found on any vendor-owned page

    source: lately.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    no public evidence: no AI-governance certification referenced anywhere on the vendor's site despite the product being AI-centric

    source: lately.ai
    CSA STAR
    NOT CONFIRMED

    no public evidence found on any vendor-owned page

    source: lately.ai
    FedRAMP
    NOT CONFIRMED

    no public evidence; product and marketing are aimed at commercial marketers, not government use

    source: lately.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Per the privacy policy: "The PII we receive may be held on our computers and systems in the European Union and in the computers and systems of our offices and datacenters in the United States," with users consenting to processing occurring "in the United States, where laws regarding data protection may be less stringent."

    The GDPR page explicitly states, for its OpenAI subprocessor: "OpenAI: Only used to create longform content from prompt, not trained or given any client data." This rules out OpenAI training on customer content via Lately's integration, but there is no statement anywhere on the vendor's site about whether Lately's own models/algorithms are trained on customer data, so this remains unconfirmed (marked null/unknown) rather than assumed either way.

    // Security controls

    Encryption in transit / at rest

    no public evidence: privacy policy only says the company has "security measures in place in our physical facilities and in our computer systems, databases, and communications networks that are designed reasonably to protect information" with no encryption specifics, and explicitly disclaims that it "cannot guarantee absolute security"

    lately.ai

    Subprocessor disclosure

    Published subprocessor list on the GDPR page: Amplitude, Asana, AWS, Calendly, Facebook, FullStory, Google, GitHub, HubSpot, Webflow, MongoDB, OpenAI, Slack, Stripe, Zapier, Zendesk

    lately.ai

    Data subject rights

    GDPR page documents access, rectification, erasure, restriction, portability, and objection rights, with a named Data Protection Officer contact (support@lately.ai)

    lately.ai

    Dedicated security/trust page

    None found; https://www.lately.ai/security returns HTTP 404 and no trust.lately.ai subdomain resolves

    lately.ai

    // Products & data scope

    Lately (core platform)AI social media content creation, employee advocacy, social analytics

    data: Customer longform content (blogs, videos, podcasts), connected social account data (Facebook, Instagram, LinkedIn, X), CRM/marketing integrations (HubSpot, Salesforce, Hootsuite, Sprinklr)

    General availability, marketed to businesses of all sizes across many verticals including "Healthcare & Pharma" and "Financial Services" with no corresponding HIPAA or financial-sector compliance evidence published.

    KatelyConversational AI social media management agent (pre-launch)

    data: Expected to be same as core platform (social content, brand voice, audience data); not yet launched

    // What to watch

    • No SOC 2, ISO 27001, HIPAA, or any third-party security certification found anywhere on the vendor's own domains (lately.ai, trylately.com) despite active gap-fill search and fetch of privacy, terms, GDPR, and an attempted security page (404).
    • Potential over-claim risk: the vendor's homepage lists "Healthcare & Pharma" as a served industry, but there is no HIPAA statement, BAA offering, or any healthcare-specific compliance language anywhere on the site. AIFOXX should not imply HIPAA readiness for this vendor.
    • Terms of Service page references the privacy policy at a legacy domain (www.trylately.com/privacy) while the live site is lately.ai; confirmed via Crunchbase (organization slug "trylately") that this is the same legal entity (Lately, Inc., Stone Ridge, NY) that migrated domains, not a different company, but the stale cross-reference is a minor documentation-hygiene issue.
    • Small, thinly-capitalized company ($3.4M total raised across 12 rounds since 2016 per Crunchbase) consistent with startup-tier security maturity and the absence of a trust center; this is not being held against the vendor per the fairness-to-startups principle, but buyers with strict vendor-risk requirements (e.g. SOC 2 mandatory) should be informed.
    • No explicit standalone Data Processing Agreement (DPA) is offered/linked publicly; only a subprocessor list embedded in the GDPR page was found.

    // At a glance

    Pricing model

    Subscription SaaS (tiered plans referenced via a public Pricing page; per-seat/usage tiers not captured in evidence)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Lately, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    lately.ai

    > Browse all vendor trust reports