// Trust & Security Report

    Scribe AI Corporation (scribehow.com) logo

    Scribe AI Corporation (scribehow.com)

    Scribe - automatic workflow/process documentation (step-by-step how-to guides) and workflow context for teams and AI agents

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Alongside vulnerability scanning, penetration testing, access control, encryption and data privacy measures, Scribe successfully went through a SOC 2 Type II audit. ... We're excited to share that Scribe has successfully completed our 2025 SOC 2 Type II audit with zero exceptions.

    Verify on trust.scribehow.com
    GDPR
    HELD

    Compliance: SOC 2, CCPA COMPLIANT, GDPR. (Trust Center) / 'Scribe complies with data protection and data subject rights for EU residents.'

    Verify on trust.scribehow.com
    CCPA
    HELD

    CCPA COMPLIANT

    Verify on trust.scribehow.com
    HIPAA
    HELD

    Scribe offers features to support HIPAA compliance. (Note: feature/control support, not a certification - HIPAA is not a certifiable standard.)

    Verify on scribe.com
    FERPA
    HELD

    Scribe offers features to support FERPA compliance. (Note: feature support, not a certification.)

    Verify on scribe.com
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Scribe's infrastructure is hosted in SOC 2 Type II and ISO 27001 compliant data centers. (This describes the hosting provider/data centers, NOT Scribe itself holding ISO 27001. No Scribe-issued ISO 27001 certificate found.)

    source: scribe.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS, US). 'Information collected through the Service will be stored and processed in the United States.' All listed subprocessors (AWS, AssemblyAI, Cloudflare, Anthropic) operate in the United States.

    Scribe explicitly states customer data is NOT used to train AI. 'No, Scribe's customer data is not retained, processed, or in any other manner used to train, fine-tune, or develop 3rd party AI algorithms. We have explicitly opted out of the use of any data for training purposes with our AI service providers.' Core capture (screenshots + steps) is NOT AI-powered; AI is used only for supporting features (title/description generation, AI Page generation, speech-to-text, text-to-speech) via third parties (Anthropic, AssemblyAI). Subprocessor note: data processed by Anthropic 'is not used to train any algorithm.' Data sent to AI providers is purged within 30 days (audio within 72 hours); screenshots are never sent to AI providers. Enterprise customers can opt out of AI features entirely.

    // Security controls

    Penetration testing

    Yes - regular third-party pen testing. 'Penetration testing performed' (Trust Center product security control); 'We conduct regular penetration testing to identify and address potential security vulnerabilities.'

    trust.scribehow.com

    Bug bounty program

    None found. No mention of HackerOne, Bugcrowd, or any public bug bounty program on the trust center or security page. Vulnerability scanning is performed.

    trust.scribehow.com

    Encryption at rest

    AES-256. 'We encrypt all data at rest using AES-256 encryption.'

    scribe.com

    Encryption in transit

    TLS 1.2+. 'All data sent to or from our infrastructure is encrypted in transit using industry-standard Transport Layer Security (TLS) 1.2+.'

    scribe.com

    SSO

    Single Sign-On supported (listed as available feature; SSO referenced in Trust Center FAQ).

    scribe.com

    Sensitive data redaction

    Automatic redaction of sensitive data during capture. 'Capture workflows confidently, knowing that sensitive data is automatically redacted.'

    scribe.com

    Supply chain monitoring

    Active. Public notices confirming Scribe was not impacted by the Shai-Hulud 2.0 npm attack (Nov 2025) and the Axios npm supply chain attack (Mar 2026).

    trust.scribehow.com

    Insurance

    Cybersecurity insurance maintained; General Liability and Management Practices COIs published.

    trust.scribehow.com

    // Products & data scope

    Scribe Browser Extension (Chrome / Edge)Process capture / documentation

    data: Captures browser-based workflow steps and screenshots; sensitive data auto-redacted. URLs/IP/browser+OS info processed via Cloudflare.

    Most common entry point; captures only what the user initiates.

    Scribe for Desktop (Windows / Mac)Process capture / documentation

    data: Captures desktop application workflows including screenshots and optional voiceover (speech-to-text via AssemblyAI).

    Audio deleted within 72 hours by provider; transcript deleted immediately after retrieval.

    Scribe AI / PagesAI-assisted document generation

    data: Step text (never screenshots) sent to third-party AI (Anthropic) for titles, descriptions, and AI Page generation. Data purged within 30 days; not used for training.

    Enterprise customers can opt out of all AI features.

    Scribe Pro Team / EnterpriseTeam / enterprise workspace

    data: Adds SSO, AI opt-out, admin controls, DPA, and full enterprise security controls. Subject to SOC 2 Type II scope.

    Enterprise tier is where compliance commitments (HIPAA/FERPA support, AI opt-out, DPA) apply.

    // What to watch

    • ISO 27001 applies to Scribe's data center/hosting provider, NOT to Scribe itself - do not list Scribe as ISO 27001 certified.
    • HIPAA and FERPA are described as 'features to support compliance,' not formal certifications (HIPAA/FERPA are not certifiable standards anyway).
    • No public bug bounty program (HackerOne/Bugcrowd); relies on internal vulnerability scanning + third-party pen testing.
    • US-only data residency may matter for EU/regulated customers despite GDPR posture.
    • Brand uses two domains: marketing site scribe.com, trust/legal entity scribehow.com / 'Scribe AI Corporation' - same vendor, not a conflict.

    // At a glance

    Pricing model

    Freemium / subscription tiers (Free, Pro, Pro Team, Enterprise)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Scribe AI Corporation (scribehow.com)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.scribehow.com

    > Browse all vendor trust reports