// Trust & Security Report

    Animaker, Inc. (dba Steve AI / Steve.ai) logo

    Animaker, Inc. (dba Steve AI / Steve.ai)

    Steve AI is an AI-powered video creation platform (text/audio/prompt/script/image-to-video, ClipMaker, multi-voice storytelling, animated avatars) sold as a self-serve subscription (Starter, Pro, Generative AI tiers) plus a separate Enterprise/Teams tier with account management and 'advanced security features.' Built and operated by Animaker Inc., the same company behind the Animaker animation tool.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    Steve AI is an ISO 27001 certified organisation and built to cater to the privacy and security requirements of Companies and Individual Customers.

    Verify on steve.ai
    GDPR (posture)
    HELD

    Steve AI... makes sure its processes and procedures are compliant with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

    Verify on steve.ai
    EU-U.S. / Swiss-U.S. Data Privacy Framework
    HELD

    In compliance with the EU-US Data Privacy Framework Principles, Steve AI commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles.

    Verify on steve.ai
    Third-party risk assessment (CyberGRX)
    HELD

    CyberGRX - third-party risk management for enterprises and healthcare providers (listed alongside GDPR Compliant and ISO 27001 as a distinct security/compliance badge on the healthcare landing page).

    Verify on steve.ai
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No trust center, security FAQ, terms, or privacy policy on steve.ai mentions SOC 2 in any form; web search for a SOC 2 report turned up nothing vendor-specific.

    source: steve.ai
    HIPAA
    NOT CONFIRMED

    Page markets to healthcare buyers with the phrase 'HIPAA & Compliance-Friendly' but there is no formal HIPAA compliance statement, no mention of a Business Associate Agreement (BAA), and no HIPAA claim anywhere in the privacy policy or terms. Treat as no public evidence of actual HIPAA compliance, only marketing language.

    source: steve.ai
    PCI DSS
    NOT CONFIRMED

    Steve AI uses Braintree to process payments, which is fully compliant with PCI-DSS requirements. This is the payment processor's (Braintree/PayPal) PCI DSS status, not an independent certification held by Steve AI/Animaker itself; no evidence Animaker itself holds a PCI DSS attestation.

    source: steve.ai
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. Only ISO 27001 is referenced anywhere on the vendor's own domain.

    source: steve.ai
    ISO/IEC 42001 (AI management) / CSA STAR for AI
    NOT CONFIRMED

    No public evidence. No AI-governance-specific certification is referenced on any steve.ai page found.

    source: steve.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence; not a plausible fit for this consumer/SMB-oriented video tool and not mentioned anywhere on the vendor's domain.

    source: steve.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States (and any other country where Animaker, Inc. or its subsidiaries/affiliates/service providers maintain facilities)

    The Terms of Service explicitly reserve a broad license and an internal-improvement right: 'Steve AI may use the anonymous encrypted information for internal research and development and/or to improve the Service,' and this 'feature shall survive the termination of this Agreement.' The Terms also grant Steve AI rights to 'use, copy, store, transmit, modify, create derivative works' of customer content. No opt-out mechanism or tier-based (Starter/Pro/Enterprise) distinction for AI-training use is described anywhere on the site; no explicit Data Processing Agreement (DPA) page or DPA download was found, only general GDPR/CCPA rights language in the privacy policy.

    // Security controls

    Encryption in transit

    256-bit encryption; API and application endpoints are TLS/SSL only, scoring an A+ rating on SSL Labs tests; HSTS and Perfect Forward Secrecy enabled

    steve.ai

    Encryption at rest

    Industry-standard AES-256 encryption algorithm

    steve.ai

    Authentication

    2-Factor Authentication and Single Sign-On offered

    steve.ai

    Payment security

    Payments processed via Braintree (PCI-DSS compliant), 128-bit SSL encrypted

    steve.ai

    Third-party risk assessment

    Independent cyber risk assessment via CyberGRX (claimed on healthcare landing page)

    steve.ai

    Data center / hosting disclosure

    No public evidence. No hosting provider, data center location, or infrastructure detail is disclosed on the security FAQ or elsewhere on the vendor's domain.

    steve.ai

    // Products & data scope

    Steve AI (Starter / Pro / Generative AI self-serve plans)Consumer / SMB AI video creation

    data: User-uploaded scripts, text, images, audio, and account/billing PII; content processed to generate videos

    No archival/version-history guarantee on free tier per Terms: 'Steve AI does not provide an archival service.'

    Steve for Enterprise / Learning & Development teamsTeam/Enterprise AI video creation

    data: Same content types as self-serve, plus team/org account data

    Marketed with 'tailored solutions, account managers, dedicated support, and advanced security features,' but no distinct enterprise security page, no separate enterprise DPA, and no enterprise-specific cert beyond what applies site-wide was found.

    Healthcare training vertical (healthcare-training-video-maker landing page)Vertical marketing page (not a distinct product/SKU)

    data: Same platform, marketed for SOPs/training content aimed at hospitals, pharma, clinics, device manufacturers

    Uses 'HIPAA & Compliance-Friendly' language without a substantiated HIPAA compliance claim or BAA offer; flagged as a potential over-claim risk for healthcare buyers.

    // What to watch

    • No formal trust center (SafeBase/Vanta-style) exists; all security claims are scattered across a support FAQ, terms-of-service, and marketing landing pages rather than a single verifiable source.
    • SOC 2 is not claimed anywhere on the vendor's domain; if AIFOXX or a buyer assumes SOC 2 from general 'enterprise-grade security' marketing language, that would be an over-claim not supported by evidence.
    • 'HIPAA & Compliance-Friendly' language on the healthcare landing page is vague marketing, not a substantiated HIPAA compliance claim (no BAA, no explicit HIPAA statement) -> potential over-claim risk for healthcare buyers relying on this page.
    • Terms of Service grant Steve AI broad rights to use, copy, and create derivative works of customer content, and explicitly permit using 'anonymous encrypted information' for internal R&D/service improvement, with this right surviving contract termination; no opt-out or enterprise-tier carve-out was found.
    • PCI DSS compliance found on the site refers to the payment processor (Braintree), not an independent Animaker/Steve AI PCI DSS attestation -> host/processor-vs-vendor cert distinction.
    • CyberGRX and ISO 27001 claims only surfaced via a niche vertical landing page (healthcare) and the Terms of Service; they were not visible on the general security FAQ, so cross-verification is thinner than ideal for a 'held=true' grade -> supports medium rather than high confidence.
    • No dedicated DPA (Data Processing Agreement) document or download link was located; GDPR posture rests on general privacy-policy language plus DPF certification rather than a downloadable DPA.

    // At a glance

    Pricing model

    Tiered monthly/annual subscriptions (Starter $19/mo, Pro $39/mo, Generative AI $99/mo) plus a separate Enterprise/Teams tier; add-ons for extra generative credits

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Animaker, Inc. (dba Steve AI / Steve.ai)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    steve.ai

    > Browse all vendor trust reports