// Trust & Security Report

    Sapling Intelligence, Inc. logo

    Sapling Intelligence, Inc.

    Sapling — language model API toolkit and AI writing assistant (consumer grammar/AI-detection tools + enterprise customer-service autocomplete/suggestions + developer API/SDK)

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Sapling undergoes annual external vulnerability assessment and penetration testing (VAPT), and is also GDPR compliant and SOC 2 Type II certified.

    Verify on sapling.ai
    SOC 2 Type II (trust center report listing)
    HELD

    Resources ... Penetration Test ... Penetration Test Remediation ... SOC 2 Type II ... AI Governance Policy

    Verify on trust.sapling.ai
    GDPR (compliance posture, not a certification)
    HELD

    is also GDPR compliant and SOC 2 Type II certified.

    Verify on sapling.ai
    PCI DSS (SAQ AoC available; supports PCI-scoped customers)
    HELD

    Sapling additionally supports customers who require HIPAA and/or PCI compliance. ... [Trust Center Resources:] PCI SAQ AoC

    Verify on sapling.ai
    HIPAA (supports HIPAA-scoped customers; not a certification)
    HELD

    Sapling additionally supports customers who require HIPAA and/or PCI compliance.

    Verify on sapling.ai
    Penetration testing (annual VAPT, report + remediation in trust center)
    HELD

    Sapling undergoes annual external vulnerability assessment and penetration testing (VAPT) ... [Trust Center:] Penetration Test ... Penetration Test Remediation

    Verify on sapling.ai
    AI Governance Policy
    HELD

    [Trust Center Resources:] AI Governance Policy

    Verify on trust.sapling.ai
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No ISO 27001 claim found on the security page or in the trust center resource list (which lists SOC 2 Type II, PCI SAQ AoC, Penetration Test, DPA, Subprocessors, AI Governance Policy).

    source: trust.sapling.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (AWS). Privacy policy: 'Our Services are hosted in the United States.' EU/other-region users have data transferred to the US for storage and processing.

    Consumer privacy policy states content 'is stored by us and used only to improve the Service' — wording is broad and does not explicitly confirm or deny use of customer content for AI/model training, and does not state a default opt-out for consumer tier. Enterprise tier mitigates this: Sapling offers 'customized storage and data retention options,' PII redaction, self-hosted/on-prem deployment, and maintains a published AI Governance Policy in its trust center. No explicit 'we do not train on your data by default' statement was found, so this is left unknown pending a direct enterprise DPA/AI-policy review. Sapling does state 'We do not sell or rent customer data.'

    // Security controls

    Encryption in transit / at rest

    TLS in transit; AES-256 at rest. 'Sapling uses TLS encryption for data in transit and AES-256 encryption for data at rest.'

    sapling.ai

    Penetration testing / VAPT

    Annual external vulnerability assessment and penetration testing; report and remediation evidence in trust center.

    trust.sapling.ai

    Bug bounty

    No public HackerOne/Bugcrowd bug-bounty program found on the security page or trust center.

    sapling.ai

    Identity & access

    SSO, SCIM, and MFA available; enterprise accounts include audit logs and RBAC. 'Single Sign-On (SSO), SCIM, and Multi-Factor Authentication (MFA) are available.'

    sapling.ai

    PII redaction

    Offers redaction of personally identifiable information (PII). 'We offer redaction of personally identifiable information (PII).'

    sapling.ai

    Deployment / hosting

    Runs production on AWS; private-cloud/private-network processing; self-hosted/on-premises deployment offered. 'Sapling runs its production systems on Amazon Web Services (AWS).'

    sapling.ai

    Trust center documents

    Self-serve (request access) trust center exposing SOC 2 Type II, PCI SAQ AoC, DPA, Subprocessors list, Penetration Test + remediation, and AI Governance Policy, plus 50+ enumerated controls across infrastructure, organizational, product, internal procedures, and data/privacy.

    trust.sapling.ai

    // Products & data scope

    Sapling for Enterprise / Customer Service (autocomplete, suggestions, CRM integrations)AI customer-communication assistant

    data: Integrates with ServiceNow, Salesforce, Zendesk, Amazon Connect, Twilio Flex; processes business/customer messaging data. Enterprise tier offers SSO/SCIM/MFA, RBAC, audit logs, PII redaction, custom data retention, and self-hosted/on-prem deployment.

    Highest assurance tier; covered by SOC 2 Type II, DPA, and AI Governance Policy. Self-hosting available for data-sensitive customers.

    Sapling API / SDKDeveloper LLM API toolkit

    data: Developers send text to Sapling endpoints for grammar/rewrite/detection/autocomplete. US-hosted (AWS). Subprocessors disclosed in trust center.

    Turnkey API; free tier available without a card. Data-use governed by terms + DPA.

    Sapling consumer tools (Grammar Check, Punctuation Check, Sentence Rewriter, AI Detector, browser extension)Consumer AI writing/detection tools

    data: User-submitted text processed and stored in the US; consumer privacy policy states content is 'used only to improve the Service.' Marketing opt-out only; no explicit AI-training opt-out documented for this tier.

    Lowest assurance tier; broad 'improve the Service' language is the main residual flag. No card required for free use.

    // What to watch

    • Consumer privacy policy language 'content is stored by us and used only to improve the Service' is broad and does not explicitly state whether customer content is used for AI/model training or provide a consumer-tier training opt-out — clarify before listing as 'does not train on your data.'
    • No public bug-bounty program (HackerOne/Bugcrowd) found; pen testing is handled via annual third-party VAPT instead.
    • HIPAA and PCI are described as 'supported' for in-scope customers rather than blanket certifications; PCI evidence is a SAQ AoC. No ISO 27001.
    • Trust center documents (SOC 2, DPA, pen test) are gated behind 'Request access,' so full report contents were not directly read — claims verified via the public security page and trust center resource index.

    // At a glance

    Pricing model

    Freemium + subscription (free tier, no card required) with paid Pro and Enterprise plans; usage-based API/SDK access.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sapling Intelligence, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.sapling.ai

    > Browse all vendor trust reports