// Trust & Security Report

    Pilot.com, Inc. logo

    Pilot.com, Inc.

    Outsourced back-office finance services for startups and small businesses: Bookkeeping, Tax, CFO/advisory Services, R&D Tax Credit, and Outsourced Operations (COO Services, including payroll-adjacent data); homepage also references a newer "Meridian" AI operating-system offering and an in-product "Pilot AI" chatbot for querying books.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 (Type I or II)
    NOT CONFIRMED

    No public evidence on pilot.com. IMPORTANT: web search surfaces a SOC 2 Type II announcement for a different, similarly named company, "PILOT Inc." at pilot.coach / pilotcoachinc.com (an employee-coaching startup, audited by Prescient Assurance) and a separate SOC 2 announcement from "Plane" (formerly branded "Pilot", a payroll/HR company). Neither is pilot.com, the bookkeeping/CFO-services vendor assessed here. No SOC 2 claim, badge, or report appears anywhere on pilot.com, /terms/privacy, /terms/client-terms, or /terms/subprocessors.

    source: pilot.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on pilot.com. Not mentioned in Privacy Statement, Client Services Agreement, or subprocessors list.

    source: pilot.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on pilot.com.

    source: pilot.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence on pilot.com. No AI-governance certification referenced despite the site describing AI-based data processing and a generative-AI chatbot feature.

    source: pilot.com
    CSA STAR / CSA STAR for AI
    NOT CONFIRMED

    No public evidence on pilot.com.

    source: pilot.com
    HIPAA
    NOT CONFIRMED

    "We do not represent or warrant that the Services, Pilot Platform or Internal Software comply with the Health Insurance Portability and Accountability Act of 1996" (Client Services Agreement, Section 12.10).

    source: pilot.com
    GDPR (formal posture statement)
    NOT CONFIRMED

    Pilot's Privacy Statement makes no mention of GDPR anywhere; it only addresses the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA): "If the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA), applies to you...you have the following rights with respect to personal information." No EU-specific rights, lawful-basis language, SCCs, or GDPR representative are documented.

    source: pilot.com
    PCI DSS
    NOT CONFIRMED

    No public evidence on pilot.com; Pilot does not appear to process cardholder payment data directly as a service.

    source: pilot.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on pilot.com; not applicable to Pilot's SMB/startup-focused product.

    source: pilot.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not publicly specified. Pilot is US-headquartered (San Francisco); the Privacy Statement reserves the right to "transfer your information and process and store it outside your country of residence," and service-fulfillment personnel may be located outside the United States. Cloud subprocessors (AWS, Google LLC, Snowflake) are all major US-based providers, but no dedicated data-residency commitment is published.

    Pilot's Privacy Statement says: "We develop and use AI-based methods of processing Customer Data to deliver the Services" and describes "Pilot AI", a "generative AI-powered chatbot" that lets customers ask about their books. The Client Services Agreement (Section 2.2) permits inputting Customer Data "into artificial intelligence tools" to deliver the service. Pilot's subprocessors list (https://pilot.com/terms/subprocessors) names Anthropic PBC and OpenAI, LLC as subprocessors, meaning Customer Data (which can include SSNs and government IDs for Outsourced Operations/payroll customers) is sent to third-party LLM providers for operational processing. It is NOT clear from public documentation whether this constitutes only inference/service-delivery use versus any model-training or retention by Pilot or its AI subprocessors, and no explicit customer opt-out for this AI processing is documented (a separate opt-out exists only for session-replay analytics, which is unrelated). This ambiguity should be confirmed directly with Pilot before enterprise use.

    // Security controls

    Encryption in transit / at rest

    Not publicly documented in general terms. The Client Services Agreement only states a narrow commitment: "Pilot will maintain Login Credentials in encrypted form and will only use them pursuant to the Agreement." No general customer-data encryption-at-rest or in-transit standard (e.g., TLS 1.2+/AES-256) is published on pilot.com.

    pilot.com

    Facility / infrastructure security standard

    Vague contractual commitment only: "all facilities that Pilot uses to store Customer Data or Login Credentials adhere to reasonable security standards" (Section 2.6) - no named framework or auditor.

    pilot.com

    Trust center / public security page

    None found. Pilot has no dedicated trust/security page comparable to a SafeBase or Vanta-hosted trust center on its own domain.

    pilot.com

    Third-party AI subprocessors

    Subprocessors list discloses Anthropic PBC and OpenAI, LLC as AI/ML subprocessors, plus AWS, Google LLC, and Snowflake Inc. for cloud infrastructure, and Fivetran, Mixpanel, Gong.io, Salesforce, Atlassian, Notion, Zapier, Zoom, Dropbox and others for business tooling (23 total subprocessors listed).

    pilot.com

    HIPAA / PHI handling

    Explicitly disclaimed - Pilot does not represent or warrant HIPAA compliance and should not be used for protected health information.

    pilot.com

    // Products & data scope

    BookkeepingCore accounting service

    data: Financial transaction data, bank/card feeds, QuickBooks Online integration

    Flagship product; monthly bookkeeping with software + human bookkeepers.

    CFO / Advisory ServicesFinancial advisory

    data: Financial statements, forecasts, cap table and fundraising data

    Strategic guidance from finance professionals layered on top of Bookkeeping data.

    Tax Services / R&D Tax CreditTax preparation and credits

    data: Tax filings, entity and owner identification data; retained at least 7 years per Privacy Statement

    Separate Tax Services Terms govern this offering.

    Outsourced Operations (COO Services, incl. payroll-adjacent work)Back-office operations

    data: Higher-sensitivity personal data: "may also include social security numbers, identification documents, other government identifiers, and individual contact information" per Client Services Agreement, used e.g. for payroll processing tasks.

    Materially higher data sensitivity than plain bookkeeping; no dedicated security certification is published to match this elevated data scope.

    Meridian / Pilot AIAI features

    data: Customer financial data processed by a generative-AI chatbot and AI-based automation

    Homepage banner ("Introducing Meridian, the AI operating system that closes your books") indicates a newer AI-forward push; only a brief in-product "Pilot AI" chatbot is documented in the Privacy Statement. No separate AI-governance certification or dedicated AI security page found.

    // What to watch

    • Identity-conflation risk (resolved but must not recur): generic 'Pilot SOC 2' web searches return results for a different company, 'PILOT Inc.' (employee-coaching startup at pilot.coach), and for 'Plane' (formerly branded 'Pilot', a payroll/HR company) - neither is pilot.com. Confirmed via cross-check of pilotcoachinc.com's own 'About PILOT' page. Do not credit pilot.com with any SOC 2 claim sourced from a generic search.
    • GDPR is not addressed at all in Pilot's own Privacy Statement (only CCPA/VCDPA are covered) despite Pilot serving startups that may have EU-resident stakeholders or data; buyers needing GDPR assurances should request this directly from Pilot.
    • HIPAA is explicitly disclaimed in the Client Services Agreement - do not list Pilot for healthcare/PHI-adjacent use cases.
    • No trust center, no standalone DPA, and no general customer-data encryption statement found on pilot.com; the only encryption commitment found is narrowly scoped to login credentials.
    • AI-training posture is ambiguous: Customer Data (including SSNs/government IDs for Outsourced Operations customers) is shared with Anthropic and OpenAI as subprocessors for AI-based processing/chatbot features, but no explicit statement rules out model training/retention by those subprocessors, and no dedicated opt-out for this AI processing is published (only an unrelated session-replay opt-out exists).
    • Data sensitivity for the Outsourced Operations (COO/payroll) product is materially higher (SSNs, government IDs) than for plain bookkeeping, yet no security certification is published to match that elevated scope - flag for enterprise/COO-service buyers specifically.

    // At a glance

    Pricing model

    Subscription-based (monthly plans per Client Services Agreement / Subscription Agreement); tiered by service scope (Bookkeeping, Tax, CFO, COO); exact pricing not published on the assessed pages.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pilot.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pilot.com

    > Browse all vendor trust reports