// Trust & Security Report
Podia Labs, Inc.
Creator platform offering online courses, community spaces, email marketing, coaching, events, and website builder for independent creators. Three tiers: Mover, Shaker, Earthquaker.
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: help.podia.comNo public evidence on vendor domain. Third-party aggregator Nudge Security lists SOC 2 compliance, but this is not sourced from podia.com and may reflect the AWS hosting infrastructure rather than Podia's own attestation. No SOC 2 report referenced on podia.com, help.podia.com security policy, or privacy policy.
source: podia.comNo public evidence on vendor domain. Third-party profile lists ISO 27001 but no certificate, surveillance audit, or ISMS scope statement appears on any podia.com page. Likely reflects AWS infrastructure certification, not Podia's own ISMS.
source: podia.comGDPR is a regulation, not a certification. Podia acknowledges GDPR applicability and offers a DPA for EU controller-processor relationships: 'We offer a data processing addendum (DPA) for our customers that operate in the EU that would be considered controllers of personal data for purposes of the General Data Protection Regulation (the GDPR).' The full DPA document is hosted on Google Drive rather than on podia.com. GDPR compliance posture exists but no formal adequacy or certification is held.
source: help.podia.comNo public evidence on vendor domain. Podia is a general-purpose creator platform; no Business Associate Agreement (BAA) or HIPAA safeguards program is referenced on any podia.com page. Nudge Security third-party profile lists HIPAA but this cannot be verified from vendor domain evidence.
source: podia.comPayment processing is handled by Stripe, Inc. as the payment processor: 'Our payment processing partner Stripe, Inc. (Stripe), collects your voluntarily-provided payment card information necessary to process your payment.' PCI DSS compliance belongs to Stripe, not Podia. Podia itself does not hold a PCI DSS attestation.
source: podia.comNo public evidence on vendor domain. FedRAMP is implausible for a SMB creator platform. Nudge Security lists FedRAMP compliance, but this almost certainly reflects AWS's FedRAMP Authorization-to-Operate being attributed to Podia as a hosted customer, not Podia itself.
source: podia.comNo public evidence on vendor domain. CSA STAR listing referenced by Nudge Security but not verifiable from any podia.com page. No self-assessment questionnaire or certification found.
source: podia.comNo public evidence. Podia does not publicly disclose AI features or an AI governance program; no ISO 42001 reference found on any vendor page.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States
No explicit policy on AI training found. Podia does not publicly disclose AI features that consume creator or student content. The Terms of Service grants a broad royalty-free, perpetual, sublicensable, irrevocable license to user content 'to enable us to operate the Services,' but this is framed as operational necessity. No AI training opt-out or opt-in mechanism is disclosed. The absence of an explicit prohibition is a gap worth monitoring.
// Security controls
Encryption in transit
Claimed via general policy language ('appropriate physical, technical, organizational and administrative security measures'). No specific protocol version (e.g., TLS 1.2+) stated on vendor domain.
podia.comEncryption at rest
Implied by general security measures language in privacy policy. No explicit at-rest encryption specification or key management details disclosed.
podia.comCloud infrastructure
Amazon Web Services (AWS) used for hosting. Stripe for payment processing.
security-profiles.nudgesecurity.comVulnerability disclosure
Responsible disclosure program maintained. No public bug bounty. Reports to security@podia.com. In scope: app.podia.com, *.podia.com subdomains, Zapier integration.
help.podia.comAuthentication
Login with Google and Microsoft OAuth supported. Two-factor authentication options referenced in third-party profile (SMS, TOTP). SSO via Okta referenced in Nudge Security profile but not confirmed on vendor domain.
security-profiles.nudgesecurity.comPenetration testing
No public disclosure of penetration testing cadence or third-party assessment reports.
help.podia.comSubprocessors
No public subprocessor list found on vendor domain. Known third parties include Stripe (payments), Customer.io, ActiveCampaign, Intercom (communications), Google Analytics, Segment, FullStory (analytics).
podia.comIncident response
GDPR help article mentions mandatory breach notification for personally identifying information. No formal incident response policy published.
help.podia.com// Products & data scope
data: Creator and student personal data, course content, community posts, email subscriber data (up to 100). Payment data via Stripe.
$42/mo billed annually. 5% transaction fee. 50 products, 500 videos, 25 community spaces. No security-tier differences from higher plans.
data: Same as Mover plus expanded capacity. Up to 500 email subscribers. No Podia transaction fee.
$84/mo billed annually. Adds affiliate marketing, upsells, PayPal, Zapier. 1 assistant. No additional security or compliance controls versus Mover.
data: Same data types as Shaker. Up to 1,000 email subscribers. Unlimited products, videos, spaces, assistants.
$150/mo billed annually. No Podia transaction fee. No additional security or compliance controls versus lower tiers. No enterprise SSO or DLP differentiation found.
// What to watch
- HOST-VS-VENDOR CERT RISK: Third-party aggregator Nudge Security attributes SOC 2, ISO 27001, HIPAA, FedRAMP, PCI, and CSA STAR Level 1 to Podia. None of these are verifiable from vendor-owned domain (podia.com). These likely reflect AWS infrastructure certifications being attributed to Podia as a hosted customer, plus Stripe PCI compliance. Procurement teams must not rely on Nudge Security data without direct vendor confirmation.
- NO TRUST CENTER: Podia has no public trust center or dedicated security page at podia.com. Security policy covers only responsible vulnerability disclosure.
- NO SUBPROCESSOR LIST: No public list of subprocessors on vendor domain, complicating GDPR Article 28 due diligence.
- BROAD USER CONTENT LICENSE: Terms of Service grants a royalty-free, perpetual, sublicensable, irrevocable license to user content for service operation. No explicit AI training opt-out; worth monitoring if Podia adds AI features.
- US-ONLY DATA RESIDENCY: All data stored in the United States. EU/UK customers relying on DPA must assess transfer mechanisms, which are only partially described on the public DPA page.
- DPA ON GOOGLE DRIVE: The actual DPA document is hosted on Google Drive (not podia.com), making it harder to audit from vendor domain. The DPA landing page confirms it exists but the full text requires a separate Google Drive access.
// At a glance
Pricing model
Monthly SaaS subscription with three tiers (Mover $42/mo, Shaker $84/mo, Earthquaker $150/mo, billed annually). No per-seat pricing. Stripe/PayPal processor fees apply separately.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Podia Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
podia.com