// Trust & Security Report

    Inflection AI, Inc. logo

    Inflection AI, Inc.

    Pi is a consumer conversational AI assistant (web at pi.ai / hey.pi.ai, iOS/Android apps) built by Inflection AI. Inflection AI also offers a developer API (developers.inflection.ai) and "Inflection for Enterprise" (on-prem/hybrid deployment of fine-tuned models, co-developed with Intel).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture, not a certification)
    HELD

    "For residents of the EEA and UK... we use appropriate safeguards for transferring data, including signing Standard Contractual Clauses" and lists an EU representative: "DataRep, at The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland", reachable at inflectionai@datarep.com, plus a DPO contact at privacy@inflection.ai

    Verify on inflection.ai
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence on any inflection.ai page (privacy policy, enterprise page, or footer) of a SOC 2 report or attestation. A SOC 2 Type 2 announcement exists but belongs to "Inflection.io", a separate revenue-marketing SaaS company with a similar name and a different domain (inflection.io) - not Inflection AI, Inc. (inflection.ai), the maker of Pi. This is a name-collision, not evidence for this vendor.

    source: inflection.ai
    ISO 27001
    NOT CONFIRMED

    no public evidence - not mentioned on inflection.ai privacy policy, enterprise page, or training-data-transparency-statement page

    source: inflection.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    no public evidence of ISO 42001 certification on any inflection.ai page

    source: inflection.ai
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    no public evidence found on inflection.ai domain

    source: inflection.ai
    HIPAA
    NOT CONFIRMED

    no public evidence of HIPAA compliance or BAA availability; Privacy Policy makes no health-data-specific commitments despite Pi's use for emotional/personal conversations

    source: inflection.ai
    PCI DSS
    NOT CONFIRMED

    no public evidence; Pi's consumer app does not appear to process payment cards directly (subscriptions likely via app stores)

    source: inflection.ai
    FedRAMP
    NOT CONFIRMED

    no public evidence found on inflection.ai domain

    source: inflection.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States (Inflection AI's "computer systems are based in the United States, so personal information will be processed there"); EU/UK users' data is transferred under Standard Contractual Clauses; Inflection for Enterprise offers customer-controlled deployment location ("purpose-built server" / on-prem / hybrid) to help meet data-locality requirements

    Inflection AI explicitly trains/fine-tunes models on product usage data: "Inflection AI continues to improve its services, including by post-training and fine-tuning models, based on information from our products and services." Users can opt out of this via account settings per the privacy policy. The company states personal information is not intentionally used for training ("it is not our intention to train our models on personal information") and describes privacy-by-design safeguards. Data retention for Pi: user inputs are kept "at most 15 days after user deletion" (longer for fraud/security/legal/financial-recordkeeping reasons), while outputs are retained indefinitely. The API Terms of Service separately state Inflection may use aggregated, anonymized API performance data to improve products. No explicit statement was found distinguishing training posture for consumer Pi vs. API vs. Inflection for Enterprise customers - enterprise marketing implies customer-owned/isolated fine-tuned models ("fine-tuned models that are the customer's alone and never shared outside their organization") but this was not corroborated by a dedicated enterprise DPA or contract-terms page reviewed here.

    // Security controls

    Trust center / security page

    None found. No dedicated security or trust page exists on inflection.ai or pi.ai; only a Privacy Policy, Terms of Service, and a Training Data Transparency Statement are published.

    inflection.ai

    Third-party processors

    Privacy Policy discloses that personal information is shared with "vendors, service providers, contractors and consultants" for web hosting, cloud computing/storage, maintenance, security, content moderation, marketing/advertising, and customer support, without naming specific subprocessors.

    inflection.ai

    Encryption in transit / at rest

    Not documented on any vendor-domain page reviewed - no public evidence.

    inflection.ai

    Enterprise deployment isolation

    Enterprise marketing claims customer-owned fine-tuned models that are "never shared outside their organization," with hosting choice of on-premises, cloud, or hybrid via Intel Gaudi / Intel Tiber AI Cloud - a data-locality and isolation control for the enterprise tier only, not verified with independent proof beyond the marketing page.

    inflection.ai

    // Products & data scope

    Pi (consumer app / web)Consumer conversational AI / companion chatbot

    data: Collects account info, free-text/voice inputs, device/usage data, and derived emotional-state inferences (opt-out available for emotion inference). Inputs deleted within ~15 days of account deletion; outputs retained indefinitely.

    Primary product evaluated. No enterprise-grade security controls or certifications surfaced for this consumer tier.

    Inflection AI APIDeveloper API access to Inflection's LLM

    data: API Terms of Service permit aggregated, anonymized use of API performance data for product improvement; prohibits sending regulated personal information through the API.

    Separate legal terms (developers.inflection.ai/tos) from the consumer Pi product; no certifications disclosed.

    Inflection for EnterpriseEnterprise/on-prem generative AI deployment (with Intel)

    data: Customer-owned fine-tuned models; deployable on-prem, cloud, or hybrid to meet data-locality needs.

    Marketing-stage claims about isolation and locality; no independent compliance documentation (SOC 2, ISO 27001, DPA template) was found to substantiate enterprise-grade claims.

    // What to watch

    • Identity-conflation risk: a widely-indexed 'SOC 2 Type 2' announcement belongs to Inflection.io (a revenue-marketing SaaS company), not Inflection AI, Inc. (pi.ai / inflection.ai). Do not credit Pi with this certification.
    • No trust center or dedicated security page found on the vendor's own domain (pi.ai or inflection.ai) - only privacy policy, ToS, and a training-data transparency statement.
    • Pi is marketed for emotionally sensitive, personal conversations, but the vendor makes no HIPAA commitment and no explicit statement that health-adjacent disclosures receive special handling.
    • Consumer product trains on user interaction data by default (with an opt-out); no vendor-domain evidence of a formal DPA template or enterprise data-processing addendum was located.
    • Evidence-capture for pi.ai/policy returned HTTP 403 (likely bot protection); privacy content was instead confirmed via the same-entity inflection.ai/privacy-policy page, which is Inflection AI, Inc.'s own domain, so identity is not in question, but a direct pi.ai-hosted policy fetch could not be independently verified live.

    // At a glance

    Pricing model

    Freemium consumer app (Pi); usage-based/commercial terms for the developer API; custom/enterprise contracts for Inflection for Enterprise

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Inflection AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    inflection.ai

    > Browse all vendor trust reports