// Trust & Security Report

    Pictory, Corp. logo

    Pictory, Corp.

    AI text-to-video generation platform (Pictory.ai): script/blog/URL/PPT/image-to-video, AI avatars, AI Studio image/video generation, plus a separate Pictory API product and an Enterprise tier with Pictory Central video hosting.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    SOC 2 Compliant (trust center compliance tile); homepage/privacy-policy footer badge reads 'SOC 2 & GDPR compliant'. Report type (Type I vs Type II) is not specified on the public trust center page.

    Verify on pictory-corp.trust.site
    ISO 27001
    HELD

    ISO 27001 Compliant (trust center compliance tile).

    Verify on pictory-corp.trust.site
    GDPR
    HELD

    'SOC 2 & GDPR compliant' badge shown on the pictory.ai homepage footer (confirmed in raw scraped page text); Privacy Policy also describes GDPR-aligned data subject rights and international transfer language. Note: this is a self-declared compliance posture, not a third-party GDPR certification (no such formal certification scheme is referenced).

    Verify on pictory.ai
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA or Business Associate Agreement (BAA) language found in the Terms of Service or Privacy Policy; ToS directs regulated-data customers to 'contact Pictory's sales team.' Not listed on the trust center. No public evidence of HIPAA compliance.

    source: pictory.ai
    PCI DSS
    NOT CONFIRMED

    Privacy Policy states payments are processed via Stripe and PayPal ('powered by Stripe and PayPal'), i.e. PCI scope is handled by the payment processors, not by Pictory itself. Not listed as a Pictory-held certification on the trust center. No public evidence Pictory itself holds PCI DSS.

    source: pictory.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on pictory.ai or the trust center. Not listed among the two trust-center compliance tiles (SOC 2, ISO 27001). A third-party SaaS-security aggregator page (not the vendor's own domain) claims FedRAMP compliance, but this could not be verified on any Pictory-owned page and is treated as an unverified/likely inaccurate third-party claim.

    source: pictory-corp.trust.site
    CSA STAR
    NOT CONFIRMED

    No public evidence on pictory.ai or the trust center. A third-party aggregator claims 'CSA Star Level 1' but this is not corroborated by any vendor-owned page.

    source: pictory-corp.trust.site
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO 42001 or any AI-governance-specific certification on pictory.ai or the trust center.

    source: pictory-corp.trust.site

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States (Privacy Policy: 'Our production data is processed and hosted in the United States on a self serve platform.')

    Terms of Service state: 'Pictory will not use your Customer Content or Pictoried Content to train or fine-tune its general artificial intelligence or machine learning models, except as expressly agreed by you in writing.' Pictory does reserve the right to use content in a 'non-identifiable aggregated manner' for evaluating/improving the service. No explicit free-vs-paid-tier distinction on training policy was found; the same ToS applies across tiers. No dedicated DPA download/self-serve link was found on the privacy policy or trust center pages during this review.

    // Security controls

    Encryption in transit

    Privacy Policy states personal information transfers are made 'in encrypted formats'; trust center lists 'Encryption in Transit' as a data-security control category.

    pictory.ai

    Encryption at rest

    Trust center lists 'Encryption at Rest' under its Data Security control category (control name only; no further technical detail publicly disclosed).

    pictory-corp.trust.site

    Access monitoring

    Trust center lists 'Access Monitoring' under Data Security controls.

    pictory-corp.trust.site

    Network security

    Trust center lists Firewall, Data Loss Prevention, and Virtual Private Cloud under Network Security controls.

    pictory-corp.trust.site

    Application security

    Trust center lists Code Analysis, Software Development Life Cycle, and Credential Management under App Security controls.

    pictory-corp.trust.site

    Endpoint security

    Trust center lists Disk Encryption and Threat Detection under Endpoint Security controls.

    pictory-corp.trust.site

    Policy documentation

    Trust center publishes 33+ named policy/procedure documents (e.g. Acceptable Usage Policy, Access Control Policy, Data Retention Policy, Incident Management Procedure); no downloadable SOC 2 report, audit certificate, penetration-test report, or subprocessor list was found publicly accessible without a request/NDA.

    pictory-corp.trust.site

    // Products & data scope

    Pictory Starter/Professional (self-serve)Consumer / prosumer text-to-video generation

    data: User-uploaded scripts, blogs, URLs, images, and generated video content; 1 seat per account.

    Lowest tiers; same ToS/privacy terms apply as higher tiers per available evidence.

    Pictory TeamTeam collaboration video generation

    data: Shared workspace content across 3+ seats, team Brand Kits, shared storage.

    Adds team workspace and collaboration features; no distinct security posture disclosed vs self-serve tiers.

    Pictory EnterpriseEnterprise video generation + hosting

    data: 10+ seats, custom allocations, Pictory Central (interactive video hosting), SSO.

    Enterprise tier adds SSO and a dedicated success manager; likely the tier through which a DPA/BAA could be negotiated via sales, though this was not directly confirmed on a public page.

    Pictory APIDeveloper / programmatic video generation

    data: Programmatic submission of content for automated video generation at scale.

    Offered as a separate custom-priced product; no distinct security/compliance documentation found for the API specifically.

    // What to watch

    • Trust center (pictory-corp.trust.site) shows SOC 2 and ISO 27001 as 'Compliant' but does not disclose SOC 2 report type (Type I vs Type II) or provide a downloadable report publicly.
    • A third-party SaaS-security aggregator page (not a Pictory-owned domain) claims Pictory also holds PCI DSS, HIPAA, FedRAMP, and CSA STAR Level 1 certifications. None of these could be corroborated on pictory.ai or the vendor's own trust center, which lists only SOC 2 and ISO 27001. This looks like an over-claim/inaccurate aggregation by the third-party site and should not be treated as vendor-confirmed.
    • PCI-related payment security is provided by Stripe/PayPal (the payment processors), not by Pictory directly - do not conflate this with a Pictory-held PCI DSS certification.
    • No explicit DPA download link or HIPAA/BAA offering was found; enterprise customers with regulated data are directed to contact sales, so DPA/BAA availability could not be confirmed as a public self-serve fact.

    // At a glance

    Pricing model

    Freemium/subscription (Starter, Professional, Team) plus custom-priced Enterprise and a separate API product.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pictory, Corp.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pictory-corp.trust.site

    > Browse all vendor trust reports