// Trust & Security Report
Nexusbird, Inc. (dba Motion)
Motion AI work platform: AI Task Planner, AI Project Manager, AI Calendar Assistant, AI Meeting Notetaker, AI Docs Assistant, AI Search, AI Workflow Builder, sold as a single SaaS product across Individual/Team/Business plans
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on usemotion.com“NexusBird, Inc (dba Motion) successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. ... An unqualified opinion on a SOC 2 Type II audit report demonstrates to Motion's current and future customers that they manage their data with the highest standard of security and compliance.”
Verify on usemotion.com“Security page displays a 'GDPR compliant badge'; the Data Processing Addendum defines 'Applicable Data Protection Laws' to include 'the General Data Protection Regulation 2016/679' and incorporates EU, UK, and Swiss Standard Contractual Clauses in Schedule 3 for international transfers.”
> Show 6 unconfirmed / not-held certifications
source: usemotion.comNo public evidence Motion itself holds ISO 27001. The only mention of 'ISO' on Motion's security page is in a sentence describing what their SOC 2 auditor, Prescient Assurance, offers as a service line ('provide risk management and assurance services which includes but not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, CSA STAR etc.') - that describes the auditor's service catalog, not a certification Motion holds.
source: usemotion.comSame as above: 'HIPAA' appears only inside the description of Prescient Assurance's general service offerings, not as a claim Motion makes about itself. No BAA, HIPAA program page, or HIPAA badge is published on Motion's site.
source: usemotion.comNo public evidence. 'PCI' appears only in the same auditor-service-catalog sentence referenced above, not as a claim about Motion's own environment.
source: usemotion.comNo public evidence. 'CSA STAR' appears only in the same auditor-service-catalog sentence, not as a claim Motion makes about its own program.
source: usemotion.comNo mention of FedRAMP anywhere on Motion's security page, privacy policy, or DPA. FedRAMP applies to US federal cloud services and there is no public evidence Motion pursues it.
source: usemotion.comNo public evidence of an AI governance certification (ISO/IEC 42001 or CSA STAR for AI). Not mentioned on the security page, privacy policy, or DPA.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Hosted on Google Cloud Platform (GCP). Security page: 'Data is stored in Google's Central-1 region, based in Iowa.' Same page explicitly states: 'Data is not stored in the European Union, and at this time unfortunately it is not possible to request your data to only be stored in the European Union.'
Motion's security page states: 'Motion does not-and never will-train AI models using your data. Additionally, our third-party LLM providers, including OpenAI, do not use your inputs or outputs to train or improve their models.' Motion may temporarily store LLM inputs/outputs for performance optimization and debugging only. NOTE: the general Privacy Policy separately lists 'Training and developing machine learning algorithms ... and anonymous benchmarking' as a purpose for which collected information may be used, but immediately qualifies that any such information is first aggregated/de-identified/anonymized so it is 'no longer reasonably capable of being associated with you.' This is not a direct contradiction once read together, but the two documents use different framing and should be reconciled by Motion's own team; flagged below out of caution.
// Security controls
Hosting infrastructure
All services hosted on Google Cloud Platform (GCP), Central-1 region (Iowa, US); no EU-only data residency option available
usemotion.comIndependent audit
SOC 2 Type II audit completed, performed by Prescient Assurance; detailed security kit (SOC 2 report, pen-test report, policies, security questionnaire) available on request to support@usemotion.com, not published openly
usemotion.comSub-processors (LLM providers)
OpenAI, Anthropic, and Google listed as third-party LLM providers; contractually/publicly stated not to train on customer inputs/outputs
usemotion.comInternational transfer mechanism
DPA incorporates EU Standard Contractual Clauses (2021 version), UK SCCs, and Swiss SCCs for transfers out of Europe
usemotion.com// Products & data scope
data: User account data, task/project/calendar content, meeting recordings and transcripts (AI Notetaker), documents (AI Docs), and any content routed to third-party LLM providers for AI features
Motion does not appear to segment security/compliance posture by plan (Individual vs Team vs Business); the same security page and DPA apply platform-wide based on available evidence. No enterprise-only security tier (e.g.
// What to watch
- OVER-CLAIM RISK: multiple third-party SEO/security-scoring sites (not Motion's own domain) state Motion is 'HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRAMP Compliant, and CSA Star Level 1 Compliant.' This is not supported by Motion's own security page - those extra terms (ISO, HIPAA, PCI, CSA STAR, FedRAMP) appear on Motion's page only inside a sentence describing what their auditor, Prescient Assurance, offers as general services, not as certifications Motion itself holds. AIFOXX should NOT display ISO 27001, HIPAA, PCI DSS, CSA STAR, or FedRAMP badges for Motion based on current evidence - only SOC 2 Type II is vendor-confirmed.
- No EU/UK data residency option: Motion stores all data in a single US region (Iowa) and explicitly states EU-only storage is not currently possible, despite displaying a 'GDPR compliant' badge and offering a DPA with SCCs - this is a real limitation for EU enterprise buyers with data-localization requirements.
- No public trust center / self-serve compliance reports: SOC 2 report, pen-test report, and detailed security questionnaire answers are only available on request via email (support@usemotion.com), not published on a Vercel-style trust portal (e.g. no Drata/Vanta/SafeBase trust page found).
- Minor documentation inconsistency: the general Privacy Policy lists 'training and developing machine learning algorithms' as a data use, while the security page states Motion 'does not-and never will-train AI models using your data.' The Privacy Policy immediately qualifies this with an aggregation/anonymization caveat, so the two are likely reconcilable, but AIFOXX should note this as a soft contradiction rather than treat it as fully resolved without vendor confirmation.
- SOC 2 report cycle/date and current audit period were not independently confirmable from public pages (only the qualitative claim of completion), since the report itself is gated behind a request.
// At a glance
Pricing model
Per-seat SaaS subscription (Individual, Team/Business plans), free trial
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Nexusbird, Inc. (dba Motion)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
usemotion.com