// Trust & Security Report

    Rev.com, Inc. (dba Rev) logo

    Rev.com, Inc. (dba Rev)

    Rev AI is the developer-facing speech-to-text API line (pre-recorded and streaming ASR, forced alignment/timestamps, and AI Insights such as sentiment, topic extraction, summarization, translation) built by Rev.com, Inc., the same company behind the human-powered Rev.com transcription/captioning marketplace. Rev AI has consumer/self-serve, business, and enterprise tiers, with HIPAA and CJIS features gated to enterprise accounts.

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    That's why we're pleased to announce that we have successfully achieved our Service Organization Controls 2 (SOC 2) Type II certification... a copy of Rev's SOC 2 Type II report is available to both current and prospective customers upon request.

    Verify on rev.com
    HIPAA
    HELD

    Rev's enterprise tier provides HIPAA-compliant* transcription services to protect sensitive healthcare data.

    Verify on rev.ai
    GDPR (compliance posture, not a certification)
    HELD

    Rev follows best practices handling Personally Identifiable Information (PII) with guidance from the published General Data Protection Regulation (GDPR).

    Verify on cf-public.rev.com
    PCI DSS
    HELD

    Rev never stores credit card information. Rev maintains a PCI certification for payment processing. Rev works with PayPal to ensure that all payments are secure and encrypted. (Scoped to payment processing only, not the core transcription/ASR data pipeline.)

    Verify on cf-public.rev.com
    CJIS
    HELD

    Third-party assessed to meet FBI security standards, with annual testing. Enterprise accounts only.

    Verify on rev.ai
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    All Rev & customer data is hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities in the United States. (This describes the AWS hosting facilities Rev uses, not an ISO 27001 certificate issued to Rev itself; no Rev-held ISO 27001 certificate is published anywhere on rev.com or rev.ai.)

    source: cf-public.rev.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on any rev.com or rev.ai domain page. A third-party site (Nudge Security) lists FedRAMP for 'Rev AI' but this is not corroborated by Rev's own security page, security PDF, or blog, so it is not graded as held.

    source: rev.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on any rev.com or rev.ai domain page. A third-party site (Nudge Security) lists CSA STAR Level 1 for 'Rev AI' but this could not be verified on a vendor-owned page.

    source: rev.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO 42001 or any AI-governance-specific certification on rev.com or rev.ai.

    source: rev.ai
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on any vendor-owned page.

    source: rev.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (Rev is a US company; hosting is on AWS US data centers). Privacy Policy: 'Rev is located in the United States, and our related companies and other third parties authorized to receive data under this Privacy Policy are located throughout the world.'

    There is a real tension between Rev's marketing copy and its current Terms of Service. rev.ai/security states 'We never use your content to train external AI models, ensuring your data remains truly yours.' The current Terms of Service (last updated May 15, 2026, fetched from rev.com/legal/terms) state: 'Customer Content will not be used for any generative AI model training,' but also that 'your Customer Content will be analyzed by our ASR models and other Rev artificial intelligence models and may be used for continuous training of those models.' So Rev does continuously train its own proprietary ASR/AI models on customer content (this is not disclosed as clearly as the 'we never train on your content' marketing line implies), while it does not use that content for third-party/foundation ('external' or 'generative') model training. A Rev.com Help Center article titled 'AI Training Opt-Out' (support.rev.com) indicates customers can opt out by emailing support@rev.com, but this page returned a 403 on direct fetch and could only be corroborated via search snippet, not read verbatim, so the opt-out mechanism is noted with medium confidence.

    // Security controls

    Encryption in transit

    TLS 1.2 (docs.rev.ai/api/security cites TLS 1.2; the security PDF and rev.ai/security marketing page reference TLS 1.2/1.3 plus AES-256).

    docs.rev.ai

    Encryption at rest

    Amazon S3 server-side encryption (S3 SSE) using AES; all customer files encrypted at rest per the security overview PDF.

    cf-public.rev.com

    Data retention

    Rev AI API jobs are retained for a maximum of 30 days by default, after which data is deleted and irretrievable; customers can configure earlier deletion or delete manually via the API.

    docs.rev.ai

    Hosting infrastructure

    AWS, spanning multiple availability zones, with S3 storage and AWS DDoS protection; data centers described as Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities (host/facility-level compliance, not a Rev-held certificate).

    cf-public.rev.com

    Access control

    Role Based Access Controls (RBAC) and least-privilege principle for production access; access limited to the Rev.com operations team; all access logged.

    cf-public.rev.com

    Monitoring / incident response

    Network intrusion detection systems (IDS), continuous availability monitoring, centralized log aggregation, regular external vulnerability scanning, and a 24/7 on-call security team with an incident response process.

    cf-public.rev.com

    // Products & data scope

    Rev AI Speech-to-Text API (async + streaming)Developer API / ASR

    data: Customer audio/video files and streamed audio submitted via API; transcripts generated and retained up to 30 days by default.

    Self-serve and business tiers; 57+ languages; default retention 30 days unless customer configures otherwise.

    Rev AI Insights (sentiment, topics, summarization, translation, language ID)AI analysis add-on

    data: Operates on transcripts already generated from customer audio/video.

    Bundled as an add-on to the core ASR API; same data handling as the core API.

    Rev AI Enterprise (HIPAA tier)Enterprise API / healthcare

    data: Audio, custom vocabulary, and transcripts that may contain Protected Health Information (PHI).

    Requires signed Business Associate Agreement (BAA) and updated MSA; customers are warned not to place PHI in filenames/URLs since Rev is not liable for PHI exposed that way.

    Rev AI Enterprise / Unlimited (CJIS tier)Enterprise API / criminal justice

    data: Audio/transcripts involving criminal justice information.

    CJIS compliance limited to enterprise/unlimited accounts, third-party assessed annually per rev.ai/security.

    Rev.com (human transcription, captioning, subtitles marketplace)Human-in-the-loop services (adjacent product, same parent company)

    data: Customer audio/video routed to vetted freelance transcriptionists/captioners ('Revvers') via a locked-down web portal.

    Not the subject of this assessment (slug is rev-ai) but shares the same legal entity, privacy policy, terms, and security program as Rev AI; included here for identity clarity since Rev AI redirects to rev.com legal pages.

    // What to watch

    • AI-training contradiction: rev.ai/security markets 'We never use your content to train external AI models,' but the current rev.com Terms of Service state customer content 'will be analyzed by our ASR models and other Rev artificial intelligence models and may be used for continuous training of those models.' The two statements can be reconciled (no third-party/generative model training vs. ongoing training of Rev's own proprietary ASR), but a customer skimming the marketing page could reasonably conclude no training happens at all on their content, which is not accurate.
    • Host-vs-vendor cert ambiguity: Rev's own security overview PDF lists 'ISO 27001 compliant facilities' in the context of AWS data center hosting, not a certificate issued to Rev.com, Inc. itself. Third-party listing sites conflate this into 'Rev AI is ISO 27001 compliant,' which is not supported by any vendor-owned page and is graded held=false here.
    • Unverifiable third-party claims: at least one third-party vendor-review site (Nudge Security) lists FedRAMP and CSA STAR Level 1 for 'Rev AI' with no corroboration found on any rev.com/rev.ai-owned page; graded held=false pending direct vendor confirmation.
    • No dedicated trust center (e.g., SafeBase/Vanta/Drata portal) was found; compliance evidence is scattered across a marketing security page, a docs security page, and a downloadable PDF, some of which (SOC 2 mention) appears only in a 2022 blog post rather than on the current security page.
    • The Rev.com Help Center 'AI Training Opt-Out' article could not be fetched directly (403 response); its existence and the emailed opt-out mechanism are corroborated only via search-engine snippet, not a verbatim read.
    • GDPR is listed among certifications for completeness per the requested schema, but it is a regulatory compliance posture, not a third-party-audited certification like SOC 2/ISO; treat it as posture, not a badge.

    // At a glance

    Pricing model

    Usage-based / pay-as-you-go API pricing for self-serve and business tiers; custom contract pricing for enterprise (HIPAA/CJIS) tiers.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Rev.com, Inc. (dba Rev)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    rev.com

    > Browse all vendor trust reports