// Trust & Security Report

    Scenario, Inc. logo

    Scenario, Inc.

    Creative AI infrastructure for image, video, audio and 3D generation, with self-serve tiers (Starter/Pro/Max), a workflow/agent builder, an API/MCP server, and a separately-governed Enterprise tier with contractual no-training guarantees.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance Documents SOC2 type 2 report View all

    Verify on trust.scenario.com
    GDPR (posture)
    HELD

    Individuals in the EU have rights including: "Access your personal data," "Rectify inaccurate personal data," "Erase your personal data," and "Lodge a complaint with a supervisory authority." The company commits to responding "within one month, as required by Article 12(3)."

    Verify on scenario.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    Only a 'SOC2 type 2 report' is listed under Compliance Documents on the trust center; no Type I report is referenced (Type II supersedes Type I coverage).

    source: trust.scenario.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. The trust center's single Compliance Document is the SOC 2 Type II report; independent search found only that Scenario's cloud host (AWS) holds ISO 27001, which is the host's certification, not Scenario's own.

    source: trust.scenario.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance appears in the privacy policy, and no HIPAA reference appears on the trust center or homepage. One customer story references a 'Healthcare' industry client (Alan), but this does not indicate HIPAA compliance or a BAA offering.

    source: scenario.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. No PCI DSS reference on trust center, privacy policy, or homepage; payment processing is most likely outsourced to a third-party processor rather than handled directly.

    source: trust.scenario.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence. Not listed among the trust center's Compliance Documents or anywhere on the marketing site.

    source: trust.scenario.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not listed among the trust center's Compliance Documents.

    source: trust.scenario.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. No FedRAMP reference anywhere on the vendor's site; product is not marketed to US federal government customers.

    source: trust.scenario.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Servers located in the United States, hosted on AWS in US regions.

    Tier-dependent and this is a notable contradiction with homepage marketing. The homepage footer badge reads 'SOC 2 TYPE II · SSO/SAML · NO DATA REUSE' and an on-page claim states 'We never use your training data or images to improve other models.' However, the privacy policy states for self-serve users: 'we may use your content and anonymized insights to improve our Services and AI - never sold, never shared with other customers.' Only Enterprise customers get a contractual no-training guarantee: 'we will not use your content, prompts, Generated Assets, or custom models to train, fine-tune, evaluate, benchmark, or improve any Scenario or third-party model without your prior written consent,' backed by a signed MSA and DPA. Self-serve (Starter/Pro/Max) users do not have this contractual guarantee despite the blanket 'NO DATA REUSE' badge shown site-wide.

    // Security controls

    Encryption

    Trust center controls list 'File systems encryption,' 'Data in transit encryption,' and 'File store encryption' under the Data control category.

    trust.scenario.com

    SSO/SAML

    SSO/SAML support advertised as an Enterprise-tier feature on the homepage and Enterprise page.

    scenario.com

    Cloud infrastructure hardening

    Trust center lists 'Host hardening,' 'Infrastructure as code,' and 'Firewalls' under the Cloud Security control category (80 controls total tracked on the Bastion-powered trust portal).

    trust.scenario.com

    Subprocessors

    21 subprocessors disclosed on the trust center; the privacy policy points to the same page for the current subprocessor and model-provider list.

    trust.scenario.com

    Access controls / audit logging

    Enterprise tier advertises 'audit logging,' advanced permissions, and role-based access control; trust center lists 'Production Deployment Access,' 'Control selection,' and 'Change Management Workflow' under Business Operations.

    scenario.com

    Data retention

    Account data retained for the duration of the account plus 90 days after closure; usage data retained in identifiable form up to 24 months; generated assets deleted within 60 days of account termination.

    scenario.com

    // Products & data scope

    Starter / Pro / Max (self-serve)Individual / small-team creative AI generation

    data: Content and anonymized insights may be used by Scenario to improve its Services and AI; not sold or shared with other customers, but no contractual no-training guarantee.

    Credit-based monthly plans ($10-$50/mo at published rates); no SSO/SAML or dedicated DPA called out for this tier.

    EnterpriseEnterprise creative AI infrastructure with governance controls

    data: Contractual no-training guarantee for content, prompts, generated assets, and custom models, backed by a signed MSA and DPA; SSO/SAML, audit logging, advanced permissions, and access to SOC 2 report.

    Positioned as 'Creative IP Governance' with 'No cross-customer data sharing'; sold via direct sales ('Talk to Sales'), custom pricing.

    API / MCP ServerDeveloper / agent integration

    data: Same underlying platform and data-handling rules as the calling account's tier (self-serve vs Enterprise).

    API-first architecture with SDKs, webhooks, Unity plugin, and an MCP server for agent integrations.

    // What to watch

    • Homepage-wide badge 'NO DATA REUSE' and the claim 'We never use your training data or images to improve other models' overstate the actual policy: the privacy policy explicitly permits Scenario to use self-serve (non-Enterprise) customer content and anonymized insights to improve its Services and AI. Only Enterprise customers get a contractual no-training guarantee. This is a tier-scoped marketing overclaim that AIFOXX should caveat rather than repeat verbatim.
    • The only independently-confirmed certification is SOC 2 Type II, shown consistently on both the marketing homepage and the trust.scenario.com portal (1 compliance document on file). No ISO 27001, HIPAA, PCI DSS, ISO 42001, CSA STAR, or FedRAMP evidence exists on vendor-owned pages.
    • Search results surfaced that Scenario's cloud host (AWS) holds ISO 27001/SOC 1/SOC 3 - this is the host's certification, not Scenario's own, and must not be attributed to Scenario in the listing.
    • GDPR is listed here as a compliance posture (data subject rights, response timelines) based on the privacy policy, not as a third-party-audited certification; it should be displayed as 'GDPR-aligned' rather than a hard certification badge.

    // At a glance

    Pricing model

    Freemium credit-based self-serve tiers (Starter/Pro/Max, monthly or annual) plus custom-quoted Enterprise plans.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Scenario, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.scenario.com

    > Browse all vendor trust reports