// Trust & Security Report
Pepper Content, Inc. (product rebranded from "Peppertype.ai" to "Pepper")
Originally launched in 2020 as Peppertype.ai, a GPT-powered AI writing assistant. The company has since fully rebranded to "Pepper" (pepper.inc) - an AI + human-expert content, SEO/GEO, and creative growth platform. Sub-products include Pepper Creator (content production), Pepper Atlas (autonomous SEO/GEO AI agents), and a Talent Marketplace of freelance content experts. The standalone Peppertype.ai tool and peppercontent.io domain now redirect into this unified Pepper platform.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pepper.inc“"This Policy has been drafted and published in accordance with the IT Act, IT Rules, CCPA, COPPA, DOPPA, and GDPR." / "The Users located in European Countries have the right to complain to a data protection authority about Our collection and Use of Your Personal Data and Sensitive Data in accordance with GDPR."”
> Show 8 unconfirmed / not-held certifications
source: pepper.incNo public evidence on Pepper's own domain (pepper.inc / peppercontent.io). Privacy policy, terms of service, security-related marketing pages, and sitemap contain no SOC 2 reference. A third-party vendor-risk site (Nudge Security) lists Pepper Content as 'SOC 2 Compliant', but this is not corroborated anywhere on the vendor's own domain and could not be independently verified.
source: pepper.incNo public evidence on Pepper's own domain. The only site occurrence of "ISO 27001" is in an unrelated blog post about choosing third-party ecommerce marketing automation platforms in general, not a claim about Pepper itself.
source: pepper.incNo public evidence. HIPAA is not mentioned anywhere on Pepper's privacy policy, terms of service, or marketing pages. Pepper is a content/SEO/creative marketing platform, not a healthcare data processor.
source: pepper.inc"Financial Information shall be collected using third-party intermediary PCI-DSS compliant service providers." - this describes Pepper's payment processor's certification, not a PCI-DSS certification of Pepper itself.
source: pepper.incNo public evidence found on vendor domain or via search.
source: pepper.incNo public evidence found on vendor domain or via search. No AI-governance certification is referenced anywhere on Pepper's site despite heavy AI-agent marketing (Atlas, Pepper AI).
source: pepper.incNo public evidence on vendor domain. A third-party vendor-risk profile (Nudge Security) lists 'CSA Star Level 1 Compliant' but this is not corroborated by any vendor-domain source and could not be verified.
source: pepper.incNo public evidence and implausible for this product category. A third-party vendor-risk profile (Nudge Security) lists 'FedRamp Compliant' with no supporting detail; this appears to be an automated/generic badge rather than a verified authorization and is not corroborated anywhere on Pepper's own domain.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not clearly published. Privacy policy states data may be stored via third-party cloud providers and that data from users outside India may be transferred to India for processing ("We may transfer such Personal Data to India to process the same"). No explicit EU/US data-residency guarantee or region selection is offered on the public site.
No explicit statement found on the privacy policy or terms of service about whether customer content/prompts are used to train Pepper's AI/agent models (Atlas, Pepper AI), and no opt-out mechanism is described. Marketing/blog pages describe 'AI agents trained on your brand, data, and processes' for the Atlas product but do not clarify data-training mechanics, retention, or opt-out in a verifiable, quotable way. Treat as unconfirmed pending direct vendor confirmation.
// Security controls
Encryption in transit / at rest
Only a general marketing claim: "Protected content and encrypted workflows designed for enterprise use." No specifics (TLS version, at-rest encryption standard, key management) are published.
pepper.incBreach notification
"We will notify as soon as possible but no later than 72 (seventy-two) hours from when We determine that Our systems have been hacked."
pepper.incData retention / deletion
Deletion requests processed "within 30 (thirty) days" of receipt; data otherwise retained "for as long as it is necessary to provide Our Services" or as required by law.
pepper.incPayment data handling
Financial information is collected via third-party PCI-DSS compliant payment processors rather than processed directly by Pepper.
pepper.incThird-party/cloud hosting
"Your Personal Data may also be stored by third parties via cloud services or other technology with whom the Company has contracted." Specific cloud providers are not named on the vendor's own site (a third-party vendor-risk scanner lists AWS, Google Cloud, and Cloudflare in its supply-chain inference, unverified against vendor-domain sources).
pepper.incGoogle API data use
"Our app complies with Google API Services User Data Policy, including the Limited Use requirements."
pepper.inc// Products & data scope
data: User prompts and generated marketing copy
The original 2020-launched product that matches this listing's slug. No longer marketed as a standalone product; peppercontent.io now 301-redirects into pepper.inc. Trustpilot reviews (~1.7/5) report lifetime-deal customers losing access after the 2024 rebrand - a reliability/trust concern independent of security posture.
data: Client briefs, brand guidelines, drafts, and produced content assets
Managed-service model connecting brands to vetted freelance writers/creators, layered with AI tooling.
data: Website/content data, competitive and search visibility data, brand entity data
Positioned for enterprise use ("enterprise controls", audit trails referenced in marketing) but no independent security certification is published to substantiate enterprise-grade claims.
data: Freelancer profiles/portfolios and client project data
Connects brands with subject-matter-expert freelancers; standard marketplace data flows.
// What to watch
- Over-claim risk: a third-party vendor-risk profile (Nudge Security) lists Pepper Content as SOC 2, ISO 27001, GDPR, HIPAA, PCI, FedRAMP, and CSA STAR compliant, but none of these (except a GDPR-aware privacy policy) appear anywhere on Pepper's own domain (pepper.inc / peppercontent.io). This pattern (a broad, unverified compliance badge set with FedRAMP for a mid-market content/SEO platform) looks like an automated inference rather than a genuine, audited certification. Do not surface these badges without direct vendor confirmation (e.g., a signed attestation or trust-center link).
- Identity/product drift: this listing's slug ("peppertype-ai") refers to the original Peppertype.ai product, which has been fully absorbed into the broader "Pepper" platform at pepper.inc following a 2024 rebrand. AIFOXX's listing should clarify this is now the Pepper platform, not the standalone legacy tool.
- PCI-DSS statement in the privacy policy describes Pepper's third-party payment processor's certification, not a certification held by Pepper itself - do not list PCI-DSS as a Pepper certification.
- No public trust center, security page, or downloadable DPA despite 'enterprise-grade' and 'enterprise controls' language in AI-agent marketing copy.
- AI-training posture on customer content (for Pepper Atlas / Pepper AI agents) is not clearly disclosed in the privacy policy; marketing copy alludes to agents trained on customer brand/data without a clear, quotable data-handling or opt-out statement.
- Independent reputational signal (not a security finding): Trustpilot rating around 1.7/5 with recurring complaints from legacy lifetime-deal customers losing access post-rebrand; relevant to buyer trust though outside strict security scope.
// At a glance
Pricing model
Not publicly listed; current site is demo/quote-based ("Book a demo") for enterprise engagements. Legacy Peppertype.ai previously sold self-serve subscription and lifetime-deal tiers, which were discontinued/altered in the 2024 rebrand.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pepper Content, Inc. (product rebranded from "Peppertype.ai" to "Pepper")'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pepper.inc