// Trust & Security Report
Sapling Intelligence, Inc.
Sapling — language model API toolkit and AI writing assistant (consumer grammar/AI-detection tools + enterprise customer-service autocomplete/suggestions + developer API/SDK)
Certifications held
7
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on sapling.ai“Sapling undergoes annual external vulnerability assessment and penetration testing (VAPT), and is also GDPR compliant and SOC 2 Type II certified.”
Verify on trust.sapling.ai“Resources ... Penetration Test ... Penetration Test Remediation ... SOC 2 Type II ... AI Governance Policy”
Verify on sapling.ai“is also GDPR compliant and SOC 2 Type II certified.”
Verify on sapling.ai“Sapling additionally supports customers who require HIPAA and/or PCI compliance. ... [Trust Center Resources:] PCI SAQ AoC”
Verify on sapling.ai“Sapling additionally supports customers who require HIPAA and/or PCI compliance.”
Verify on sapling.ai“Sapling undergoes annual external vulnerability assessment and penetration testing (VAPT) ... [Trust Center:] Penetration Test ... Penetration Test Remediation”
> Show 1 unconfirmed / not-held certifications
source: trust.sapling.aiNo ISO 27001 claim found on the security page or in the trust center resource list (which lists SOC 2 Type II, PCI SAQ AoC, Penetration Test, DPA, Subprocessors, AI Governance Policy).
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (AWS). Privacy policy: 'Our Services are hosted in the United States.' EU/other-region users have data transferred to the US for storage and processing.
Consumer privacy policy states content 'is stored by us and used only to improve the Service' — wording is broad and does not explicitly confirm or deny use of customer content for AI/model training, and does not state a default opt-out for consumer tier. Enterprise tier mitigates this: Sapling offers 'customized storage and data retention options,' PII redaction, self-hosted/on-prem deployment, and maintains a published AI Governance Policy in its trust center. No explicit 'we do not train on your data by default' statement was found, so this is left unknown pending a direct enterprise DPA/AI-policy review. Sapling does state 'We do not sell or rent customer data.'
// Security controls
Encryption in transit / at rest
TLS in transit; AES-256 at rest. 'Sapling uses TLS encryption for data in transit and AES-256 encryption for data at rest.'
sapling.aiPenetration testing / VAPT
Annual external vulnerability assessment and penetration testing; report and remediation evidence in trust center.
trust.sapling.aiBug bounty
No public HackerOne/Bugcrowd bug-bounty program found on the security page or trust center.
sapling.aiIdentity & access
SSO, SCIM, and MFA available; enterprise accounts include audit logs and RBAC. 'Single Sign-On (SSO), SCIM, and Multi-Factor Authentication (MFA) are available.'
sapling.aiPII redaction
Offers redaction of personally identifiable information (PII). 'We offer redaction of personally identifiable information (PII).'
sapling.aiDeployment / hosting
Runs production on AWS; private-cloud/private-network processing; self-hosted/on-premises deployment offered. 'Sapling runs its production systems on Amazon Web Services (AWS).'
sapling.aiTrust center documents
Self-serve (request access) trust center exposing SOC 2 Type II, PCI SAQ AoC, DPA, Subprocessors list, Penetration Test + remediation, and AI Governance Policy, plus 50+ enumerated controls across infrastructure, organizational, product, internal procedures, and data/privacy.
trust.sapling.ai// Products & data scope
data: Integrates with ServiceNow, Salesforce, Zendesk, Amazon Connect, Twilio Flex; processes business/customer messaging data. Enterprise tier offers SSO/SCIM/MFA, RBAC, audit logs, PII redaction, custom data retention, and self-hosted/on-prem deployment.
Highest assurance tier; covered by SOC 2 Type II, DPA, and AI Governance Policy. Self-hosting available for data-sensitive customers.
data: Developers send text to Sapling endpoints for grammar/rewrite/detection/autocomplete. US-hosted (AWS). Subprocessors disclosed in trust center.
Turnkey API; free tier available without a card. Data-use governed by terms + DPA.
data: User-submitted text processed and stored in the US; consumer privacy policy states content is 'used only to improve the Service.' Marketing opt-out only; no explicit AI-training opt-out documented for this tier.
Lowest assurance tier; broad 'improve the Service' language is the main residual flag. No card required for free use.
// What to watch
- Consumer privacy policy language 'content is stored by us and used only to improve the Service' is broad and does not explicitly state whether customer content is used for AI/model training or provide a consumer-tier training opt-out — clarify before listing as 'does not train on your data.'
- No public bug-bounty program (HackerOne/Bugcrowd) found; pen testing is handled via annual third-party VAPT instead.
- HIPAA and PCI are described as 'supported' for in-scope customers rather than blanket certifications; PCI evidence is a SAQ AoC. No ISO 27001.
- Trust center documents (SOC 2, DPA, pen test) are gated behind 'Request access,' so full report contents were not directly read — claims verified via the public security page and trust center resource index.
// At a glance
Pricing model
Freemium + subscription (free tier, no card required) with paid Pro and Enterprise plans; usage-based API/SDK access.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sapling Intelligence, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.sapling.ai