// Trust & Security Report

    Pepper Content, Inc. (product rebranded from "Peppertype.ai" to "Pepper") logo

    Pepper Content, Inc. (product rebranded from "Peppertype.ai" to "Pepper")

    Originally launched in 2020 as Peppertype.ai, a GPT-powered AI writing assistant. The company has since fully rebranded to "Pepper" (pepper.inc) - an AI + human-expert content, SEO/GEO, and creative growth platform. Sub-products include Pepper Creator (content production), Pepper Atlas (autonomous SEO/GEO AI agents), and a Talent Marketplace of freelance content experts. The standalone Peppertype.ai tool and peppercontent.io domain now redirect into this unified Pepper platform.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    "This Policy has been drafted and published in accordance with the IT Act, IT Rules, CCPA, COPPA, DOPPA, and GDPR." / "The Users located in European Countries have the right to complain to a data protection authority about Our collection and Use of Your Personal Data and Sensitive Data in accordance with GDPR."

    Verify on pepper.inc
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    No public evidence on Pepper's own domain (pepper.inc / peppercontent.io). Privacy policy, terms of service, security-related marketing pages, and sitemap contain no SOC 2 reference. A third-party vendor-risk site (Nudge Security) lists Pepper Content as 'SOC 2 Compliant', but this is not corroborated anywhere on the vendor's own domain and could not be independently verified.

    source: pepper.inc
    ISO 27001
    NOT CONFIRMED

    No public evidence on Pepper's own domain. The only site occurrence of "ISO 27001" is in an unrelated blog post about choosing third-party ecommerce marketing automation platforms in general, not a claim about Pepper itself.

    source: pepper.inc
    HIPAA
    NOT CONFIRMED

    No public evidence. HIPAA is not mentioned anywhere on Pepper's privacy policy, terms of service, or marketing pages. Pepper is a content/SEO/creative marketing platform, not a healthcare data processor.

    source: pepper.inc
    PCI DSS
    NOT CONFIRMED

    "Financial Information shall be collected using third-party intermediary PCI-DSS compliant service providers." - this describes Pepper's payment processor's certification, not a PCI-DSS certification of Pepper itself.

    source: pepper.inc
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on vendor domain or via search.

    source: pepper.inc
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence found on vendor domain or via search. No AI-governance certification is referenced anywhere on Pepper's site despite heavy AI-agent marketing (Atlas, Pepper AI).

    source: pepper.inc
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domain. A third-party vendor-risk profile (Nudge Security) lists 'CSA Star Level 1 Compliant' but this is not corroborated by any vendor-domain source and could not be verified.

    source: pepper.inc
    FedRAMP
    NOT CONFIRMED

    No public evidence and implausible for this product category. A third-party vendor-risk profile (Nudge Security) lists 'FedRamp Compliant' with no supporting detail; this appears to be an automated/generic badge rather than a verified authorization and is not corroborated anywhere on Pepper's own domain.

    source: pepper.inc

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not clearly published. Privacy policy states data may be stored via third-party cloud providers and that data from users outside India may be transferred to India for processing ("We may transfer such Personal Data to India to process the same"). No explicit EU/US data-residency guarantee or region selection is offered on the public site.

    No explicit statement found on the privacy policy or terms of service about whether customer content/prompts are used to train Pepper's AI/agent models (Atlas, Pepper AI), and no opt-out mechanism is described. Marketing/blog pages describe 'AI agents trained on your brand, data, and processes' for the Atlas product but do not clarify data-training mechanics, retention, or opt-out in a verifiable, quotable way. Treat as unconfirmed pending direct vendor confirmation.

    // Security controls

    Encryption in transit / at rest

    Only a general marketing claim: "Protected content and encrypted workflows designed for enterprise use." No specifics (TLS version, at-rest encryption standard, key management) are published.

    pepper.inc

    Breach notification

    "We will notify as soon as possible but no later than 72 (seventy-two) hours from when We determine that Our systems have been hacked."

    pepper.inc

    Data retention / deletion

    Deletion requests processed "within 30 (thirty) days" of receipt; data otherwise retained "for as long as it is necessary to provide Our Services" or as required by law.

    pepper.inc

    Payment data handling

    Financial information is collected via third-party PCI-DSS compliant payment processors rather than processed directly by Pepper.

    pepper.inc

    Third-party/cloud hosting

    "Your Personal Data may also be stored by third parties via cloud services or other technology with whom the Company has contracted." Specific cloud providers are not named on the vendor's own site (a third-party vendor-risk scanner lists AWS, Google Cloud, and Cloudflare in its supply-chain inference, unverified against vendor-domain sources).

    pepper.inc

    Google API data use

    "Our app complies with Google API Services User Data Policy, including the Limited Use requirements."

    pepper.inc

    // Products & data scope

    Peppertype.ai (legacy)AI writing assistant

    data: User prompts and generated marketing copy

    The original 2020-launched product that matches this listing's slug. No longer marketed as a standalone product; peppercontent.io now 301-redirects into pepper.inc. Trustpilot reviews (~1.7/5) report lifetime-deal customers losing access after the 2024 rebrand - a reliability/trust concern independent of security posture.

    Pepper Creator / Content MarketplaceHuman + AI content production service

    data: Client briefs, brand guidelines, drafts, and produced content assets

    Managed-service model connecting brands to vetted freelance writers/creators, layered with AI tooling.

    Pepper AtlasAutonomous AI agents for SEO / GEO (generative-engine optimization)

    data: Website/content data, competitive and search visibility data, brand entity data

    Positioned for enterprise use ("enterprise controls", audit trails referenced in marketing) but no independent security certification is published to substantiate enterprise-grade claims.

    Talent MarketplaceFreelance expert/creator marketplace

    data: Freelancer profiles/portfolios and client project data

    Connects brands with subject-matter-expert freelancers; standard marketplace data flows.

    // What to watch

    • Over-claim risk: a third-party vendor-risk profile (Nudge Security) lists Pepper Content as SOC 2, ISO 27001, GDPR, HIPAA, PCI, FedRAMP, and CSA STAR compliant, but none of these (except a GDPR-aware privacy policy) appear anywhere on Pepper's own domain (pepper.inc / peppercontent.io). This pattern (a broad, unverified compliance badge set with FedRAMP for a mid-market content/SEO platform) looks like an automated inference rather than a genuine, audited certification. Do not surface these badges without direct vendor confirmation (e.g., a signed attestation or trust-center link).
    • Identity/product drift: this listing's slug ("peppertype-ai") refers to the original Peppertype.ai product, which has been fully absorbed into the broader "Pepper" platform at pepper.inc following a 2024 rebrand. AIFOXX's listing should clarify this is now the Pepper platform, not the standalone legacy tool.
    • PCI-DSS statement in the privacy policy describes Pepper's third-party payment processor's certification, not a certification held by Pepper itself - do not list PCI-DSS as a Pepper certification.
    • No public trust center, security page, or downloadable DPA despite 'enterprise-grade' and 'enterprise controls' language in AI-agent marketing copy.
    • AI-training posture on customer content (for Pepper Atlas / Pepper AI agents) is not clearly disclosed in the privacy policy; marketing copy alludes to agents trained on customer brand/data without a clear, quotable data-handling or opt-out statement.
    • Independent reputational signal (not a security finding): Trustpilot rating around 1.7/5 with recurring complaints from legacy lifetime-deal customers losing access post-rebrand; relevant to buyer trust though outside strict security scope.

    // At a glance

    Pricing model

    Not publicly listed; current site is demo/quote-based ("Book a demo") for enterprise engagements. Legacy Peppertype.ai previously sold self-serve subscription and lifetime-deal tiers, which were discontinued/altered in the 2024 rebrand.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pepper Content, Inc. (product rebranded from "Peppertype.ai" to "Pepper")'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pepper.inc

    > Browse all vendor trust reports