// Trust & Security Report

    TURBO STUDIO S.A.S. (Submagic) logo

    TURBO STUDIO S.A.S. (Submagic)

    Submagic — AI short-form video editor (captions, Magic clips, AI B-roll, AI avatars, scheduling/publishing, team workspace)

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (regulatory compliance posture, not a certification)
    HELD

    "TURBO STUDIO S.A.S. ... acts as the data controller for the Personal Data that is collected via the Website. As a data controller, TURBO STUDIO is responsible for ensuring that the processing of Personal Data complies with applicable data protection law, and specifically with the General Data Protection Regulation." Published sub-processor list, SCCs for EEA transfers, CNIL complaint route, and named DPO (tsifei@submagic.co).

    Verify on submagic.co
    > Show 3 unconfirmed / not-held certifications
    SOC 2 (Type I or II)
    NOT CONFIRMED

    No SOC 2 claim found on submagic.co. No trust center or security page exists (https://www.submagic.co/security returns HTTP 404, re-verified 2026-06-27). The privacy policy and terms make no reference to SOC 2.

    source: submagic.co
    ISO/IEC 27001
    NOT CONFIRMED

    No ISO 27001 claim found anywhere on the vendor's own domain (home, privacy, terms). No certification page or trust center exists.

    source: submagic.co
    HIPAA
    NOT CONFIRMED

    Not applicable / not claimed. Consumer and business video-editing SaaS with no health-data handling claims.

    source: submagic.co

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not stated

    Data region

    Servers in the United States; sub-processors operate in EU and US. "our servers are located in the United States, and our third-party service providers operate in the EU and the United States." EEA transfers governed by EU Standard Contractual Clauses.

    Neither the privacy policy nor the terms state that Submagic trains AI models on customer-uploaded content. Users retain content ownership: "You retain all rights to the Content you submit." The granted license is platform-scoped, not a training grant: "by using the Platform, you grant TURBO STUDIO a worldwide, non-exclusive license to use, modify, reproduce, and distribute such Content on and through the Platform." A separate promotional/marketing reuse of customer content is opt-out: "To opt out of TURBO STUDIO using your Content for promotional purposes, send an email to support@submagic.co." No explicit model-training clause was found either affirming or denying training, so default behavior cannot be confirmed.

    // Security controls

    Dedicated security / trust page

    None. https://www.submagic.co/security returns HTTP 404. No trust center, no responsible-disclosure page found.

    submagic.co

    Bug bounty (HackerOne / Bugcrowd)

    None found. No public program on the vendor domain or bounty-platform directories.

    submagic.co

    Penetration testing

    Not disclosed. No mention in privacy policy or terms.

    submagic.co

    Technical & organizational measures (encryption)

    Generic TOM language only; no specific at-rest/in-transit encryption commitment. "We use appropriate technical and organizational measures to protect the Personal Data ... designed to provide a level of security appropriate to the risk."

    submagic.co

    Hosting / infrastructure

    AWS (Amazon Web Services EMEA SARL named as hosting provider in Terms; AWS US/EU as sub-processor), Vercel (edge/app hosting, US), Supabase (auth/database, US/EU). Payments via Stripe.

    submagic.co

    Sub-processor transparency

    Full categorized sub-processor list published in privacy policy (AWS, Vercel, Supabase, Stripe, PostHog, Google, TikTok, Customer.io, Crisp, FirstPromoter, Canny, Churnkey) with locations and SCC notes.

    submagic.co

    Data subject access / deletion

    Self-serve via in-app "Privacy & data" page (app.submagic.co) for access, export, and EEA/UK account deletion; or by email to david@submagic.co. Named DPO: tsifei@submagic.co.

    submagic.co

    Data retention

    Customer data retained no longer than 2 years after contract end (terms cite up to 3 years for account data); accounting data up to 10 years; connection logs 12 months.

    submagic.co

    // Products & data scope

    Submagic web app (SaaS)AI video editing / short-form content

    data: User-uploaded video, podcasts, YouTube links; account email and auth (Google/Outlook sign-in); usage analytics. Stored on US servers.

    Core product. SaaS only, browser-based at app.submagic.co. Free trial available. Account sharing prohibited; 18+ only.

    Team / workspace (business & agencies)Collaboration tier

    data: Same content scope plus multi-user collaboration, brand assets, review/publish workflows.

    Marketed to media companies, marketing teams, agencies, advertisers. No separate enterprise security/compliance documentation or DPA terms surfaced for this tier.

    Scheduling & multi-channel publishing + YouTube integrationSocial publishing

    data: OAuth access to connected social accounts incl. YouTube channel, video, upload/publishing/scheduling data via YouTube API Services (subject to Google Privacy Policy and YouTube ToS).

    Users can revoke YouTube/Google access via Google third-party app settings; stored YouTube data deletable on request.

    AI avatars / AI B-roll / AI sound effects / translationGenerative AI features

    data: User content processed through AI generation features.

    Disclaimer that AI-generated results may not be unique; customer assumes responsibility for AI output. No statement on whether inputs feed model training.

    Free creator tools (and mobile editing)Companion / lead-gen tools

    data: Free tools (hashtags, captions, video ideas, thumbnails, hooks, scripts) and phone-footage upload; lighter data footprint.

    Free creator tools are listed in the site footer and governed by the same privacy policy. A standalone mobile app store listing was not confirmed in the collected evidence; the web app accepts phone footage uploads.

    // What to watch

    • No trust center and no security page (vendor /security URL returns 404).
    • No enterprise certifications (SOC 2 / ISO 27001) and none claimed.
    • No bug bounty program and no disclosed penetration testing.
    • AI training on customer content is neither affirmed nor denied; cannot confirm default behavior.
    • Encryption only described as generic 'technical and organizational measures' with no specific at-rest/in-transit commitment.
    • Strong, well-documented GDPR posture (named controller, DPO, full sub-processor list, SCCs, self-serve data rights) partially offsets the absence of formal certs.
    • Minor doc inconsistency: privacy policy says customer data retained no longer than 2 years post-contract; terms cite up to 3 years for account data.

    // At a glance

    Pricing model

    Subscription SaaS (monthly or annual, auto-renewing; free trial). EUR for EU customers, USD for non-EU. Non-refundable except statutory 14-day consumer withdrawal.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on TURBO STUDIO S.A.S. (Submagic)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    submagic.co

    > Browse all vendor trust reports