// Trust & Security Report
Pilot.com, Inc.
Outsourced back-office finance services for startups and small businesses: Bookkeeping, Tax, CFO/advisory Services, R&D Tax Credit, and Outsourced Operations (COO Services, including payroll-adjacent data); homepage also references a newer "Meridian" AI operating-system offering and an in-product "Pilot AI" chatbot for querying books.
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
source: pilot.comNo public evidence on pilot.com. IMPORTANT: web search surfaces a SOC 2 Type II announcement for a different, similarly named company, "PILOT Inc." at pilot.coach / pilotcoachinc.com (an employee-coaching startup, audited by Prescient Assurance) and a separate SOC 2 announcement from "Plane" (formerly branded "Pilot", a payroll/HR company). Neither is pilot.com, the bookkeeping/CFO-services vendor assessed here. No SOC 2 claim, badge, or report appears anywhere on pilot.com, /terms/privacy, /terms/client-terms, or /terms/subprocessors.
source: pilot.comNo public evidence on pilot.com. Not mentioned in Privacy Statement, Client Services Agreement, or subprocessors list.
source: pilot.comNo public evidence on pilot.com. No AI-governance certification referenced despite the site describing AI-based data processing and a generative-AI chatbot feature.
source: pilot.com"We do not represent or warrant that the Services, Pilot Platform or Internal Software comply with the Health Insurance Portability and Accountability Act of 1996" (Client Services Agreement, Section 12.10).
source: pilot.comPilot's Privacy Statement makes no mention of GDPR anywhere; it only addresses the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA): "If the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA), applies to you...you have the following rights with respect to personal information." No EU-specific rights, lawful-basis language, SCCs, or GDPR representative are documented.
source: pilot.comNo public evidence on pilot.com; Pilot does not appear to process cardholder payment data directly as a service.
source: pilot.comNo public evidence on pilot.com; not applicable to Pilot's SMB/startup-focused product.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not publicly specified. Pilot is US-headquartered (San Francisco); the Privacy Statement reserves the right to "transfer your information and process and store it outside your country of residence," and service-fulfillment personnel may be located outside the United States. Cloud subprocessors (AWS, Google LLC, Snowflake) are all major US-based providers, but no dedicated data-residency commitment is published.
Pilot's Privacy Statement says: "We develop and use AI-based methods of processing Customer Data to deliver the Services" and describes "Pilot AI", a "generative AI-powered chatbot" that lets customers ask about their books. The Client Services Agreement (Section 2.2) permits inputting Customer Data "into artificial intelligence tools" to deliver the service. Pilot's subprocessors list (https://pilot.com/terms/subprocessors) names Anthropic PBC and OpenAI, LLC as subprocessors, meaning Customer Data (which can include SSNs and government IDs for Outsourced Operations/payroll customers) is sent to third-party LLM providers for operational processing. It is NOT clear from public documentation whether this constitutes only inference/service-delivery use versus any model-training or retention by Pilot or its AI subprocessors, and no explicit customer opt-out for this AI processing is documented (a separate opt-out exists only for session-replay analytics, which is unrelated). This ambiguity should be confirmed directly with Pilot before enterprise use.
// Security controls
Encryption in transit / at rest
Not publicly documented in general terms. The Client Services Agreement only states a narrow commitment: "Pilot will maintain Login Credentials in encrypted form and will only use them pursuant to the Agreement." No general customer-data encryption-at-rest or in-transit standard (e.g., TLS 1.2+/AES-256) is published on pilot.com.
pilot.comFacility / infrastructure security standard
Vague contractual commitment only: "all facilities that Pilot uses to store Customer Data or Login Credentials adhere to reasonable security standards" (Section 2.6) - no named framework or auditor.
pilot.comTrust center / public security page
None found. Pilot has no dedicated trust/security page comparable to a SafeBase or Vanta-hosted trust center on its own domain.
pilot.comThird-party AI subprocessors
Subprocessors list discloses Anthropic PBC and OpenAI, LLC as AI/ML subprocessors, plus AWS, Google LLC, and Snowflake Inc. for cloud infrastructure, and Fivetran, Mixpanel, Gong.io, Salesforce, Atlassian, Notion, Zapier, Zoom, Dropbox and others for business tooling (23 total subprocessors listed).
pilot.comHIPAA / PHI handling
Explicitly disclaimed - Pilot does not represent or warrant HIPAA compliance and should not be used for protected health information.
pilot.com// Products & data scope
data: Financial transaction data, bank/card feeds, QuickBooks Online integration
Flagship product; monthly bookkeeping with software + human bookkeepers.
data: Financial statements, forecasts, cap table and fundraising data
Strategic guidance from finance professionals layered on top of Bookkeeping data.
data: Tax filings, entity and owner identification data; retained at least 7 years per Privacy Statement
Separate Tax Services Terms govern this offering.
data: Higher-sensitivity personal data: "may also include social security numbers, identification documents, other government identifiers, and individual contact information" per Client Services Agreement, used e.g. for payroll processing tasks.
Materially higher data sensitivity than plain bookkeeping; no dedicated security certification is published to match this elevated data scope.
data: Customer financial data processed by a generative-AI chatbot and AI-based automation
Homepage banner ("Introducing Meridian, the AI operating system that closes your books") indicates a newer AI-forward push; only a brief in-product "Pilot AI" chatbot is documented in the Privacy Statement. No separate AI-governance certification or dedicated AI security page found.
// What to watch
- Identity-conflation risk (resolved but must not recur): generic 'Pilot SOC 2' web searches return results for a different company, 'PILOT Inc.' (employee-coaching startup at pilot.coach), and for 'Plane' (formerly branded 'Pilot', a payroll/HR company) - neither is pilot.com. Confirmed via cross-check of pilotcoachinc.com's own 'About PILOT' page. Do not credit pilot.com with any SOC 2 claim sourced from a generic search.
- GDPR is not addressed at all in Pilot's own Privacy Statement (only CCPA/VCDPA are covered) despite Pilot serving startups that may have EU-resident stakeholders or data; buyers needing GDPR assurances should request this directly from Pilot.
- HIPAA is explicitly disclaimed in the Client Services Agreement - do not list Pilot for healthcare/PHI-adjacent use cases.
- No trust center, no standalone DPA, and no general customer-data encryption statement found on pilot.com; the only encryption commitment found is narrowly scoped to login credentials.
- AI-training posture is ambiguous: Customer Data (including SSNs/government IDs for Outsourced Operations customers) is shared with Anthropic and OpenAI as subprocessors for AI-based processing/chatbot features, but no explicit statement rules out model training/retention by those subprocessors, and no dedicated opt-out for this AI processing is published (only an unrelated session-replay opt-out exists).
- Data sensitivity for the Outsourced Operations (COO/payroll) product is materially higher (SSNs, government IDs) than for plain bookkeeping, yet no security certification is published to match that elevated scope - flag for enterprise/COO-service buyers specifically.
// At a glance
Pricing model
Subscription-based (monthly plans per Client Services Agreement / Subscription Agreement); tiered by service scope (Bookkeeping, Tax, CFO, COO); exact pricing not published on the assessed pages.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pilot.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pilot.com