// Trust & Security Report
PathAI, Inc.
AI-powered digital pathology platform for biopharma drug/diagnostic development and anatomic pathology laboratories. Core product is AISight (cloud-native digital pathology image management and AI workflow platform, including FDA-cleared AISight Dx for primary diagnosis and AISight Clinical Trials for biopharma trial endpoints), plus BioPharma AI product menu and a CAP/CLIA-certified histopathology lab services business. Entered a definitive merger agreement to be acquired by Roche (announced May 2026, deal not yet closed).
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pathai.com“PathAI announced today that it received ISO 27001 certification, one of the highest internationally-recognized standards for information security management systems... PathAI underwent an in-depth assessment by A-LIGN, a leading accredited auditor, and confirmed that PathAI met or exceeded the standard in areas including application security, software development, business continuity, and human resources security.”
Verify on pathai.com“[PathAI] received certification of its quality management system for compliance with ISO 13485 and MDSAP for US regulations.”
Verify on pathai.com“Certain of our affiliated entities are required to comply with applicable federal and state health care privacy and security rules, including HIPAA... our processing of PHI is governed by Customer Agreements, Terms of Use, and Business Associate Agreements, as applicable.”
Verify on pathai.com“For transfers from the EEA to countries not considered by the European Commission to have adequate protections we have implemented measures to protect your Personal Information, such as through use of standard contractual clauses.”
> Show 6 unconfirmed / not-held certifications
source: pathai.comNo public evidence of a SOC 2 report or attestation on any vendor-domain page (policies, vulnerability disclosure policy, or press resources). No dedicated trust center exists to host one.
source: pathai.comNo public evidence of ISO 27017, 27018, or 27701 on any vendor-domain page found.
source: pathai.comNo public evidence of ISO/IEC 42001 or any AI-governance-specific certification on vendor-domain pages.
source: pathai.comNo public evidence of CSA STAR registration or certification on vendor-domain pages.
source: pathai.comNo evidence found; PathAI is an enterprise B2B contract business (biopharma/lab customers), not a direct card-payment consumer product, so PCI DSS is likely out of scope. No public evidence either way.
source: pathai.comNo public evidence of FedRAMP authorization on vendor-domain pages.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Primarily United States (HQ and lab operations in the US); EEA personal data is transferred out under standard contractual clauses per the Privacy Notice, implying no dedicated EU data residency option is advertised.
Vendor-domain Terms of Use and Privacy Notice contain no explicit statement on whether customer/patient data (including pathology images or PHI) is used to train PathAI's AI models. The Privacy Notice does reference Business Associate Agreements governing PHI use 'as applicable,' and the Vulnerability Disclosure Policy separately protects 'machine learning models or training data' as proprietary, implying PathAI does train models on data acquired through its contributor/lab network, but no page states whether individual customer/biopharma data specifically is included, excluded, or opt-out capable. Flagged as unresolved rather than assumed.
// Security controls
Encryption in transit
All communications between PathAI's servers are encrypted in transit.
pathai.comNetwork/host controls
Firewalls, access control lists, logging and monitoring, network isolation, and host-hardening techniques.
pathai.comVulnerability disclosure program
Formal Vulnerability Disclosure Policy with a dedicated intake channel; commits to not pursuing legal action against good-faith researchers.
pathai.comInformation security management system
ISO 27001-certified ISMS, audited by A-LIGN, covering application security, software development, business continuity, and HR security.
pathai.comQuality management system
ISO 13485 and MDSAP certified quality management system (relevant to its FDA-cleared AISight Dx medical device software).
pathai.com// Products & data scope
data: Whole-slide pathology images, case metadata; used by hospitals, reference labs, and academic medical centers.
Cloud-native, open-platform enterprise workflow solution; central hub for case/image management and AI applications.
data: Patient PHI-linked pathology slide images used for primary diagnosis in clinical settings.
FDA-cleared for primary diagnosis (June 2025); deployed with health systems including Labcorp and MedStar Health per PathAI press releases.
data: Histopathology images and derived endpoints from clinical trial subjects, used for standardized trial readouts (e.g. AIM-HI UC, IBDExplore).
Used by biopharma sponsors; likely governed by sponsor-specific data use agreements rather than the consumer-facing privacy notice.
data: De-identified and identified specimen/image data processed for biomarker discovery and drug development on behalf of biopharma customers.
Includes an in-house CAP/CLIA-certified GCLP histopathology lab (built 2022).
// What to watch
- No dedicated trust center or live security/compliance hub found on the vendor domain (has_trust_center=false) — all security evidence comes from a 2019 press release and the general policies/VDP pages, so current-state confirmation (e.g. whether ISO 27001 has been maintained/recertified since 2019) could not be independently verified.
- No SOC 2 report evidence found on the vendor domain; given the company processes PHI at enterprise/clinical scale, absence of a SOC 2 attestation or trust center is a notable gap for a company of this maturity, especially post-FDA clearance.
- AI training posture on customer/patient data is not explicitly disclosed on any vendor-domain page (Terms of Use, Privacy Notice, or VDP) — cannot confirm whether customer pathology data is used for model training, graded as null/unresolved rather than assumed either way.
- PathAI is in a pending acquisition by Roche (announced May 2026, not yet closed) — its trust/compliance posture, legal entity, and hosting may change materially once the deal closes; re-verify after close.
- No evidence of AI-governance-specific certifications (ISO/IEC 42001, CSA STAR AI) despite PathAI operating an FDA-cleared diagnostic AI product — worth flagging as a maturity gap given the regulatory sensitivity of the product.
// At a glance
Pricing model
Enterprise B2B contracts (biopharma services and lab/enterprise software licensing); no public self-serve pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on PathAI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pathai.com