// Trust & Security Report
TURBO STUDIO S.A.S. (Submagic)
Submagic — AI short-form video editor (captions, Magic clips, AI B-roll, AI avatars, scheduling/publishing, team workspace)
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on submagic.co“"TURBO STUDIO S.A.S. ... acts as the data controller for the Personal Data that is collected via the Website. As a data controller, TURBO STUDIO is responsible for ensuring that the processing of Personal Data complies with applicable data protection law, and specifically with the General Data Protection Regulation." Published sub-processor list, SCCs for EEA transfers, CNIL complaint route, and named DPO (tsifei@submagic.co).”
> Show 3 unconfirmed / not-held certifications
source: submagic.coNo SOC 2 claim found on submagic.co. No trust center or security page exists (https://www.submagic.co/security returns HTTP 404, re-verified 2026-06-27). The privacy policy and terms make no reference to SOC 2.
source: submagic.coNo ISO 27001 claim found anywhere on the vendor's own domain (home, privacy, terms). No certification page or trust center exists.
source: submagic.coNot applicable / not claimed. Consumer and business video-editing SaaS with no health-data handling claims.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not stated
Data region
Servers in the United States; sub-processors operate in EU and US. "our servers are located in the United States, and our third-party service providers operate in the EU and the United States." EEA transfers governed by EU Standard Contractual Clauses.
Neither the privacy policy nor the terms state that Submagic trains AI models on customer-uploaded content. Users retain content ownership: "You retain all rights to the Content you submit." The granted license is platform-scoped, not a training grant: "by using the Platform, you grant TURBO STUDIO a worldwide, non-exclusive license to use, modify, reproduce, and distribute such Content on and through the Platform." A separate promotional/marketing reuse of customer content is opt-out: "To opt out of TURBO STUDIO using your Content for promotional purposes, send an email to support@submagic.co." No explicit model-training clause was found either affirming or denying training, so default behavior cannot be confirmed.
// Security controls
Dedicated security / trust page
None. https://www.submagic.co/security returns HTTP 404. No trust center, no responsible-disclosure page found.
submagic.coBug bounty (HackerOne / Bugcrowd)
None found. No public program on the vendor domain or bounty-platform directories.
submagic.coTechnical & organizational measures (encryption)
Generic TOM language only; no specific at-rest/in-transit encryption commitment. "We use appropriate technical and organizational measures to protect the Personal Data ... designed to provide a level of security appropriate to the risk."
submagic.coHosting / infrastructure
AWS (Amazon Web Services EMEA SARL named as hosting provider in Terms; AWS US/EU as sub-processor), Vercel (edge/app hosting, US), Supabase (auth/database, US/EU). Payments via Stripe.
submagic.coSub-processor transparency
Full categorized sub-processor list published in privacy policy (AWS, Vercel, Supabase, Stripe, PostHog, Google, TikTok, Customer.io, Crisp, FirstPromoter, Canny, Churnkey) with locations and SCC notes.
submagic.coData subject access / deletion
Self-serve via in-app "Privacy & data" page (app.submagic.co) for access, export, and EEA/UK account deletion; or by email to david@submagic.co. Named DPO: tsifei@submagic.co.
submagic.coData retention
Customer data retained no longer than 2 years after contract end (terms cite up to 3 years for account data); accounting data up to 10 years; connection logs 12 months.
submagic.co// Products & data scope
data: User-uploaded video, podcasts, YouTube links; account email and auth (Google/Outlook sign-in); usage analytics. Stored on US servers.
Core product. SaaS only, browser-based at app.submagic.co. Free trial available. Account sharing prohibited; 18+ only.
data: Same content scope plus multi-user collaboration, brand assets, review/publish workflows.
Marketed to media companies, marketing teams, agencies, advertisers. No separate enterprise security/compliance documentation or DPA terms surfaced for this tier.
data: OAuth access to connected social accounts incl. YouTube channel, video, upload/publishing/scheduling data via YouTube API Services (subject to Google Privacy Policy and YouTube ToS).
Users can revoke YouTube/Google access via Google third-party app settings; stored YouTube data deletable on request.
data: User content processed through AI generation features.
Disclaimer that AI-generated results may not be unique; customer assumes responsibility for AI output. No statement on whether inputs feed model training.
data: Free tools (hashtags, captions, video ideas, thumbnails, hooks, scripts) and phone-footage upload; lighter data footprint.
Free creator tools are listed in the site footer and governed by the same privacy policy. A standalone mobile app store listing was not confirmed in the collected evidence; the web app accepts phone footage uploads.
// What to watch
- No trust center and no security page (vendor /security URL returns 404).
- No enterprise certifications (SOC 2 / ISO 27001) and none claimed.
- No bug bounty program and no disclosed penetration testing.
- AI training on customer content is neither affirmed nor denied; cannot confirm default behavior.
- Encryption only described as generic 'technical and organizational measures' with no specific at-rest/in-transit commitment.
- Strong, well-documented GDPR posture (named controller, DPO, full sub-processor list, SCCs, self-serve data rights) partially offsets the absence of formal certs.
- Minor doc inconsistency: privacy policy says customer data retained no longer than 2 years post-contract; terms cite up to 3 years for account data.
// At a glance
Pricing model
Subscription SaaS (monthly or annual, auto-renewing; free trial). EUR for EU customers, USD for non-EU. Non-refundable except statutory 14-day consumer withdrawal.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on TURBO STUDIO S.A.S. (Submagic)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
submagic.co