// Trust & Security Report

    Mellis, Inc. (dba Pika) logo

    Mellis, Inc. (dba Pika)

    Consumer/prosumer generative AI video platform (pika.art / pika.me): text-to-video, image-to-video, and effects tools (Pikaffects, Pikascenes, Pikadditions, Pikaswaps, Pikatwists, Pikaframes). Also offers 'Pika Agent' (persistent AI creative agent), 'Pika MCP' (MCP server exposing Pika's models to third-party agents), and a Pika API that is delivered through a third party, Fal.ai, rather than a first-party Pika-hosted API.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. Not mentioned on pika.art home page, Privacy Policy, Terms of Service, or Acceptable Use Policy; no dedicated trust/security page exists on the domain.

    source: pika.art
    ISO 27001
    NOT CONFIRMED

    No public evidence. Term 'ISO' does not appear anywhere in Pika's Privacy Policy or Terms of Service.

    source: pika.art
    GDPR
    NOT CONFIRMED

    Pika demonstrates a GDPR-aware posture (not a certification, since GDPR has none) rather than a verified attestation: the Privacy Policy names Mellis, Inc. as controller, describes EEA/UK data-subject rights, and states 'we rely on appropriate legal mechanisms ... including the Standard Contractual Clauses ("SCCs") ... and the UK Data Transfer Addendum.' Graded held=false because this is a self-declared policy posture, not a third-party-verified certification.

    source: pika.art
    HIPAA
    NOT CONFIRMED

    No public evidence. Acceptable Use Policy / Terms of Service instead prohibit uploading 'personal, financial, or sensitive information (such as government IDs, social security numbers, or health data) without proper authorization or consent' -- indicating the product is not positioned for regulated health data.

    source: pika.art
    PCI DSS
    NOT CONFIRMED

    No public evidence. Payment processing is handled by a third-party payment processor per the Privacy Policy, but no PCI DSS attestation for Pika/Mellis, Inc. itself is published.

    source: pika.art
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor domain. A third-party SaaS-inventory tool's AI-generated summary claimed Pika holds FedRAMP, but Pika's own listed 'Security Certifications' section on that same third-party profile is empty, and no certification is referenced anywhere on pika.art.

    source: pika.art
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: pika.art
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of an AI-governance certification on vendor domain.

    source: pika.art
    CSA STAR AI
    NOT CONFIRMED

    No public evidence on vendor domain.

    source: pika.art

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States (Mellis, Inc. is based in Palo Alto, CA). Privacy Policy states personal information may be processed, stored, and transferred internationally, including to the US, with SCCs and the UK Data Transfer Addendum used for EEA/UK/Switzerland transfers. No dedicated EU/regional data residency option is offered.

    Terms of Service state: 'Pika may use Content -- including Inputs, Outputs, and your interactions with the Service -- to train, improve, and develop its machine learning models, algorithms, and related technologies and services.' The Privacy Policy similarly states content may be used 'for training, evaluation, moderation, and optimization purposes' where permitted by law or with consent. No opt-out mechanism for this general training use was found anywhere on the site (the only 'opt out' language in the Terms concerns opting out of arbitration, not AI training). One carve-out exists: data submitted specifically to build a user's 'AI Self' (likeness/voice/personal characteristics) is stated to be used only for that AI Self and not to train other models. No enterprise/no-training tier is advertised; the pricing page lists only Basic/Standard/Pro/Fancy consumer subscription tiers with identical data-handling language.

    // Security controls

    Encryption in transit

    Sensitive information (e.g. payment details) is 'transmitted using encryption technologies such as SSL.' Policy does not describe blanket TLS coverage for all traffic.

    pika.art

    Encryption at rest

    n/a -- not described

    pika.art

    Infrastructure security

    General statement only: 'Information you provide is stored on secure servers behind firewalls.' No architecture, hosting provider, or audit detail disclosed.

    pika.art

    Data retention

    Personal information retained only as long as necessary for the purpose collected. Biometric data (facial scans/voice recordings) retained for up to 3 years after account deletion, whichever is earlier. On full 'AI Self' account deletion, associated data is stated to be permanently deleted.

    pika.art

    Vulnerability / audit program

    n/a -- no penetration testing, bug bounty, or audit program disclosed on vendor domain

    pika.art

    Sub-processors / API delivery

    Pika's public API is delivered through third-party platform Fal.ai ('Get the power of Pika's video models from the comfort of your own product on Fal AI'), rather than a first-party Pika-hosted API endpoint -- meaning API customer data flows through Fal.ai's infrastructure and security posture, not solely Pika's.

    pika.art

    // Products & data scope

    Pika (core video app)Consumer text-to-video / image-to-video generation

    data: User-uploaded images, video, text prompts, voice samples, generated outputs, account/billing info

    Subscription tiers: Basic (free), Standard ($8/mo), Pro ($28/mo), Fancy ($76/mo billed yearly). No enterprise tier or dedicated business data-handling terms found.

    Pika Agent / AI SelfPersistent AI creative agent built on user likeness/voice

    data: Biometric-adjacent data: facial scans, voice samples, likeness, personal characteristics used to build an autonomous agent that interacts with other users

    Per ToS, data used for a given AI Self is scoped to that AI Self only and is not used to train Pika's general models; deleted on account deletion. This is the most sensitive data category Pika handles and warrants extra buyer scrutiny for any PII/biometric-averse use case.

    Pika MCPMCP server / developer integration

    data: Prompts and content routed from third-party AI agents into Pika's generation models

    Described as giving 'any existing agent the ability to make rich content with access to the best creative models and Pika-made skills.' No separate data-handling terms found for this surface.

    Pika APIDeveloper API

    data: API requests/content submitted by developers integrating Pika's video models

    Delivered via Fal.ai (third-party inference platform), not a first-party Pika API endpoint. Buyers evaluating the API should independently review Fal.ai's security posture as a data processor in this flow.

    // What to watch

    • OVER-CLAIM RISK: A third-party SaaS-inventory/security-profile aggregator's AI-generated search summary asserted Pika holds SOC 2, GDPR, ISO 27001, FedRAMP, and CSA STAR certifications. Direct inspection of that same vendor's own profile page for Pika showed an empty 'Security Certifications' section, and none of these certifications appear anywhere on pika.art (home page, Privacy Policy, Terms of Service, Acceptable Use Policy, Pricing, or API page). This is graded as a fabricated/hallucinated third-party summary, not vendor evidence, and none of these certs are marked held=true.
    • IDENTITY-CONFLATION RISK: Search results also surfaced two differently-named/differently-domained companies that appear to hold real certifications and could easily be confused with this vendor: (1) 'Pica' / Pica9, Inc. (pica9.com, picaos.com) -- a marketing/agentic-tooling company with a genuine SOC 2 Type II press release, and (2) 'Pika' at pika.tools -- a separate 'AI agent platform' distinct from pika.art that is reported to hold SOC 2/ISO 27001/HIPAA. Neither of these is the vendor in this evidence file (pika.art / Mellis, Inc.); no certifications from either were credited to this vendor.
    • No DPA (Data Processing Agreement) or dedicated trust/security page could be found on pika.art -- notable for any team-plan or API buyer needing standard vendor security documentation.
    • AI training on customer content is on by default with no visible opt-out for the general product (only an arbitration opt-out exists in the ToS); enterprise/regulated buyers should treat this as a hard blocker until Pika publishes an opt-out or no-training tier.
    • Terms of Service prohibit users from uploading health data, government IDs, or SSNs -- consistent with, but not a substitute for, an actual HIPAA/PCI compliance program.

    // At a glance

    Pricing model

    Consumer subscription (credit-based), monthly/yearly billing, four tiers from free to $76/mo; no published enterprise/custom pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mellis, Inc. (dba Pika)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pika.art

    > Browse all vendor trust reports