// Trust & Security Report
Rev.com, Inc. (dba Rev)
Rev AI is the developer-facing speech-to-text API line (pre-recorded and streaming ASR, forced alignment/timestamps, and AI Insights such as sentiment, topic extraction, summarization, translation) built by Rev.com, Inc., the same company behind the human-powered Rev.com transcription/captioning marketplace. Rev AI has consumer/self-serve, business, and enterprise tiers, with HIPAA and CJIS features gated to enterprise accounts.
Certifications held
5
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on rev.com“That's why we're pleased to announce that we have successfully achieved our Service Organization Controls 2 (SOC 2) Type II certification... a copy of Rev's SOC 2 Type II report is available to both current and prospective customers upon request.”
Verify on rev.ai“Rev's enterprise tier provides HIPAA-compliant* transcription services to protect sensitive healthcare data.”
Verify on cf-public.rev.com“Rev follows best practices handling Personally Identifiable Information (PII) with guidance from the published General Data Protection Regulation (GDPR).”
Verify on cf-public.rev.com“Rev never stores credit card information. Rev maintains a PCI certification for payment processing. Rev works with PayPal to ensure that all payments are secure and encrypted. (Scoped to payment processing only, not the core transcription/ASR data pipeline.)”
Verify on rev.ai“Third-party assessed to meet FBI security standards, with annual testing. Enterprise accounts only.”
> Show 5 unconfirmed / not-held certifications
source: cf-public.rev.comAll Rev & customer data is hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities in the United States. (This describes the AWS hosting facilities Rev uses, not an ISO 27001 certificate issued to Rev itself; no Rev-held ISO 27001 certificate is published anywhere on rev.com or rev.ai.)
source: rev.aiNo public evidence on any rev.com or rev.ai domain page. A third-party site (Nudge Security) lists FedRAMP for 'Rev AI' but this is not corroborated by Rev's own security page, security PDF, or blog, so it is not graded as held.
source: rev.aiNo public evidence on any rev.com or rev.ai domain page. A third-party site (Nudge Security) lists CSA STAR Level 1 for 'Rev AI' but this could not be verified on a vendor-owned page.
source: rev.aiNo public evidence of ISO 42001 or any AI-governance-specific certification on rev.com or rev.ai.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States (Rev is a US company; hosting is on AWS US data centers). Privacy Policy: 'Rev is located in the United States, and our related companies and other third parties authorized to receive data under this Privacy Policy are located throughout the world.'
There is a real tension between Rev's marketing copy and its current Terms of Service. rev.ai/security states 'We never use your content to train external AI models, ensuring your data remains truly yours.' The current Terms of Service (last updated May 15, 2026, fetched from rev.com/legal/terms) state: 'Customer Content will not be used for any generative AI model training,' but also that 'your Customer Content will be analyzed by our ASR models and other Rev artificial intelligence models and may be used for continuous training of those models.' So Rev does continuously train its own proprietary ASR/AI models on customer content (this is not disclosed as clearly as the 'we never train on your content' marketing line implies), while it does not use that content for third-party/foundation ('external' or 'generative') model training. A Rev.com Help Center article titled 'AI Training Opt-Out' (support.rev.com) indicates customers can opt out by emailing support@rev.com, but this page returned a 403 on direct fetch and could only be corroborated via search snippet, not read verbatim, so the opt-out mechanism is noted with medium confidence.
// Security controls
Encryption in transit
TLS 1.2 (docs.rev.ai/api/security cites TLS 1.2; the security PDF and rev.ai/security marketing page reference TLS 1.2/1.3 plus AES-256).
docs.rev.aiEncryption at rest
Amazon S3 server-side encryption (S3 SSE) using AES; all customer files encrypted at rest per the security overview PDF.
cf-public.rev.comData retention
Rev AI API jobs are retained for a maximum of 30 days by default, after which data is deleted and irretrievable; customers can configure earlier deletion or delete manually via the API.
docs.rev.aiHosting infrastructure
AWS, spanning multiple availability zones, with S3 storage and AWS DDoS protection; data centers described as Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities (host/facility-level compliance, not a Rev-held certificate).
cf-public.rev.comAccess control
Role Based Access Controls (RBAC) and least-privilege principle for production access; access limited to the Rev.com operations team; all access logged.
cf-public.rev.comMonitoring / incident response
Network intrusion detection systems (IDS), continuous availability monitoring, centralized log aggregation, regular external vulnerability scanning, and a 24/7 on-call security team with an incident response process.
cf-public.rev.com// Products & data scope
data: Customer audio/video files and streamed audio submitted via API; transcripts generated and retained up to 30 days by default.
Self-serve and business tiers; 57+ languages; default retention 30 days unless customer configures otherwise.
data: Operates on transcripts already generated from customer audio/video.
Bundled as an add-on to the core ASR API; same data handling as the core API.
data: Audio, custom vocabulary, and transcripts that may contain Protected Health Information (PHI).
Requires signed Business Associate Agreement (BAA) and updated MSA; customers are warned not to place PHI in filenames/URLs since Rev is not liable for PHI exposed that way.
data: Audio/transcripts involving criminal justice information.
CJIS compliance limited to enterprise/unlimited accounts, third-party assessed annually per rev.ai/security.
data: Customer audio/video routed to vetted freelance transcriptionists/captioners ('Revvers') via a locked-down web portal.
Not the subject of this assessment (slug is rev-ai) but shares the same legal entity, privacy policy, terms, and security program as Rev AI; included here for identity clarity since Rev AI redirects to rev.com legal pages.
// What to watch
- AI-training contradiction: rev.ai/security markets 'We never use your content to train external AI models,' but the current rev.com Terms of Service state customer content 'will be analyzed by our ASR models and other Rev artificial intelligence models and may be used for continuous training of those models.' The two statements can be reconciled (no third-party/generative model training vs. ongoing training of Rev's own proprietary ASR), but a customer skimming the marketing page could reasonably conclude no training happens at all on their content, which is not accurate.
- Host-vs-vendor cert ambiguity: Rev's own security overview PDF lists 'ISO 27001 compliant facilities' in the context of AWS data center hosting, not a certificate issued to Rev.com, Inc. itself. Third-party listing sites conflate this into 'Rev AI is ISO 27001 compliant,' which is not supported by any vendor-owned page and is graded held=false here.
- Unverifiable third-party claims: at least one third-party vendor-review site (Nudge Security) lists FedRAMP and CSA STAR Level 1 for 'Rev AI' with no corroboration found on any rev.com/rev.ai-owned page; graded held=false pending direct vendor confirmation.
- No dedicated trust center (e.g., SafeBase/Vanta/Drata portal) was found; compliance evidence is scattered across a marketing security page, a docs security page, and a downloadable PDF, some of which (SOC 2 mention) appears only in a 2022 blog post rather than on the current security page.
- The Rev.com Help Center 'AI Training Opt-Out' article could not be fetched directly (403 response); its existence and the emailed opt-out mechanism are corroborated only via search-engine snippet, not a verbatim read.
- GDPR is listed among certifications for completeness per the requested schema, but it is a regulatory compliance posture, not a third-party-audited certification like SOC 2/ISO; treat it as posture, not a badge.
// At a glance
Pricing model
Usage-based / pay-as-you-go API pricing for self-serve and business tiers; custom contract pricing for enterprise (HIPAA/CJIS) tiers.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Rev.com, Inc. (dba Rev)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
rev.com