// Trust & Security Report
Animaker, Inc. (dba Steve AI / Steve.ai)
Steve AI is an AI-powered video creation platform (text/audio/prompt/script/image-to-video, ClipMaker, multi-voice storytelling, animated avatars) sold as a self-serve subscription (Starter, Pro, Generative AI tiers) plus a separate Enterprise/Teams tier with account management and 'advanced security features.' Built and operated by Animaker Inc., the same company behind the Animaker animation tool.
Certifications held
4
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on steve.ai“Steve AI is an ISO 27001 certified organisation and built to cater to the privacy and security requirements of Companies and Individual Customers.”
Verify on steve.ai“Steve AI... makes sure its processes and procedures are compliant with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).”
Verify on steve.ai“In compliance with the EU-US Data Privacy Framework Principles, Steve AI commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles.”
Verify on steve.ai“CyberGRX - third-party risk management for enterprises and healthcare providers (listed alongside GDPR Compliant and ISO 27001 as a distinct security/compliance badge on the healthcare landing page).”
> Show 6 unconfirmed / not-held certifications
source: steve.aiNo public evidence. No trust center, security FAQ, terms, or privacy policy on steve.ai mentions SOC 2 in any form; web search for a SOC 2 report turned up nothing vendor-specific.
source: steve.aiPage markets to healthcare buyers with the phrase 'HIPAA & Compliance-Friendly' but there is no formal HIPAA compliance statement, no mention of a Business Associate Agreement (BAA), and no HIPAA claim anywhere in the privacy policy or terms. Treat as no public evidence of actual HIPAA compliance, only marketing language.
source: steve.aiSteve AI uses Braintree to process payments, which is fully compliant with PCI-DSS requirements. This is the payment processor's (Braintree/PayPal) PCI DSS status, not an independent certification held by Steve AI/Animaker itself; no evidence Animaker itself holds a PCI DSS attestation.
source: steve.aiNo public evidence. Only ISO 27001 is referenced anywhere on the vendor's own domain.
source: steve.aiNo public evidence. No AI-governance-specific certification is referenced on any steve.ai page found.
source: steve.aiNo public evidence; not a plausible fit for this consumer/SMB-oriented video tool and not mentioned anywhere on the vendor's domain.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States (and any other country where Animaker, Inc. or its subsidiaries/affiliates/service providers maintain facilities)
The Terms of Service explicitly reserve a broad license and an internal-improvement right: 'Steve AI may use the anonymous encrypted information for internal research and development and/or to improve the Service,' and this 'feature shall survive the termination of this Agreement.' The Terms also grant Steve AI rights to 'use, copy, store, transmit, modify, create derivative works' of customer content. No opt-out mechanism or tier-based (Starter/Pro/Enterprise) distinction for AI-training use is described anywhere on the site; no explicit Data Processing Agreement (DPA) page or DPA download was found, only general GDPR/CCPA rights language in the privacy policy.
// Security controls
Encryption in transit
256-bit encryption; API and application endpoints are TLS/SSL only, scoring an A+ rating on SSL Labs tests; HSTS and Perfect Forward Secrecy enabled
steve.aiPayment security
Payments processed via Braintree (PCI-DSS compliant), 128-bit SSL encrypted
steve.aiThird-party risk assessment
Independent cyber risk assessment via CyberGRX (claimed on healthcare landing page)
steve.aiData center / hosting disclosure
No public evidence. No hosting provider, data center location, or infrastructure detail is disclosed on the security FAQ or elsewhere on the vendor's domain.
steve.ai// Products & data scope
data: User-uploaded scripts, text, images, audio, and account/billing PII; content processed to generate videos
No archival/version-history guarantee on free tier per Terms: 'Steve AI does not provide an archival service.'
data: Same content types as self-serve, plus team/org account data
Marketed with 'tailored solutions, account managers, dedicated support, and advanced security features,' but no distinct enterprise security page, no separate enterprise DPA, and no enterprise-specific cert beyond what applies site-wide was found.
data: Same platform, marketed for SOPs/training content aimed at hospitals, pharma, clinics, device manufacturers
Uses 'HIPAA & Compliance-Friendly' language without a substantiated HIPAA compliance claim or BAA offer; flagged as a potential over-claim risk for healthcare buyers.
// What to watch
- No formal trust center (SafeBase/Vanta-style) exists; all security claims are scattered across a support FAQ, terms-of-service, and marketing landing pages rather than a single verifiable source.
- SOC 2 is not claimed anywhere on the vendor's domain; if AIFOXX or a buyer assumes SOC 2 from general 'enterprise-grade security' marketing language, that would be an over-claim not supported by evidence.
- 'HIPAA & Compliance-Friendly' language on the healthcare landing page is vague marketing, not a substantiated HIPAA compliance claim (no BAA, no explicit HIPAA statement) -> potential over-claim risk for healthcare buyers relying on this page.
- Terms of Service grant Steve AI broad rights to use, copy, and create derivative works of customer content, and explicitly permit using 'anonymous encrypted information' for internal R&D/service improvement, with this right surviving contract termination; no opt-out or enterprise-tier carve-out was found.
- PCI DSS compliance found on the site refers to the payment processor (Braintree), not an independent Animaker/Steve AI PCI DSS attestation -> host/processor-vs-vendor cert distinction.
- CyberGRX and ISO 27001 claims only surfaced via a niche vertical landing page (healthcare) and the Terms of Service; they were not visible on the general security FAQ, so cross-verification is thinner than ideal for a 'held=true' grade -> supports medium rather than high confidence.
- No dedicated DPA (Data Processing Agreement) document or download link was located; GDPR posture rests on general privacy-policy language plus DPF certification rather than a downloadable DPA.
// At a glance
Pricing model
Tiered monthly/annual subscriptions (Starter $19/mo, Pro $39/mo, Generative AI $99/mo) plus a separate Enterprise/Teams tier; add-ons for extra generative credits
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Animaker, Inc. (dba Steve AI / Steve.ai)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
steve.ai