// Trust & Security Report

    Nexusbird, Inc. (dba Motion) logo

    Nexusbird, Inc. (dba Motion)

    Motion AI work platform: AI Task Planner, AI Project Manager, AI Calendar Assistant, AI Meeting Notetaker, AI Docs Assistant, AI Search, AI Workflow Builder, sold as a single SaaS product across Individual/Team/Business plans

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    NexusBird, Inc (dba Motion) successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. ... An unqualified opinion on a SOC 2 Type II audit report demonstrates to Motion's current and future customers that they manage their data with the highest standard of security and compliance.

    Verify on usemotion.com
    GDPR (posture, not a certification)
    HELD

    Security page displays a 'GDPR compliant badge'; the Data Processing Addendum defines 'Applicable Data Protection Laws' to include 'the General Data Protection Regulation 2016/679' and incorporates EU, UK, and Swiss Standard Contractual Clauses in Schedule 3 for international transfers.

    Verify on usemotion.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence Motion itself holds ISO 27001. The only mention of 'ISO' on Motion's security page is in a sentence describing what their SOC 2 auditor, Prescient Assurance, offers as a service line ('provide risk management and assurance services which includes but not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, CSA STAR etc.') - that describes the auditor's service catalog, not a certification Motion holds.

    source: usemotion.com
    HIPAA
    NOT CONFIRMED

    Same as above: 'HIPAA' appears only inside the description of Prescient Assurance's general service offerings, not as a claim Motion makes about itself. No BAA, HIPAA program page, or HIPAA badge is published on Motion's site.

    source: usemotion.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. 'PCI' appears only in the same auditor-service-catalog sentence referenced above, not as a claim about Motion's own environment.

    source: usemotion.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. 'CSA STAR' appears only in the same auditor-service-catalog sentence, not as a claim Motion makes about its own program.

    source: usemotion.com
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP anywhere on Motion's security page, privacy policy, or DPA. FedRAMP applies to US federal cloud services and there is no public evidence Motion pursues it.

    source: usemotion.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of an AI governance certification (ISO/IEC 42001 or CSA STAR for AI). Not mentioned on the security page, privacy policy, or DPA.

    source: usemotion.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Hosted on Google Cloud Platform (GCP). Security page: 'Data is stored in Google's Central-1 region, based in Iowa.' Same page explicitly states: 'Data is not stored in the European Union, and at this time unfortunately it is not possible to request your data to only be stored in the European Union.'

    Motion's security page states: 'Motion does not-and never will-train AI models using your data. Additionally, our third-party LLM providers, including OpenAI, do not use your inputs or outputs to train or improve their models.' Motion may temporarily store LLM inputs/outputs for performance optimization and debugging only. NOTE: the general Privacy Policy separately lists 'Training and developing machine learning algorithms ... and anonymous benchmarking' as a purpose for which collected information may be used, but immediately qualifies that any such information is first aggregated/de-identified/anonymized so it is 'no longer reasonably capable of being associated with you.' This is not a direct contradiction once read together, but the two documents use different framing and should be reconciled by Motion's own team; flagged below out of caution.

    // Security controls

    Encryption in transit

    "Our applications encrypt in transit with TLS/SSL only."

    usemotion.com

    Encryption at rest

    "All databases are encrypted at rest."

    usemotion.com

    Hosting infrastructure

    All services hosted on Google Cloud Platform (GCP), Central-1 region (Iowa, US); no EU-only data residency option available

    usemotion.com

    Independent audit

    SOC 2 Type II audit completed, performed by Prescient Assurance; detailed security kit (SOC 2 report, pen-test report, policies, security questionnaire) available on request to support@usemotion.com, not published openly

    usemotion.com

    Sub-processors (LLM providers)

    OpenAI, Anthropic, and Google listed as third-party LLM providers; contractually/publicly stated not to train on customer inputs/outputs

    usemotion.com

    International transfer mechanism

    DPA incorporates EU Standard Contractual Clauses (2021 version), UK SCCs, and Swiss SCCs for transfers out of Europe

    usemotion.com

    // Products & data scope

    Motion (single product, tiered plans)AI productivity / project & task management platform

    data: User account data, task/project/calendar content, meeting recordings and transcripts (AI Notetaker), documents (AI Docs), and any content routed to third-party LLM providers for AI features

    Motion does not appear to segment security/compliance posture by plan (Individual vs Team vs Business); the same security page and DPA apply platform-wide based on available evidence. No enterprise-only security tier (e.g.

    // What to watch

    • OVER-CLAIM RISK: multiple third-party SEO/security-scoring sites (not Motion's own domain) state Motion is 'HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant.' This is not supported by Motion's own security page - those extra terms (ISO, HIPAA, PCI, CSA STAR, FedRAMP) appear on Motion's page only inside a sentence describing what their auditor, Prescient Assurance, offers as general services, not as certifications Motion itself holds. AIFOXX should NOT display ISO 27001, HIPAA, PCI DSS, CSA STAR, or FedRAMP badges for Motion based on current evidence - only SOC 2 Type II is vendor-confirmed.
    • No EU/UK data residency option: Motion stores all data in a single US region (Iowa) and explicitly states EU-only storage is not currently possible, despite displaying a 'GDPR compliant' badge and offering a DPA with SCCs - this is a real limitation for EU enterprise buyers with data-localization requirements.
    • No public trust center / self-serve compliance reports: SOC 2 report, pen-test report, and detailed security questionnaire answers are only available on request via email (support@usemotion.com), not published on a Vercel-style trust portal (e.g. no Drata/Vanta/SafeBase trust page found).
    • Minor documentation inconsistency: the general Privacy Policy lists 'training and developing machine learning algorithms' as a data use, while the security page states Motion 'does not-and never will-train AI models using your data.' The Privacy Policy immediately qualifies this with an aggregation/anonymization caveat, so the two are likely reconcilable, but AIFOXX should note this as a soft contradiction rather than treat it as fully resolved without vendor confirmation.
    • SOC 2 report cycle/date and current audit period were not independently confirmable from public pages (only the qualitative claim of completion), since the report itself is gated behind a request.

    // At a glance

    Pricing model

    Per-seat SaaS subscription (Individual, Team/Business plans), free trial

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Nexusbird, Inc. (dba Motion)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    usemotion.com

    > Browse all vendor trust reports