// Trust & Security Report
Plus Docs, Inc.
AI assistant for creating and editing presentations directly inside Google Slides and Microsoft PowerPoint; also offers a Presentations API, a Presentation Agent API, a Plus AI MCP server, and "Live Snapshots" (shareable, encrypted presentation links)
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on plusai.com“"Plus has achieved SOC 2 Type II compliance" following an independent audit; encryption details given as AES-256 at rest and TLS in transit.”
> Show 8 unconfirmed / not-held certifications
source: plusai.comNo mention of ISO 27001 on plusai.com/security, the privacy policy, the enterprise page, or the company page. Note: an unrelated company also named "PlusAI" / "Plus" (autonomous trucking, plus.ai) holds ISO 27001 certifications -- that cert belongs to the trucking company, not to Plus Docs, Inc. (plusai.com), and must not be attributed here.
source: plusai.comThe privacy policy contains no use of the terms "GDPR", "European", "EEA", "Standard Contractual Clauses", "data subject rights", "controller", or "processor". It states only: "Information that we collect from the Site will be transferred to, and processed in the United States and in any other country where Plus or its affiliates, subsidiaries or third party service providers maintain facilities or personnel." No published DPA or SCC documentation was found on plusai.com. Third-party review sites claim Plus AI "publishes GDPR-compliant DPAs with SCCs," but this could not be confirmed on the vendor's own domain, so it is graded unconfirmed.
source: plusai.comNo mention of HIPAA or a Business Associate Agreement anywhere on plusai.com (security page, privacy policy, or enterprise page).
source: plusai.comNo public evidence of PCI DSS compliance on plusai.com. Billing is handled through third-party payment processors; no vendor-domain statement addresses cardholder data handling.
source: plusai.comNo public evidence of ISO/IEC 42001 certification on plusai.com.
source: plusai.comNo public evidence of CSA STAR registration or certification on plusai.com.
source: plusai.comNo public evidence of ISO 27017, 27018, or 27701 certification on plusai.com.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States; privacy policy states data "will be transferred to, and processed in the United States and in any other country where Plus or its affiliates, subsidiaries or third party service providers maintain facilities or personnel"; infrastructure runs on AWS.
No public, general statement that customer content is or is not used to train Plus's own models. Two specific, vendor-sourced facts exist: (1) Enterprise plan: "We do not use Enterprise customer data to train or fine-tune our AI models. We only work with AI providers with enterprise-grade APIs that contractually guarantee data submitted through their services is not retained or used for training purposes." (2) Google Workspace integration: "Plus Docs Inc. does not use Google Workspace API data to develop, improve, or train generalized artificial intelligence (AI) and/or machine learning (ML) models." The privacy policy separately notes Plus "may use aggregated, de-identified and/or anonymized data" to improve the Service, with no explicit opt-out mechanism described for that use. It is unclear whether the Enterprise no-training commitment also applies to lower (Basic/Pro/Team/Max) tiers -- flagged below.
// Security controls
Encryption in transit
TLS (Transport Layer Security) used for data in transit; vendor states servers sit behind a firewall and data is transferred via "best-in-class encryption algorithms."
plusai.comAccess controls
"Access to customer data is strictly limited to authorized employees who require it for their jobs. Any access to customer data is monitored and logged." By default only the account owner can access their Snapshots/Pages unless explicitly shared.
plusai.comHosting infrastructure
AWS (Amazon Web Services) used for staging and production environments; vendor cites AWS's own data-center security and certifications, which are the host's, not an independent Plus certification.
plusai.comData deletion / ownership
"You have complete control over your data and can delete a Snapshot and permanently remove it from Plus systems at any time."
plusai.comData retention
"Plus retains data as long as it has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it is securely disposed of or archived." No specific retention period disclosed.
plusai.comSub-processors
No published sub-processor list; privacy policy only names general categories: "hosting or infrastructure providers, help desk ticket providers, customer relationship management providers, email providers, collaboration tools."
plusai.comMCP server authentication
Plus AI MCP server uses OAuth for connection setup; described as "secure, enterprise-ready." No further protocol detail published.
plusai.comDetailed security documentation
Vendor references a "Security Portal" for additional policies and procedures, but no working link or URL to that portal was found on any crawled page.
plusai.com// Products & data scope
data: User prompts, uploaded documents (PDF/Word/PowerPoint/text), generated slide content, account/billing data
No AI-training statement specific to these tiers was found; the explicit no-training commitment on plusai.com is scoped to "Enterprise customer data" only. No SSO, no published DPA, no SOC 2 report access mentioned at these tiers.
data: Same as above plus custom template libraries, brand assets, and white-glove template conversion
Vendor states Enterprise customer data is not used to train or fine-tune AI models, and that only AI providers with enterprise-grade, no-retention API terms are used. Pricing and specific contractual protections (DPA, SSO, audit logs) require contacting sales; not detailed publicly.
data: Presentation content shared via a link; private by default (only creator can access) until explicitly shared
Data encrypted at rest and in transit; not searchable unless shared; deletable at any time by the owner.
data: Content submitted programmatically via API or MCP tool calls
Marketed as "secure, enterprise-ready" with OAuth-based connection; no distinct compliance documentation beyond the general security page was found.
// What to watch
- IDENTITY RISK: A separate, unrelated company also uses the "PlusAI" / "Plus" name -- an autonomous-trucking company at plus.ai / trustplus.ai holding its own ISO 27001 and other certifications, and a GDPR notice at www.plus.ai/eu-data-protection-notice/. None of that company's certifications or policies belong to Plus Docs, Inc. (plusai.com), the AI presentation vendor assessed here. Any listing must link only to plusai.com pages.
- GDPR POSTURE UNCLEAR: Third-party review sites (not the vendor's own domain) claim Plus AI publishes a GDPR-compliant DPA with Standard Contractual Clauses, but no DPA, SCC reference, or the word "GDPR" itself could be found anywhere on plusai.com's privacy policy, security page, or enterprise page. Treat GDPR posture as unconfirmed until a vendor-domain DPA is located; do not list GDPR as a held cert.
- AI-TRAINING TIER GAP: The only explicit "we do not train on your data" commitment found applies to the Enterprise tier and to Google Workspace API data specifically. It is unclear whether Basic/Pro/Team/Max tier customer content is excluded from training by the underlying AI providers Plus uses, or whether the more general "aggregated, de-identified" data-use clause in the privacy policy could apply more broadly. Buyers on non-Enterprise plans should ask Plus directly before assuming no-training.
- NO PUBLIC TRUST CENTER: Plus does not operate a self-service Vanta/Drata-style trust center; the SOC 2 Type II report itself is not publicly downloadable and a referenced "Security Portal" has no discoverable public URL. SOC 2 status rests on the vendor's own unlinked text claim rather than an auditable public artifact.
- NO HIPAA / NO BAA: Not suitable for protected health information; no Business Associate Agreement or HIPAA statement offered.
// At a glance
Pricing model
Freemium/subscription: Basic ~$10-15/mo, Pro ~$20-25/mo, Team ~$30-40/mo, Max ~$200-240/mo (annual vs monthly billing), plus a custom-priced Enterprise tier
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Plus Docs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
plusai.com