// Trust & Security Report
Pictory, Corp.
AI text-to-video generation platform (Pictory.ai): script/blog/URL/PPT/image-to-video, AI avatars, AI Studio image/video generation, plus a separate Pictory API product and an Enterprise tier with Pictory Central video hosting.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pictory-corp.trust.site“SOC 2 Compliant (trust center compliance tile); homepage/privacy-policy footer badge reads 'SOC 2 & GDPR compliant'. Report type (Type I vs Type II) is not specified on the public trust center page.”
Verify on pictory.ai“'SOC 2 & GDPR compliant' badge shown on the pictory.ai homepage footer (confirmed in raw scraped page text); Privacy Policy also describes GDPR-aligned data subject rights and international transfer language. Note: this is a self-declared compliance posture, not a third-party GDPR certification (no such formal certification scheme is referenced).”
> Show 5 unconfirmed / not-held certifications
source: pictory.aiNo HIPAA or Business Associate Agreement (BAA) language found in the Terms of Service or Privacy Policy; ToS directs regulated-data customers to 'contact Pictory's sales team.' Not listed on the trust center. No public evidence of HIPAA compliance.
source: pictory.aiPrivacy Policy states payments are processed via Stripe and PayPal ('powered by Stripe and PayPal'), i.e. PCI scope is handled by the payment processors, not by Pictory itself. Not listed as a Pictory-held certification on the trust center. No public evidence Pictory itself holds PCI DSS.
source: pictory-corp.trust.siteNo public evidence on pictory.ai or the trust center. Not listed among the two trust-center compliance tiles (SOC 2, ISO 27001). A third-party SaaS-security aggregator page (not the vendor's own domain) claims FedRAMP compliance, but this could not be verified on any Pictory-owned page and is treated as an unverified/likely inaccurate third-party claim.
source: pictory-corp.trust.siteNo public evidence on pictory.ai or the trust center. A third-party aggregator claims 'CSA Star Level 1' but this is not corroborated by any vendor-owned page.
source: pictory-corp.trust.siteNo public evidence of ISO 42001 or any AI-governance-specific certification on pictory.ai or the trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States (Privacy Policy: 'Our production data is processed and hosted in the United States on a self serve platform.')
Terms of Service state: 'Pictory will not use your Customer Content or Pictoried Content to train or fine-tune its general artificial intelligence or machine learning models, except as expressly agreed by you in writing.' Pictory does reserve the right to use content in a 'non-identifiable aggregated manner' for evaluating/improving the service. No explicit free-vs-paid-tier distinction on training policy was found; the same ToS applies across tiers. No dedicated DPA download/self-serve link was found on the privacy policy or trust center pages during this review.
// Security controls
Encryption in transit
Privacy Policy states personal information transfers are made 'in encrypted formats'; trust center lists 'Encryption in Transit' as a data-security control category.
pictory.aiEncryption at rest
Trust center lists 'Encryption at Rest' under its Data Security control category (control name only; no further technical detail publicly disclosed).
pictory-corp.trust.siteAccess monitoring
Trust center lists 'Access Monitoring' under Data Security controls.
pictory-corp.trust.siteNetwork security
Trust center lists Firewall, Data Loss Prevention, and Virtual Private Cloud under Network Security controls.
pictory-corp.trust.siteApplication security
Trust center lists Code Analysis, Software Development Life Cycle, and Credential Management under App Security controls.
pictory-corp.trust.siteEndpoint security
Trust center lists Disk Encryption and Threat Detection under Endpoint Security controls.
pictory-corp.trust.sitePolicy documentation
Trust center publishes 33+ named policy/procedure documents (e.g. Acceptable Usage Policy, Access Control Policy, Data Retention Policy, Incident Management Procedure); no downloadable SOC 2 report, audit certificate, penetration-test report, or subprocessor list was found publicly accessible without a request/NDA.
pictory-corp.trust.site// Products & data scope
data: User-uploaded scripts, blogs, URLs, images, and generated video content; 1 seat per account.
Lowest tiers; same ToS/privacy terms apply as higher tiers per available evidence.
data: Shared workspace content across 3+ seats, team Brand Kits, shared storage.
Adds team workspace and collaboration features; no distinct security posture disclosed vs self-serve tiers.
data: 10+ seats, custom allocations, Pictory Central (interactive video hosting), SSO.
Enterprise tier adds SSO and a dedicated success manager; likely the tier through which a DPA/BAA could be negotiated via sales, though this was not directly confirmed on a public page.
data: Programmatic submission of content for automated video generation at scale.
Offered as a separate custom-priced product; no distinct security/compliance documentation found for the API specifically.
// What to watch
- Trust center (pictory-corp.trust.site) shows SOC 2 and ISO 27001 as 'Compliant' but does not disclose SOC 2 report type (Type I vs Type II) or provide a downloadable report publicly.
- A third-party SaaS-security aggregator page (not a Pictory-owned domain) claims Pictory also holds PCI DSS, HIPAA, FedRAMP, and CSA STAR Level 1 certifications. None of these could be corroborated on pictory.ai or the vendor's own trust center, which lists only SOC 2 and ISO 27001. This looks like an over-claim/inaccurate aggregation by the third-party site and should not be treated as vendor-confirmed.
- PCI-related payment security is provided by Stripe/PayPal (the payment processors), not by Pictory directly - do not conflate this with a Pictory-held PCI DSS certification.
- No explicit DPA download link or HIPAA/BAA offering was found; enterprise customers with regulated data are directed to contact sales, so DPA/BAA availability could not be confirmed as a public self-serve fact.
// At a glance
Pricing model
Freemium/subscription (Starter, Professional, Team) plus custom-priced Enterprise and a separate API product.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pictory, Corp.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pictory-corp.trust.site