// Trust & Security Report

    PathFactory Inc. (PathFactory Corp.), acquired by Kaltura logo

    PathFactory Inc. (PathFactory Corp.), acquired by Kaltura

    B2B content intelligence and AI-powered buyer journey platform (PathFactory Experiences, ChatFactory AI Buying Agents, PathFactory Intelligence, AI Search Optimization)

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    PathFactory announced that the company has earned the rigorous SOC2 Type 2 certification ... PathFactory has committed to participating in annual SOC2 Type 2 audits to ensure its compliance is always verified and up to date. The audit was performed by a leading Big 4 accounting firm.

    Verify on pathfactory.com
    EU-U.S. / UK / Swiss-U.S. Data Privacy Framework (DPF)
    HELD

    PathFactory Corp. has self-certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.

    Verify on pathfactory.com
    ISO 27001
    HELD

    No ISO 27001 certification claim found on PathFactory's own security/compliance, GDPR FAQ, or press pages.

    Verify on support.pathfactory.com
    HIPAA
    HELD

    No HIPAA compliance claim found; PathFactory is a B2B marketing/content engagement platform not positioned for PHI.

    Verify on support.pathfactory.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (Amazon Web Services; primary and disaster-recovery hosting plus daily backups in Virginia). Vendor HQ in Toronto, Canada; US office in Washington, DC.

    ChatFactory sends content-specific data to third-party LLMs (OpenAI, Llama) for processing but contractually prohibits providers from using customer content to train their models. Quote: 'there are contractual safeguards in place to ensure that the content is secure and it is not used to train third party LLMs ... this data is neither used to train these models nor shared further.' Each customer instance is isolated and AI models are not shared across customers. Customers control which assets enter ChatFactory 'Collections'. No visitor identification or engagement data is shared with the LLM.

    // Security controls

    Encryption at rest

    AES-256 (industry standard)

    support.pathfactory.com

    Encryption in transit

    Yes (TLS, referenced as 'encryption in transit')

    support.pathfactory.com

    Penetration testing / vulnerability assessment

    Yearly vulnerability assessment, penetration testing, web application testing, open-source testing, SAST and DAST through an industry-leading security auditing firm

    pathfactory.com

    Bug bounty program

    None found (no HackerOne or Bugcrowd program disclosed on vendor domain)

    support.pathfactory.com

    Hosting / infrastructure

    Amazon Web Services (AWS); per-customer instance isolation

    support.pathfactory.com

    Backups / disaster recovery

    Daily backups and GDPR-compliant disaster recovery located in Virginia

    support.pathfactory.com

    Single Sign-On (SSO)

    Supported (SSO overview and access protection documentation available)

    support.pathfactory.com

    // Products & data scope

    PathFactory ExperiencesContent engagement / personalized content hubs and playlists

    data: First-party visitor engagement data (known and anonymous), behavioral/click data, content interactions; customer-uploaded marketing content and contact data per customer instructions.

    Core platform. Customer determines what Personal Information is uploaded and stored; PathFactory processes only per customer instructions (processor role).

    ChatFactory (AI Buying Agents)Generative AI conversational agent

    data: Customer content within curated 'Collections' is sent to third-party LLMs (OpenAI, Llama) for inference only; no visitor identification or engagement data sent to LLM; per-customer AI model isolation.

    AI-specific data flow. Contractual safeguards bar LLM providers from training on customer content; data not used to train PathFactory's proprietary or third-party AI beyond the customer's own instance.

    PathFactory IntelligenceEngagement analytics / revenue attribution

    data: Aggregated and account/individual-level engagement signals tied to pipeline; integrates with CRM/MAP (Salesforce, Marketo, HubSpot, 6sense, Demandbase, ZoomInfo, etc.).

    Analytics layer. Data shared with connected revenue-stack tools per customer configuration.

    AI Search OptimizationContent discoverability

    data: Customer content metadata for search/AI optimization.

    Newer module; limited public data/compliance detail.

    // What to watch

    • Vendor acquired by Kaltura; long-term compliance posture and trust documentation may shift under new parent. Current evidence is PathFactory-branded and self-consistent.
    • No standalone trust center portal (e.g., Vanta/SafeBase) or public SOC 2 report download; SOC 2 evidence is a press announcement plus support-page references, not a live attestation portal. Report likely available under NDA.
    • Data hosting is US-only (Virginia); EU customers rely on DPF/SCCs rather than EU data residency.
    • ISO 27001 and HIPAA not claimed - correctly marked unknown, not asserted.

    // At a glance

    Pricing model

    Enterprise SaaS, subscription, sales-led (book a demo / contact sales; no public pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on PathFactory Inc. (PathFactory Corp.), acquired by Kaltura's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    support.pathfactory.com

    > Browse all vendor trust reports