// Trust & Security Report

    Podia Labs, Inc. logo

    Podia Labs, Inc.

    Creator platform offering online courses, community spaces, email marketing, coaching, events, and website builder for independent creators. Three tiers: Mover, Shaker, Earthquaker.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence on vendor domain. Third-party aggregator Nudge Security lists SOC 2 compliance, but this is not sourced from podia.com and may reflect the AWS hosting infrastructure rather than Podia's own attestation. No SOC 2 report referenced on podia.com, help.podia.com security policy, or privacy policy.

    source: help.podia.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on vendor domain. Third-party profile lists ISO 27001 but no certificate, surveillance audit, or ISMS scope statement appears on any podia.com page. Likely reflects AWS infrastructure certification, not Podia's own ISMS.

    source: podia.com
    GDPR (compliance posture)
    NOT CONFIRMED

    GDPR is a regulation, not a certification. Podia acknowledges GDPR applicability and offers a DPA for EU controller-processor relationships: 'We offer a data processing addendum (DPA) for our customers that operate in the EU that would be considered controllers of personal data for purposes of the General Data Protection Regulation (the GDPR).' The full DPA document is hosted on Google Drive rather than on podia.com. GDPR compliance posture exists but no formal adequacy or certification is held.

    source: podia.com
    HIPAA
    NOT CONFIRMED

    No public evidence on vendor domain. Podia is a general-purpose creator platform; no Business Associate Agreement (BAA) or HIPAA safeguards program is referenced on any podia.com page. Nudge Security third-party profile lists HIPAA but this cannot be verified from vendor domain evidence.

    source: help.podia.com
    PCI DSS
    NOT CONFIRMED

    Payment processing is handled by Stripe, Inc. as the payment processor: 'Our payment processing partner Stripe, Inc. (Stripe), collects your voluntarily-provided payment card information necessary to process your payment.' PCI DSS compliance belongs to Stripe, not Podia. Podia itself does not hold a PCI DSS attestation.

    source: podia.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor domain. FedRAMP is implausible for a SMB creator platform. Nudge Security lists FedRAMP compliance, but this almost certainly reflects AWS's FedRAMP Authorization-to-Operate being attributed to Podia as a hosted customer, not Podia itself.

    source: podia.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor domain. CSA STAR listing referenced by Nudge Security but not verifiable from any podia.com page. No self-assessment questionnaire or certification found.

    source: podia.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence. Podia does not publicly disclose AI features or an AI governance program; no ISO 42001 reference found on any vendor page.

    source: podia.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States

    No explicit policy on AI training found. Podia does not publicly disclose AI features that consume creator or student content. The Terms of Service grants a broad royalty-free, perpetual, sublicensable, irrevocable license to user content 'to enable us to operate the Services,' but this is framed as operational necessity. No AI training opt-out or opt-in mechanism is disclosed. The absence of an explicit prohibition is a gap worth monitoring.

    // Security controls

    Encryption in transit

    Claimed via general policy language ('appropriate physical, technical, organizational and administrative security measures'). No specific protocol version (e.g., TLS 1.2+) stated on vendor domain.

    podia.com

    Encryption at rest

    Implied by general security measures language in privacy policy. No explicit at-rest encryption specification or key management details disclosed.

    podia.com

    Cloud infrastructure

    Amazon Web Services (AWS) used for hosting. Stripe for payment processing.

    security-profiles.nudgesecurity.com

    Vulnerability disclosure

    Responsible disclosure program maintained. No public bug bounty. Reports to security@podia.com. In scope: app.podia.com, *.podia.com subdomains, Zapier integration.

    help.podia.com

    Authentication

    Login with Google and Microsoft OAuth supported. Two-factor authentication options referenced in third-party profile (SMS, TOTP). SSO via Okta referenced in Nudge Security profile but not confirmed on vendor domain.

    security-profiles.nudgesecurity.com

    Penetration testing

    No public disclosure of penetration testing cadence or third-party assessment reports.

    help.podia.com

    Subprocessors

    No public subprocessor list found on vendor domain. Known third parties include Stripe (payments), Customer.io, ActiveCampaign, Intercom (communications), Google Analytics, Segment, FullStory (analytics).

    podia.com

    Incident response

    GDPR help article mentions mandatory breach notification for personally identifying information. No formal incident response policy published.

    help.podia.com

    // Products & data scope

    MoverCreator platform - entry tier

    data: Creator and student personal data, course content, community posts, email subscriber data (up to 100). Payment data via Stripe.

    $42/mo billed annually. 5% transaction fee. 50 products, 500 videos, 25 community spaces. No security-tier differences from higher plans.

    ShakerCreator platform - growth tier

    data: Same as Mover plus expanded capacity. Up to 500 email subscribers. No Podia transaction fee.

    $84/mo billed annually. Adds affiliate marketing, upsells, PayPal, Zapier. 1 assistant. No additional security or compliance controls versus Mover.

    EarthquakerCreator platform - unlimited tier

    data: Same data types as Shaker. Up to 1,000 email subscribers. Unlimited products, videos, spaces, assistants.

    $150/mo billed annually. No Podia transaction fee. No additional security or compliance controls versus lower tiers. No enterprise SSO or DLP differentiation found.

    // What to watch

    • HOST-VS-VENDOR CERT RISK: Third-party aggregator Nudge Security attributes SOC 2, ISO 27001, HIPAA, FedRAMP, PCI, and CSA STAR Level 1 to Podia. None of these are verifiable from vendor-owned domain (podia.com). These likely reflect AWS infrastructure certifications being attributed to Podia as a hosted customer, plus Stripe PCI compliance. Procurement teams must not rely on Nudge Security data without direct vendor confirmation.
    • NO TRUST CENTER: Podia has no public trust center or dedicated security page at podia.com. Security policy covers only responsible vulnerability disclosure.
    • NO SUBPROCESSOR LIST: No public list of subprocessors on vendor domain, complicating GDPR Article 28 due diligence.
    • BROAD USER CONTENT LICENSE: Terms of Service grants a royalty-free, perpetual, sublicensable, irrevocable license to user content for service operation. No explicit AI training opt-out; worth monitoring if Podia adds AI features.
    • US-ONLY DATA RESIDENCY: All data stored in the United States. EU/UK customers relying on DPA must assess transfer mechanisms, which are only partially described on the public DPA page.
    • DPA ON GOOGLE DRIVE: The actual DPA document is hosted on Google Drive (not podia.com), making it harder to audit from vendor domain. The DPA landing page confirms it exists but the full text requires a separate Google Drive access.

    // At a glance

    Pricing model

    Monthly SaaS subscription with three tiers (Mover $42/mo, Shaker $84/mo, Earthquaker $150/mo, billed annually). No per-seat pricing. Stripe/PayPal processor fees apply separately.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Podia Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    podia.com

    > Browse all vendor trust reports