// Trust & Security Report
Inflection AI, Inc.
Pi is a consumer conversational AI assistant (web at pi.ai / hey.pi.ai, iOS/Android apps) built by Inflection AI. Inflection AI also offers a developer API (developers.inflection.ai) and "Inflection for Enterprise" (on-prem/hybrid deployment of fine-tuned models, co-developed with Intel).
Certifications held
1
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on inflection.ai“"For residents of the EEA and UK... we use appropriate safeguards for transferring data, including signing Standard Contractual Clauses" and lists an EU representative: "DataRep, at The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland", reachable at inflectionai@datarep.com, plus a DPO contact at privacy@inflection.ai”
> Show 7 unconfirmed / not-held certifications
source: inflection.aiNo public evidence on any inflection.ai page (privacy policy, enterprise page, or footer) of a SOC 2 report or attestation. A SOC 2 Type 2 announcement exists but belongs to "Inflection.io", a separate revenue-marketing SaaS company with a similar name and a different domain (inflection.io) - not Inflection AI, Inc. (inflection.ai), the maker of Pi. This is a name-collision, not evidence for this vendor.
source: inflection.aino public evidence - not mentioned on inflection.ai privacy policy, enterprise page, or training-data-transparency-statement page
source: inflection.aino public evidence of ISO 42001 certification on any inflection.ai page
source: inflection.aino public evidence found on inflection.ai domain
source: inflection.aino public evidence of HIPAA compliance or BAA availability; Privacy Policy makes no health-data-specific commitments despite Pi's use for emotional/personal conversations
source: inflection.aino public evidence; Pi's consumer app does not appear to process payment cards directly (subscriptions likely via app stores)
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States (Inflection AI's "computer systems are based in the United States, so personal information will be processed there"); EU/UK users' data is transferred under Standard Contractual Clauses; Inflection for Enterprise offers customer-controlled deployment location ("purpose-built server" / on-prem / hybrid) to help meet data-locality requirements
Inflection AI explicitly trains/fine-tunes models on product usage data: "Inflection AI continues to improve its services, including by post-training and fine-tuning models, based on information from our products and services." Users can opt out of this via account settings per the privacy policy. The company states personal information is not intentionally used for training ("it is not our intention to train our models on personal information") and describes privacy-by-design safeguards. Data retention for Pi: user inputs are kept "at most 15 days after user deletion" (longer for fraud/security/legal/financial-recordkeeping reasons), while outputs are retained indefinitely. The API Terms of Service separately state Inflection may use aggregated, anonymized API performance data to improve products. No explicit statement was found distinguishing training posture for consumer Pi vs. API vs. Inflection for Enterprise customers - enterprise marketing implies customer-owned/isolated fine-tuned models ("fine-tuned models that are the customer's alone and never shared outside their organization") but this was not corroborated by a dedicated enterprise DPA or contract-terms page reviewed here.
// Security controls
Trust center / security page
None found. No dedicated security or trust page exists on inflection.ai or pi.ai; only a Privacy Policy, Terms of Service, and a Training Data Transparency Statement are published.
inflection.aiThird-party processors
Privacy Policy discloses that personal information is shared with "vendors, service providers, contractors and consultants" for web hosting, cloud computing/storage, maintenance, security, content moderation, marketing/advertising, and customer support, without naming specific subprocessors.
inflection.aiEncryption in transit / at rest
Not documented on any vendor-domain page reviewed - no public evidence.
inflection.aiEnterprise deployment isolation
Enterprise marketing claims customer-owned fine-tuned models that are "never shared outside their organization," with hosting choice of on-premises, cloud, or hybrid via Intel Gaudi / Intel Tiber AI Cloud - a data-locality and isolation control for the enterprise tier only, not verified with independent proof beyond the marketing page.
inflection.ai// Products & data scope
data: Collects account info, free-text/voice inputs, device/usage data, and derived emotional-state inferences (opt-out available for emotion inference). Inputs deleted within ~15 days of account deletion; outputs retained indefinitely.
Primary product evaluated. No enterprise-grade security controls or certifications surfaced for this consumer tier.
data: API Terms of Service permit aggregated, anonymized use of API performance data for product improvement; prohibits sending regulated personal information through the API.
Separate legal terms (developers.inflection.ai/tos) from the consumer Pi product; no certifications disclosed.
data: Customer-owned fine-tuned models; deployable on-prem, cloud, or hybrid to meet data-locality needs.
Marketing-stage claims about isolation and locality; no independent compliance documentation (SOC 2, ISO 27001, DPA template) was found to substantiate enterprise-grade claims.
// What to watch
- Identity-conflation risk: a widely-indexed 'SOC 2 Type 2' announcement belongs to Inflection.io (a revenue-marketing SaaS company), not Inflection AI, Inc. (pi.ai / inflection.ai). Do not credit Pi with this certification.
- No trust center or dedicated security page found on the vendor's own domain (pi.ai or inflection.ai) - only privacy policy, ToS, and a training-data transparency statement.
- Pi is marketed for emotionally sensitive, personal conversations, but the vendor makes no HIPAA commitment and no explicit statement that health-adjacent disclosures receive special handling.
- Consumer product trains on user interaction data by default (with an opt-out); no vendor-domain evidence of a formal DPA template or enterprise data-processing addendum was located.
- Evidence-capture for pi.ai/policy returned HTTP 403 (likely bot protection); privacy content was instead confirmed via the same-entity inflection.ai/privacy-policy page, which is Inflection AI, Inc.'s own domain, so identity is not in question, but a direct pi.ai-hosted policy fetch could not be independently verified live.
// At a glance
Pricing model
Freemium consumer app (Pi); usage-based/commercial terms for the developer API; custom/enterprise contracts for Inflection for Enterprise
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Inflection AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
inflection.ai