// Trust & Security Report
Lately, Inc.
Lately is a single AI content/social-media marketing platform (AI Social Content Writer, Social Media Marketing, Social Selling, Social Media Analytics, Employee Advocacy modules) sold as one product tier per organization; the vendor is previewing a new conversational agent, "Kately," currently waitlist/pre-launch.
Certifications held
1
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lately.ai“"At Lately, Inc., we are committed to protecting the privacy and security of our users. This GDPR compliance page outlines the measures we have implemented to ensure that we handle personal data in accordance with the General Data Protection Regulation (GDPR) requirements." (page also documents data subject rights: access, rectification, erasure, restriction, portability, objection, and lists a named DPO contact and a subprocessor list)”
> Show 8 unconfirmed / not-held certifications
source: lately.aino public evidence: no trust center, security page, or SOC 2 mention found on lately.ai / trylately.com; site search for a dedicated security page returned 404
source: lately.aino public evidence: not mentioned on the home page, GDPR compliance page, or privacy policy
source: lately.aino public evidence of a BAA or HIPAA program; notably, the vendor's homepage lists "Healthcare & Pharma" as a served industry vertical with no accompanying HIPAA/BAA statement anywhere on the site
source: lately.aino public evidence of Lately holding its own PCI attestation; payment processing is delegated to Stripe as a subprocessor ("Stripe: Payment processing services"), so any PCI scope belongs to Stripe, not Lately
source: lately.aino public evidence found on any vendor-owned page
source: lately.aino public evidence: no AI-governance certification referenced anywhere on the vendor's site despite the product being AI-centric
source: lately.aino public evidence; product and marketing are aimed at commercial marketers, not government use
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Per the privacy policy: "The PII we receive may be held on our computers and systems in the European Union and in the computers and systems of our offices and datacenters in the United States," with users consenting to processing occurring "in the United States, where laws regarding data protection may be less stringent."
The GDPR page explicitly states, for its OpenAI subprocessor: "OpenAI: Only used to create longform content from prompt, not trained or given any client data." This rules out OpenAI training on customer content via Lately's integration, but there is no statement anywhere on the vendor's site about whether Lately's own models/algorithms are trained on customer data, so this remains unconfirmed (marked null/unknown) rather than assumed either way.
// Security controls
Encryption in transit / at rest
no public evidence: privacy policy only says the company has "security measures in place in our physical facilities and in our computer systems, databases, and communications networks that are designed reasonably to protect information" with no encryption specifics, and explicitly disclaims that it "cannot guarantee absolute security"
lately.aiSubprocessor disclosure
Published subprocessor list on the GDPR page: Amplitude, Asana, AWS, Calendly, Facebook, FullStory, Google, GitHub, HubSpot, Webflow, MongoDB, OpenAI, Slack, Stripe, Zapier, Zendesk
lately.aiData subject rights
GDPR page documents access, rectification, erasure, restriction, portability, and objection rights, with a named Data Protection Officer contact (support@lately.ai)
lately.aiDedicated security/trust page
None found; https://www.lately.ai/security returns HTTP 404 and no trust.lately.ai subdomain resolves
lately.ai// Products & data scope
data: Customer longform content (blogs, videos, podcasts), connected social account data (Facebook, Instagram, LinkedIn, X), CRM/marketing integrations (HubSpot, Salesforce, Hootsuite, Sprinklr)
General availability, marketed to businesses of all sizes across many verticals including "Healthcare & Pharma" and "Financial Services" with no corresponding HIPAA or financial-sector compliance evidence published.
data: Expected to be same as core platform (social content, brand voice, audience data); not yet launched
// What to watch
- No SOC 2, ISO 27001, HIPAA, or any third-party security certification found anywhere on the vendor's own domains (lately.ai, trylately.com) despite active gap-fill search and fetch of privacy, terms, GDPR, and an attempted security page (404).
- Potential over-claim risk: the vendor's homepage lists "Healthcare & Pharma" as a served industry, but there is no HIPAA statement, BAA offering, or any healthcare-specific compliance language anywhere on the site. AIFOXX should not imply HIPAA readiness for this vendor.
- Terms of Service page references the privacy policy at a legacy domain (www.trylately.com/privacy) while the live site is lately.ai; confirmed via Crunchbase (organization slug "trylately") that this is the same legal entity (Lately, Inc., Stone Ridge, NY) that migrated domains, not a different company, but the stale cross-reference is a minor documentation-hygiene issue.
- Small, thinly-capitalized company ($3.4M total raised across 12 rounds since 2016 per Crunchbase) consistent with startup-tier security maturity and the absence of a trust center; this is not being held against the vendor per the fairness-to-startups principle, but buyers with strict vendor-risk requirements (e.g. SOC 2 mandatory) should be informed.
- No explicit standalone Data Processing Agreement (DPA) is offered/linked publicly; only a subprocessor list embedded in the GDPR page was found.
// At a glance
Pricing model
Subscription SaaS (tiered plans referenced via a public Pricing page; per-seat/usage tiers not captured in evidence)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Lately, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
lately.ai