// Trust & Security Report
Scenario, Inc.
Creative AI infrastructure for image, video, audio and 3D generation, with self-serve tiers (Starter/Pro/Max), a workflow/agent builder, an API/MCP server, and a separately-governed Enterprise tier with contractual no-training guarantees.
Certifications held
2
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on scenario.com“Individuals in the EU have rights including: "Access your personal data," "Rectify inaccurate personal data," "Erase your personal data," and "Lodge a complaint with a supervisory authority." The company commits to responding "within one month, as required by Article 12(3)."”
> Show 7 unconfirmed / not-held certifications
source: trust.scenario.comOnly a 'SOC2 type 2 report' is listed under Compliance Documents on the trust center; no Type I report is referenced (Type II supersedes Type I coverage).
source: trust.scenario.comNo public evidence. The trust center's single Compliance Document is the SOC 2 Type II report; independent search found only that Scenario's cloud host (AWS) holds ISO 27001, which is the host's certification, not Scenario's own.
source: scenario.comNo mention of HIPAA compliance appears in the privacy policy, and no HIPAA reference appears on the trust center or homepage. One customer story references a 'Healthcare' industry client (Alan), but this does not indicate HIPAA compliance or a BAA offering.
source: trust.scenario.comNo public evidence. No PCI DSS reference on trust center, privacy policy, or homepage; payment processing is most likely outsourced to a third-party processor rather than handled directly.
source: trust.scenario.comNo public evidence. Not listed among the trust center's Compliance Documents or anywhere on the marketing site.
source: trust.scenario.comNo public evidence. Not listed among the trust center's Compliance Documents.
source: trust.scenario.comNo public evidence. No FedRAMP reference anywhere on the vendor's site; product is not marketed to US federal government customers.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Servers located in the United States, hosted on AWS in US regions.
Tier-dependent and this is a notable contradiction with homepage marketing. The homepage footer badge reads 'SOC 2 TYPE II · SSO/SAML · NO DATA REUSE' and an on-page claim states 'We never use your training data or images to improve other models.' However, the privacy policy states for self-serve users: 'we may use your content and anonymized insights to improve our Services and AI - never sold, never shared with other customers.' Only Enterprise customers get a contractual no-training guarantee: 'we will not use your content, prompts, Generated Assets, or custom models to train, fine-tune, evaluate, benchmark, or improve any Scenario or third-party model without your prior written consent,' backed by a signed MSA and DPA. Self-serve (Starter/Pro/Max) users do not have this contractual guarantee despite the blanket 'NO DATA REUSE' badge shown site-wide.
// Security controls
Encryption
Trust center controls list 'File systems encryption,' 'Data in transit encryption,' and 'File store encryption' under the Data control category.
trust.scenario.comSSO/SAML
SSO/SAML support advertised as an Enterprise-tier feature on the homepage and Enterprise page.
scenario.comCloud infrastructure hardening
Trust center lists 'Host hardening,' 'Infrastructure as code,' and 'Firewalls' under the Cloud Security control category (80 controls total tracked on the Bastion-powered trust portal).
trust.scenario.comSubprocessors
21 subprocessors disclosed on the trust center; the privacy policy points to the same page for the current subprocessor and model-provider list.
trust.scenario.comAccess controls / audit logging
Enterprise tier advertises 'audit logging,' advanced permissions, and role-based access control; trust center lists 'Production Deployment Access,' 'Control selection,' and 'Change Management Workflow' under Business Operations.
scenario.comData retention
Account data retained for the duration of the account plus 90 days after closure; usage data retained in identifiable form up to 24 months; generated assets deleted within 60 days of account termination.
scenario.com// Products & data scope
data: Content and anonymized insights may be used by Scenario to improve its Services and AI; not sold or shared with other customers, but no contractual no-training guarantee.
Credit-based monthly plans ($10-$50/mo at published rates); no SSO/SAML or dedicated DPA called out for this tier.
data: Contractual no-training guarantee for content, prompts, generated assets, and custom models, backed by a signed MSA and DPA; SSO/SAML, audit logging, advanced permissions, and access to SOC 2 report.
Positioned as 'Creative IP Governance' with 'No cross-customer data sharing'; sold via direct sales ('Talk to Sales'), custom pricing.
data: Same underlying platform and data-handling rules as the calling account's tier (self-serve vs Enterprise).
API-first architecture with SDKs, webhooks, Unity plugin, and an MCP server for agent integrations.
// What to watch
- Homepage-wide badge 'NO DATA REUSE' and the claim 'We never use your training data or images to improve other models' overstate the actual policy: the privacy policy explicitly permits Scenario to use self-serve (non-Enterprise) customer content and anonymized insights to improve its Services and AI. Only Enterprise customers get a contractual no-training guarantee. This is a tier-scoped marketing overclaim that AIFOXX should caveat rather than repeat verbatim.
- The only independently-confirmed certification is SOC 2 Type II, shown consistently on both the marketing homepage and the trust.scenario.com portal (1 compliance document on file). No ISO 27001, HIPAA, PCI DSS, ISO 42001, CSA STAR, or FedRAMP evidence exists on vendor-owned pages.
- Search results surfaced that Scenario's cloud host (AWS) holds ISO 27001/SOC 1/SOC 3 - this is the host's certification, not Scenario's own, and must not be attributed to Scenario in the listing.
- GDPR is listed here as a compliance posture (data subject rights, response timelines) based on the privacy policy, not as a third-party-audited certification; it should be displayed as 'GDPR-aligned' rather than a hard certification badge.
// At a glance
Pricing model
Freemium credit-based self-serve tiers (Starter/Pro/Max, monthly or annual) plus custom-quoted Enterprise plans.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Scenario, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.scenario.com