// Trust & Security Report
Three Sigma AI (dba PDF.ai)
AI-powered PDF/document tool: chat with PDFs, document parsing, field extraction, and document splitting. Offered as a consumer web app, a Chrome extension, and a developer-facing REST API (Parse/Extract/Split/Ask endpoints). The same company also operates several adjacent single-purpose tools (Resume AI scanner, Invoice AI scanner, Quiz AI generator, PDF generator, QuickyAI, Docsium) linked from the PDF.ai footer, which are out of scope for this assessment.
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
source: pdf.aiYour uploaded documents undergo encryption both during storage and while being transferred. They are securely stored by our data storage provider, who holds a SOC2 Type II certification.
No public evidence found. Not mentioned on the homepage, privacy policy, or FAQ.
source: pdf.aiNo public evidence found. The privacy policy does not use the word 'GDPR' anywhere, does not name a legal basis for EU processing, and does not mention Standard Contractual Clauses or an EU representative.
No public evidence found. Not mentioned anywhere on the vendor's site; no Business Associate Agreement (BAA) offering is advertised.
No public evidence found. Payment handling is not described on the vendor's own domain (likely delegated to a third-party payment processor, but this is not documented by the vendor).
No public evidence found. Not mentioned anywhere on the vendor's site.
No public evidence found. Not mentioned anywhere on the vendor's site.
No public evidence found on the vendor's own domain. A third-party aggregator (Nudge Security) lists 'CSA Star Level 1 Compliant' as a badge with no methodology or sourcing shown; not corroborated anywhere on pdf.ai.
No public evidence found on the vendor's own domain, and implausible for a small consumer/API tool of this size. Same third-party aggregator (Nudge Security) lists 'FedRamp Compliant' with no supporting documentation.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not disclosed. FAQ only states documents are 'securely stored by our data storage provider' without naming the provider or region.
Neither the privacy policy nor the FAQ makes any statement about whether uploaded documents or chat content are used to train AI models, and no opt-out mechanism is documented. Given the product routes document text through third-party/first-party LLMs to answer questions, some processing by model providers is inherent to the feature, but the vendor does not disclose which model providers are used, their retention terms, or a no-training commitment.
// Security controls
Encryption in transit and at rest
"Your uploaded documents undergo encryption both during storage and while being transferred."
pdf.aiStorage subprocessor certification (not PDF.ai's own)
FAQ states documents are stored by an unnamed 'data storage provider' that holds SOC 2 Type II - this is the host/subprocessor's certification, not a PDF.ai/Three Sigma AI certification.
pdf.aiPrivate processing option
"We offer a private document option for processing PDF documents. By choosing this option, your documents will never come into contact with our cloud storage."
pdf.aiFile deletion claim
Homepage API section states "Enterprise-grade security, files deleted after processing" for the API product; not detailed further (no retention window given) and not repeated in the privacy policy.
pdf.aiThird-party data sharing
"We do not sell or share your personal information with third parties except as required by law or as necessary to fulfill your requests."
pdf.aiTrust Center / Security Portal
Not available. No dedicated security or trust page exists in the site's sitemap.
Bug bounty / vulnerability disclosure program
Not mentioned anywhere on the vendor's site.
// Products & data scope
data: Uploaded PDFs are stored (unless the private-processing option is used) and processed to answer user questions.
Free plan (200 credits/month) plus paid tiers ($49-$599/month) differentiated purely by monthly credit volume, not by data-handling or security posture.
data: Documents submitted via REST API for OCR/layout parsing, field extraction, or splitting; marketed as deleting files after processing.
Usage-based credit pricing, same underlying infra as the consumer app; no separate enterprise security tier or BAA/DPA offering found.
data: Chat with PDFs encountered while browsing.
Referenced in footer navigation; no separate privacy terms found for the extension specifically.
// What to watch
- OVER-CLAIM RISK: A third-party aggregator (Nudge Security) lists PDF.ai as 'SOC 2 Compliant', 'ISO 27001 Compliant', 'HIPAA Compliant', 'PCI Compliant', 'GDPR Compliant', 'FedRamp Compliant', and 'CSA Star Level 1 Compliant' with no disclaimer, methodology, or sourcing shown. None of these are corroborated on the vendor's own domain (privacy policy, FAQ, homepage). FedRAMP in particular is implausible for a 2-10 person bootstrapped consumer/API tool. Do not surface these aggregator badges as vendor-confirmed certifications.
- HOST-VS-VENDOR CONFUSION: The FAQ's only certification-adjacent statement ('our data storage provider... holds a SOC2 Type II certification') is about an unnamed subprocessor, not PDF.ai/Three Sigma AI itself. Marketing language could be misread by a buyer as PDF.ai being SOC 2 certified.
- IDENTITY: The vendor's own site (privacy policy, footer) never states its legal entity name. 'Three Sigma AI' as the operating company and founder Sergey Filimonov were corroborated via Crunchbase, LinkedIn, and threesigma.ai, not via pdf.ai's own domain - treat with medium confidence.
- NO AI-TRAINING STATEMENT: No opt-in/opt-out language, no named model providers, and no retention commitment for chat/document content is published anywhere on the vendor's site.
- THIN PRIVACY POLICY: The privacy policy is generic and short; it does not mention GDPR, CCPA, data retention windows, encryption, subprocessors, or a DPA.
- NO DEDICATED TERMS OF SERVICE PAGE FOUND: Only a privacy policy exists in the site's sitemap; a separate Terms of Service URL could not be located.
// At a glance
Pricing model
Freemium, usage-based credits (Free 200 credits/mo; Starter $49; Pro $99; Scale $249; Growth $599; custom enterprise credits available on request)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Three Sigma AI (dba PDF.ai)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pdf.ai