// Trust & Security Report
Scribe AI Corporation (scribehow.com)
Scribe - automatic workflow/process documentation (step-by-step how-to guides) and workflow context for teams and AI agents
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.scribehow.com“Alongside vulnerability scanning, penetration testing, access control, encryption and data privacy measures, Scribe successfully went through a SOC 2 Type II audit. ... We're excited to share that Scribe has successfully completed our 2025 SOC 2 Type II audit with zero exceptions.”
Verify on trust.scribehow.com“Compliance: SOC 2, CCPA COMPLIANT, GDPR. (Trust Center) / 'Scribe complies with data protection and data subject rights for EU residents.'”
Verify on scribe.com“Scribe offers features to support HIPAA compliance. (Note: feature/control support, not a certification - HIPAA is not a certifiable standard.)”
Verify on scribe.com“Scribe offers features to support FERPA compliance. (Note: feature support, not a certification.)”
> Show 1 unconfirmed / not-held certifications
source: scribe.comScribe's infrastructure is hosted in SOC 2 Type II and ISO 27001 compliant data centers. (This describes the hosting provider/data centers, NOT Scribe itself holding ISO 27001. No Scribe-issued ISO 27001 certificate found.)
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS, US). 'Information collected through the Service will be stored and processed in the United States.' All listed subprocessors (AWS, AssemblyAI, Cloudflare, Anthropic) operate in the United States.
Scribe explicitly states customer data is NOT used to train AI. 'No, Scribe's customer data is not retained, processed, or in any other manner used to train, fine-tune, or develop 3rd party AI algorithms. We have explicitly opted out of the use of any data for training purposes with our AI service providers.' Core capture (screenshots + steps) is NOT AI-powered; AI is used only for supporting features (title/description generation, AI Page generation, speech-to-text, text-to-speech) via third parties (Anthropic, AssemblyAI). Subprocessor note: data processed by Anthropic 'is not used to train any algorithm.' Data sent to AI providers is purged within 30 days (audio within 72 hours); screenshots are never sent to AI providers. Enterprise customers can opt out of AI features entirely.
// Security controls
Penetration testing
Yes - regular third-party pen testing. 'Penetration testing performed' (Trust Center product security control); 'We conduct regular penetration testing to identify and address potential security vulnerabilities.'
trust.scribehow.comBug bounty program
None found. No mention of HackerOne, Bugcrowd, or any public bug bounty program on the trust center or security page. Vulnerability scanning is performed.
trust.scribehow.comEncryption in transit
TLS 1.2+. 'All data sent to or from our infrastructure is encrypted in transit using industry-standard Transport Layer Security (TLS) 1.2+.'
scribe.comSSO
Single Sign-On supported (listed as available feature; SSO referenced in Trust Center FAQ).
scribe.comSensitive data redaction
Automatic redaction of sensitive data during capture. 'Capture workflows confidently, knowing that sensitive data is automatically redacted.'
scribe.comSupply chain monitoring
Active. Public notices confirming Scribe was not impacted by the Shai-Hulud 2.0 npm attack (Nov 2025) and the Axios npm supply chain attack (Mar 2026).
trust.scribehow.comInsurance
Cybersecurity insurance maintained; General Liability and Management Practices COIs published.
trust.scribehow.com// Products & data scope
data: Captures browser-based workflow steps and screenshots; sensitive data auto-redacted. URLs/IP/browser+OS info processed via Cloudflare.
Most common entry point; captures only what the user initiates.
data: Captures desktop application workflows including screenshots and optional voiceover (speech-to-text via AssemblyAI).
Audio deleted within 72 hours by provider; transcript deleted immediately after retrieval.
data: Step text (never screenshots) sent to third-party AI (Anthropic) for titles, descriptions, and AI Page generation. Data purged within 30 days; not used for training.
Enterprise customers can opt out of all AI features.
data: Adds SSO, AI opt-out, admin controls, DPA, and full enterprise security controls. Subject to SOC 2 Type II scope.
Enterprise tier is where compliance commitments (HIPAA/FERPA support, AI opt-out, DPA) apply.
// What to watch
- ISO 27001 applies to Scribe's data center/hosting provider, NOT to Scribe itself - do not list Scribe as ISO 27001 certified.
- HIPAA and FERPA are described as 'features to support compliance,' not formal certifications (HIPAA/FERPA are not certifiable standards anyway).
- No public bug bounty program (HackerOne/Bugcrowd); relies on internal vulnerability scanning + third-party pen testing.
- US-only data residency may matter for EU/regulated customers despite GDPR posture.
- Brand uses two domains: marketing site scribe.com, trust/legal entity scribehow.com / 'Scribe AI Corporation' - same vendor, not a conflict.
// At a glance
Pricing model
Freemium / subscription tiers (Free, Pro, Pro Team, Enterprise)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Scribe AI Corporation (scribehow.com)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.scribehow.com