// Trust & Security Report

    People.ai, Inc. (d/b/a Backstory) logo

    People.ai, Inc. (d/b/a Backstory)

    Backstory (formerly People.ai) — AI-powered revenue intelligence platform for sales teams, providing deal risk analysis, pipeline intelligence, and CRM hygiene through automatic activity capture from email, meetings, calls, and chat integrations.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 certification validates security controls over time

    Verify on backstory.ai
    ISO 27001
    HELD

    ISO 27001 framework with information security program based on NIST and ISO 27001 frameworks

    Verify on backstory.ai
    ISO 27701 (Privacy Management)
    HELD

    ISO 27701:2019 — Privacy management extension to ISO 27001, represents dedication to data privacy

    Verify on dbta.com
    ISO 27017 (Cloud Security)
    HELD

    ISO 27017:2015 — Cloud security standard for secure cloud computing environments

    Verify on dbta.com
    CSA STAR Level Two
    HELD

    CSA STAR Level Two — Cloud Security Alliance certification denoting vigorous cloud security protocols

    Verify on backstory.ai
    GDPR
    HELD

    GDPR compliant. Data Processing Agreement (DPA) applies when processing personal data subject to GDPR

    Verify on backstory.ai
    CCPA
    HELD

    CCPA compliant — meets requirements for handling personal data from California residents

    Verify on backstory.ai
    > Show 4 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification found on vendor domain

    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification found on vendor domain

    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor domain

    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 or AI-specific governance certifications found

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US (AWS-based infrastructure; no documented options for EU or other regional data residency)

    Service Agreement Section 5.4 permits Backstory to use Customer Data for AI model training to 'improve and modify the Services (including for training or retraining artificial intelligence models)' without explicit per-instance consent. However, training of GenAI Systems models requires explicit prior written consent. Model Data (aggregated insights) remain Backstory property. This is a default-enabled training model, not default-disabled.

    // Security controls

    Encryption in transit

    All data encrypted in transit within Backstory environment

    backstory.ai

    Encryption at rest

    All data encrypted at rest within Backstory environment

    backstory.ai

    Infrastructure

    AWS with highly available configuration; DDoS protection via AWS Shield; 99.5% uptime SLA

    backstory.ai

    Security governance

    NIST-based information security program; Chief Information Security Officer (Victor Chang) in place

    backstory.ai

    Penetration testing

    Regular pen testing with Google Mandiant noted as security practice

    backstory.ai

    // Products & data scope

    Backstory (Revenue Intelligence Platform)Sales & Revenue Intelligence

    data: CRM data (Salesforce, Microsoft Dynamics), emails, meetings, calls, chat integrations (Zoom, Teams, Outlook); automatic activity capture and aggregation

    Single unified product family; formerly branded as People.ai; rebranded to Backstory in April 2026; designed for sales leaders and CROs; provides deal risk analysis, pipeline intelligence, and CRM hygiene

    // What to watch

    • AI TRAINING ON CUSTOMER DATA: Service Agreement Section 5.4 permits default AI training on Customer Data for service improvement. This is not a 'no training' posture. GenAI model training requires explicit written consent, but non-GenAI model training is enabled by default. Customers should verify training opt-out mechanisms or restrictions in their contract.
    • NO HIPAA CERTIFICATION: Backstory holds no public HIPAA certification, making it unsuitable for healthcare organizations handling PHI without additional contractual safeguards.
    • DATA RESIDENCY LIMITED: No documented data residency options beyond US (AWS-based). Organizations requiring EU/UK/APAC data storage should verify with vendor directly.
    • IDENTITY CLARITY: Company rebranded from People.ai to Backstory in April 2026. Evidence correctly identifies the legal entity as People.ai, Inc. d/b/a Backstory (San Carlos, CA). No conflation risk; evidence is consistent.
    • CERTIFICATIONS VERIFIED: All claimed certifications (SOC 2 Type 2, ISO 27001, ISO 27701, ISO 27017, CSA STAR) are independently audited and publicly documented. No over-claims detected.

    // At a glance

    Pricing model

    Not public; vendor-provided demo and pricing inquiry required

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on People.ai, Inc. (d/b/a Backstory)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    backstory.ai

    > Browse all vendor trust reports