// Trust & Security Report
Mellis, Inc. (dba Pika)
Consumer/prosumer generative AI video platform (pika.art / pika.me): text-to-video, image-to-video, and effects tools (Pikaffects, Pikascenes, Pikadditions, Pikaswaps, Pikatwists, Pikaframes). Also offers 'Pika Agent' (persistent AI creative agent), 'Pika MCP' (MCP server exposing Pika's models to third-party agents), and a Pika API that is delivered through a third party, Fal.ai, rather than a first-party Pika-hosted API.
Certifications held
0
Maturity
Startup
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
source: pika.artNo public evidence. Not mentioned on pika.art home page, Privacy Policy, Terms of Service, or Acceptable Use Policy; no dedicated trust/security page exists on the domain.
source: pika.artNo public evidence. Term 'ISO' does not appear anywhere in Pika's Privacy Policy or Terms of Service.
source: pika.artPika demonstrates a GDPR-aware posture (not a certification, since GDPR has none) rather than a verified attestation: the Privacy Policy names Mellis, Inc. as controller, describes EEA/UK data-subject rights, and states 'we rely on appropriate legal mechanisms ... including the Standard Contractual Clauses ("SCCs") ... and the UK Data Transfer Addendum.' Graded held=false because this is a self-declared policy posture, not a third-party-verified certification.
source: pika.artNo public evidence. Acceptable Use Policy / Terms of Service instead prohibit uploading 'personal, financial, or sensitive information (such as government IDs, social security numbers, or health data) without proper authorization or consent' -- indicating the product is not positioned for regulated health data.
source: pika.artNo public evidence. Payment processing is handled by a third-party payment processor per the Privacy Policy, but no PCI DSS attestation for Pika/Mellis, Inc. itself is published.
source: pika.artNo public evidence on vendor domain. A third-party SaaS-inventory tool's AI-generated summary claimed Pika holds FedRAMP, but Pika's own listed 'Security Certifications' section on that same third-party profile is empty, and no certification is referenced anywhere on pika.art.
source: pika.artNo public evidence of an AI-governance certification on vendor domain.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States (Mellis, Inc. is based in Palo Alto, CA). Privacy Policy states personal information may be processed, stored, and transferred internationally, including to the US, with SCCs and the UK Data Transfer Addendum used for EEA/UK/Switzerland transfers. No dedicated EU/regional data residency option is offered.
Terms of Service state: 'Pika may use Content -- including Inputs, Outputs, and your interactions with the Service -- to train, improve, and develop its machine learning models, algorithms, and related technologies and services.' The Privacy Policy similarly states content may be used 'for training, evaluation, moderation, and optimization purposes' where permitted by law or with consent. No opt-out mechanism for this general training use was found anywhere on the site (the only 'opt out' language in the Terms concerns opting out of arbitration, not AI training). One carve-out exists: data submitted specifically to build a user's 'AI Self' (likeness/voice/personal characteristics) is stated to be used only for that AI Self and not to train other models. No enterprise/no-training tier is advertised; the pricing page lists only Basic/Standard/Pro/Fancy consumer subscription tiers with identical data-handling language.
// Security controls
Encryption in transit
Sensitive information (e.g. payment details) is 'transmitted using encryption technologies such as SSL.' Policy does not describe blanket TLS coverage for all traffic.
pika.artInfrastructure security
General statement only: 'Information you provide is stored on secure servers behind firewalls.' No architecture, hosting provider, or audit detail disclosed.
pika.artData retention
Personal information retained only as long as necessary for the purpose collected. Biometric data (facial scans/voice recordings) retained for up to 3 years after account deletion, whichever is earlier. On full 'AI Self' account deletion, associated data is stated to be permanently deleted.
pika.artVulnerability / audit program
n/a -- no penetration testing, bug bounty, or audit program disclosed on vendor domain
pika.artSub-processors / API delivery
Pika's public API is delivered through third-party platform Fal.ai ('Get the power of Pika's video models from the comfort of your own product on Fal AI'), rather than a first-party Pika-hosted API endpoint -- meaning API customer data flows through Fal.ai's infrastructure and security posture, not solely Pika's.
pika.art// Products & data scope
data: User-uploaded images, video, text prompts, voice samples, generated outputs, account/billing info
Subscription tiers: Basic (free), Standard ($8/mo), Pro ($28/mo), Fancy ($76/mo billed yearly). No enterprise tier or dedicated business data-handling terms found.
data: Biometric-adjacent data: facial scans, voice samples, likeness, personal characteristics used to build an autonomous agent that interacts with other users
Per ToS, data used for a given AI Self is scoped to that AI Self only and is not used to train Pika's general models; deleted on account deletion. This is the most sensitive data category Pika handles and warrants extra buyer scrutiny for any PII/biometric-averse use case.
data: Prompts and content routed from third-party AI agents into Pika's generation models
Described as giving 'any existing agent the ability to make rich content with access to the best creative models and Pika-made skills.' No separate data-handling terms found for this surface.
data: API requests/content submitted by developers integrating Pika's video models
Delivered via Fal.ai (third-party inference platform), not a first-party Pika API endpoint. Buyers evaluating the API should independently review Fal.ai's security posture as a data processor in this flow.
// What to watch
- OVER-CLAIM RISK: A third-party SaaS-inventory/security-profile aggregator's AI-generated search summary asserted Pika holds SOC 2, GDPR, ISO 27001, FedRAMP, and CSA STAR certifications. Direct inspection of that same vendor's own profile page for Pika showed an empty 'Security Certifications' section, and none of these certifications appear anywhere on pika.art (home page, Privacy Policy, Terms of Service, Acceptable Use Policy, Pricing, or API page). This is graded as a fabricated/hallucinated third-party summary, not vendor evidence, and none of these certs are marked held=true.
- IDENTITY-CONFLATION RISK: Search results also surfaced two differently-named/differently-domained companies that appear to hold real certifications and could easily be confused with this vendor: (1) 'Pica' / Pica9, Inc. (pica9.com, picaos.com) -- a marketing/agentic-tooling company with a genuine SOC 2 Type II press release, and (2) 'Pika' at pika.tools -- a separate 'AI agent platform' distinct from pika.art that is reported to hold SOC 2/ISO 27001/HIPAA. Neither of these is the vendor in this evidence file (pika.art / Mellis, Inc.); no certifications from either were credited to this vendor.
- No DPA (Data Processing Agreement) or dedicated trust/security page could be found on pika.art -- notable for any team-plan or API buyer needing standard vendor security documentation.
- AI training on customer content is on by default with no visible opt-out for the general product (only an arbitration opt-out exists in the ToS); enterprise/regulated buyers should treat this as a hard blocker until Pika publishes an opt-out or no-training tier.
- Terms of Service prohibit users from uploading health data, government IDs, or SSNs -- consistent with, but not a substitute for, an actual HIPAA/PCI compliance program.
// At a glance
Pricing model
Consumer subscription (credit-based), monthly/yearly billing, four tiers from free to $76/mo; no published enterprise/custom pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mellis, Inc. (dba Pika)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pika.art