// Trust & Security Report
Pubgenius, Inc. (d/b/a SciSpace)
AI research assistant platform (scispace.com): literature search/review, Chat with PDF, AI Writer, citation tools, data extraction, and biomedical/agentic workflows, offered as a free/consumer tier, paid individual/team plans, and a separately marketed SciSpace for Enterprise tier for R&D teams in pharma, biotech, and healthcare.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.scispace.com“Compliance: SOC 2 Type II — Compliant. Resources: PubGenius Inc. (Scispace) SOC 2 Type 2 2025 Report”
Verify on scispace.com“SciSpace is SOC 2 Type 2 certified. All uploaded documents are stored in isolated, encrypted environments (AWS S3 + RDS). Enterprise deployments include RBAC and SSO for identity management.”
Verify on scispace.com“Privacy Policy table of contents includes a dedicated "European Union, United Kingdom, and Swiss Data Subject Rights" section, plus general Data Security and disclosure sections addressing personal-data handling.”
> Show 6 unconfirmed / not-held certifications
source: trust.scispace.comNo public evidence. The vendor's Delve-hosted trust center lists only one item under "Compliance" (SOC 2 Type II); ISO 27001 is not listed, and no separate ISO 27001 certificate or registrar record was found on any scispace.com or trust.scispace.com page.
source: trust.scispace.comNo public evidence of a HIPAA compliance program or BAA offering. Note: SciSpace markets a product feature called a "HIPAA Safe Harbor Checklist" AI agent (a document-analysis tool for researchers de-identifying data) - this is a customer-facing feature, not a vendor HIPAA certification, and should not be conflated with HIPAA compliance of SciSpace itself.
source: trust.scispace.comNo public evidence. Not listed on the trust center; no PCI DSS claim found on any vendor page (billing is a typical SaaS subscription, likely handled by a third-party payment processor, but this was not independently confirmed).
source: trust.scispace.comNo public evidence of an AI management system certification.
source: trust.scispace.comNo public evidence; product is marketed to academic and commercial R&D, not to US federal agencies.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Hosted on AWS (documents stored in "isolated, encrypted environments (AWS S3 + RDS)" per the Enterprise FAQ); specific AWS region(s) / data-residency options are not publicly disclosed on the pages reviewed.
Vendor states consistently across multiple own-domain pages that customer-uploaded content is not used to train its AI models. Help Center: "We want to assure you that your uploaded PDFs are private and are not used for training our AI models. This policy applies equally to both Free and Paid users... SciSpace AI models are not trained on any uploaded PDFs." Enterprise FAQ: "No. SciSpace does not use customer data for LLM training. Enterprise LLM providers (AWS Bedrock, Google Vertex AI, Azure AI Foundry) operate under data-processing agreements that exclude customer data from model training." No public standalone Data Processing Agreement (DPA) document was found; likely available on request through enterprise sales but not independently confirmed.
// Security controls
Encryption in transit
Listed as an implemented control ("Cryptographic protections: Encryption in transit") on the SOC 2-backed trust center.
trust.scispace.comEncryption at rest
Listed as an implemented control ("Encryption at rest"); Enterprise FAQ confirms documents are stored in "isolated, encrypted environments (AWS S3 + RDS)."
trust.scispace.comSSO / SAML
Available for Enterprise deployments: "Setup SSO 2FA logins with your existing Authentication stack."
scispace.comRole-based access control (RBAC)
"Enterprise deployments include RBAC and SSO for identity management."
scispace.comVulnerability / patch management
Listed as implemented controls ("Patch management", "Vulnerability scanning and remediation") on the trust center.
trust.scispace.comPenetration testing
Listed as an implemented control under third-party management on the trust center.
trust.scispace.comData deletion
Listed controls include "Data retention and deletion policy" and "Customer data deletion."
trust.scispace.com// Products & data scope
data: User-uploaded PDFs/papers, chat history; private to the user and not used for AI training per vendor Help Center statement.
Core tools: Chat with PDF, Literature Review, AI Writer, Find Topics, Paraphraser, Citation Generator, Extract Data, AI Detector.
data: Same data-handling posture as free tier per available evidence; no distinct compliance claims found beyond the platform-wide SOC 2 Type II.
Pricing page references individual/premium plans; no team-specific security terms were located.
data: Corporate/proprietary research documents; stored in isolated, encrypted AWS environments; processed via enterprise LLM providers (AWS Bedrock, Google Vertex AI, Azure AI Foundry) under agreements excluding customer data from model training.
Adds SSO/SAML, RBAC, and is marketed to Pharmaceutical, Academia, Medical Devices, Consumer Goods, Advanced Manufacturing, and CRO customers. Sales-assisted ("Talk to Sales"), no self-service enterprise signup.
data: Same account/data model as the web product; no separate compliance claims found.
Listed in site footer navigation; not independently reviewed for distinct data handling.
// What to watch
- Vendor markets a product feature named "HIPAA Safe Harbor Checklist" (an AI agent that helps researchers de-identify data) - this is a customer-facing tool, not evidence of SciSpace/PubGenius holding HIPAA compliance certification. Do not list HIPAA as held based on this feature name.
- The Delve-hosted trust center (trust.scispace.com) lists only SOC 2 Type II under "Compliance"; no ISO 27001, HIPAA, PCI DSS, or AI-governance certs are listed. This is typical for a growth-stage vendor and should not be over-stated on the AIFOXX listing.
- No standalone public Data Processing Agreement (DPA) document was found; presumably available through enterprise sales but unconfirmed.
- Specific data residency / region options are not publicly disclosed beyond generic "AWS" hosting.
- Legal entity name appears as "Pubgenius, Inc." in the Terms of Use and "PubGenius Inc." elsewhere (capitalization only); same entity, confirmed via matching Milpitas, CA address on both the homepage footer and Terms of Use.
// At a glance
Pricing model
Freemium consumer product with paid individual/premium plans, plus a separately sold, sales-assisted Enterprise tier for institutions and R&D teams.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pubgenius, Inc. (d/b/a SciSpace)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.scispace.com