// Trust & Security Report

    PathAI, Inc. logo

    PathAI, Inc.

    AI-powered digital pathology platform for biopharma drug/diagnostic development and anatomic pathology laboratories. Core product is AISight (cloud-native digital pathology image management and AI workflow platform, including FDA-cleared AISight Dx for primary diagnosis and AISight Clinical Trials for biopharma trial endpoints), plus BioPharma AI product menu and a CAP/CLIA-certified histopathology lab services business. Entered a definitive merger agreement to be acquired by Roche (announced May 2026, deal not yet closed).

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    PathAI announced today that it received ISO 27001 certification, one of the highest internationally-recognized standards for information security management systems... PathAI underwent an in-depth assessment by A-LIGN, a leading accredited auditor, and confirmed that PathAI met or exceeded the standard in areas including application security, software development, business continuity, and human resources security.

    Verify on pathai.com
    ISO 13485
    HELD

    [PathAI] received certification of its quality management system for compliance with ISO 13485 and MDSAP for US regulations.

    Verify on pathai.com
    HIPAA
    HELD

    Certain of our affiliated entities are required to comply with applicable federal and state health care privacy and security rules, including HIPAA... our processing of PHI is governed by Customer Agreements, Terms of Use, and Business Associate Agreements, as applicable.

    Verify on pathai.com
    GDPR (posture)
    HELD

    For transfers from the EEA to countries not considered by the European Commission to have adequate protections we have implemented measures to protect your Personal Information, such as through use of standard contractual clauses.

    Verify on pathai.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence of a SOC 2 report or attestation on any vendor-domain page (policies, vulnerability disclosure policy, or press resources). No dedicated trust center exists to host one.

    source: pathai.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of ISO 27017, 27018, or 27701 on any vendor-domain page found.

    source: pathai.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or any AI-governance-specific certification on vendor-domain pages.

    source: pathai.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification on vendor-domain pages.

    source: pathai.com
    PCI DSS
    NOT CONFIRMED

    No evidence found; PathAI is an enterprise B2B contract business (biopharma/lab customers), not a direct card-payment consumer product, so PCI DSS is likely out of scope. No public evidence either way.

    source: pathai.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on vendor-domain pages.

    source: pathai.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primarily United States (HQ and lab operations in the US); EEA personal data is transferred out under standard contractual clauses per the Privacy Notice, implying no dedicated EU data residency option is advertised.

    Vendor-domain Terms of Use and Privacy Notice contain no explicit statement on whether customer/patient data (including pathology images or PHI) is used to train PathAI's AI models. The Privacy Notice does reference Business Associate Agreements governing PHI use 'as applicable,' and the Vulnerability Disclosure Policy separately protects 'machine learning models or training data' as proprietary, implying PathAI does train models on data acquired through its contributor/lab network, but no page states whether individual customer/biopharma data specifically is included, excluded, or opt-out capable. Flagged as unresolved rather than assumed.

    // Security controls

    Encryption in transit

    All communications between PathAI's servers are encrypted in transit.

    pathai.com

    Network/host controls

    Firewalls, access control lists, logging and monitoring, network isolation, and host-hardening techniques.

    pathai.com

    Vulnerability disclosure program

    Formal Vulnerability Disclosure Policy with a dedicated intake channel; commits to not pursuing legal action against good-faith researchers.

    pathai.com

    Information security management system

    ISO 27001-certified ISMS, audited by A-LIGN, covering application security, software development, business continuity, and HR security.

    pathai.com

    Quality management system

    ISO 13485 and MDSAP certified quality management system (relevant to its FDA-cleared AISight Dx medical device software).

    pathai.com

    // Products & data scope

    AISight (Digital Pathology Platform)Digital pathology image management / workflow

    data: Whole-slide pathology images, case metadata; used by hospitals, reference labs, and academic medical centers.

    Cloud-native, open-platform enterprise workflow solution; central hub for case/image management and AI applications.

    AISight DxClinical diagnostic AI (FDA-cleared)

    data: Patient PHI-linked pathology slide images used for primary diagnosis in clinical settings.

    FDA-cleared for primary diagnosis (June 2025); deployed with health systems including Labcorp and MedStar Health per PathAI press releases.

    AISight Clinical TrialsBiopharma clinical trial endpoints

    data: Histopathology images and derived endpoints from clinical trial subjects, used for standardized trial readouts (e.g. AIM-HI UC, IBDExplore).

    Used by biopharma sponsors; likely governed by sponsor-specific data use agreements rather than the consumer-facing privacy notice.

    BioPharma AI Product Menu / Lab ServicesDrug development AI + CAP/CLIA lab services

    data: De-identified and identified specimen/image data processed for biomarker discovery and drug development on behalf of biopharma customers.

    Includes an in-house CAP/CLIA-certified GCLP histopathology lab (built 2022).

    // What to watch

    • No dedicated trust center or live security/compliance hub found on the vendor domain (has_trust_center=false) — all security evidence comes from a 2019 press release and the general policies/VDP pages, so current-state confirmation (e.g. whether ISO 27001 has been maintained/recertified since 2019) could not be independently verified.
    • No SOC 2 report evidence found on the vendor domain; given the company processes PHI at enterprise/clinical scale, absence of a SOC 2 attestation or trust center is a notable gap for a company of this maturity, especially post-FDA clearance.
    • AI training posture on customer/patient data is not explicitly disclosed on any vendor-domain page (Terms of Use, Privacy Notice, or VDP) — cannot confirm whether customer pathology data is used for model training, graded as null/unresolved rather than assumed either way.
    • PathAI is in a pending acquisition by Roche (announced May 2026, not yet closed) — its trust/compliance posture, legal entity, and hosting may change materially once the deal closes; re-verify after close.
    • No evidence of AI-governance-specific certifications (ISO/IEC 42001, CSA STAR AI) despite PathAI operating an FDA-cleared diagnostic AI product — worth flagging as a maturity gap given the regulatory sensitivity of the product.

    // At a glance

    Pricing model

    Enterprise B2B contracts (biopharma services and lab/enterprise software licensing); no public self-serve pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on PathAI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pathai.com

    > Browse all vendor trust reports