// Trust & Security Report

    Suki AI, Inc. logo

    Suki AI, Inc.

    Ambient clinical AI for healthcare: Suki Assistant (clinician-facing ambient documentation, coding, clinical reasoning, Q&A app) and Suki Platform / Suki for Partners (developer API and SDK that embeds ambient notes, dictation, and form-filling into partner EHR and telehealth applications).

    Certifications held

    6

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance ... SOC 2 Type II" listed under the Trust Center's compliance badges, with a downloadable report titled "SOC 2 Type II (5-26-24 to 5-25-25).pdf" under Compliance Reports.

    Verify on trust.suki.ai
    HIPAA
    HELD

    "HIPAA Compliant" listed as a compliance badge on the Trust Center; developer FAQ states Suki "sign[s] Business Associate Agreements (BAA) for patient data handling."

    Verify on trust.suki.ai
    42 CFR Part 2
    HELD

    "42 CFR Part 2" listed as a compliance badge on the Trust Center (US substance-use-disorder record confidentiality regulation).

    Verify on trust.suki.ai
    CCPA
    HELD

    "CCPA / COMPLIANT" listed as a compliance badge on the Trust Center. Self-attested posture, not a third-party-audited certification.

    Verify on trust.suki.ai
    TX-RAMP
    HELD

    "TX-RAMP Certified" listed as a compliance badge on the Trust Center. Texas state government cloud-risk authorization program, not equivalent to federal FedRAMP.

    Verify on trust.suki.ai
    NIST AI Risk Management Framework
    HELD

    "NIST AI Risk Management Framework" listed as a compliance badge on the Trust Center. This is a voluntary framework alignment, not a certifiable standard.

    Verify on trust.suki.ai
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: ISO 27001 does not appear in the Trust Center's compliance badge list (HIPAA Compliant, 42 CFR Part 2, CCPA, SOC 2 Type II, TX-RAMP Certified, NIST AI Risk Management Framework), the developer security FAQ, or the privacy policy.

    source: trust.suki.ai
    GDPR (posture)
    NOT CONFIRMED

    No public evidence of a GDPR-specific program: the Privacy Policy discloses that personal data is transferred to and processed at "the offices and servers of the Company" in the United States, and neither the Trust Center nor the privacy policy mention GDPR, EU representatives, SCCs, or an EU data residency option. Suki's product is marketed to US clinicians/health systems only.

    source: suki.ai
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence: not listed on the Trust Center's compliance badges or resources.

    source: trust.suki.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence: not listed on the Trust Center's compliance badges or resources.

    source: trust.suki.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence: not applicable/listed; Suki does not process cardholder payment data as part of its clinical product.

    source: trust.suki.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of federal FedRAMP authorization. The Trust Center lists the state-level "TX-RAMP Certified" badge only, which is a distinct Texas state program, not federal FedRAMP.

    source: trust.suki.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (Google Cloud Platform hosting); Privacy Policy states personal data is transferred to and processed at Company offices/servers in the United States. No stated EU/international data residency option.

    Suki uses de-identified and anonymized data for model training/product improvement. Per the developer security FAQ: audio is processed through a de-identification algorithm that chunks and isolates it so the original cannot be reconstructed, and text transcripts have PII/PHI removed before use in ML training. The consumer-facing privacy policy does not explicitly describe an opt-out mechanism for training use, and BAA/service-agreement terms (referenced as 'the Company is processing data upon instruction from such Customer, consistent with our service agreement and Business Associate Agreement') should be checked per-contract for any training opt-out clause, since the public privacy policy alone is not fully explicit on this point.

    // Security controls

    Encryption in transit

    TLS 1.2 for all data transmitted to and from the Suki platform.

    developer.suki.ai

    Encryption at rest

    AES-256, using Google Cloud services (Cloud SQL, Cloud Storage).

    developer.suki.ai

    Edge / network protection

    Web Application Firewall (WAF) from Akamai.

    developer.suki.ai

    Data retention

    Audio and raw transcripts deleted after 30 days; clinical notes retained for the duration of the service contract.

    developer.suki.ai

    Identity provider

    OKTA used internally as identity provider (per Trust Center subprocessor list).

    trust.suki.ai

    Cloud infrastructure monitoring

    Wiz used for cloud/code security monitoring (per Trust Center subprocessor list).

    trust.suki.ai

    Infrastructure hosting

    Google Cloud Platform is the primary cloud infrastructure subprocessor.

    trust.suki.ai

    // Products & data scope

    Suki AssistantAmbient clinical documentation (clinician-facing app)

    data: Patient-clinician conversation audio, generated clinical notes, orders, and patient instructions; syncs into EHR.

    First-party app for clinicians across 100+ specialties, iOS/Android/desktop, integrates with Epic, Oracle Health, athenahealth, MEDITECH. Covered by HIPAA BAA and SOC 2 Type II program.

    Suki Platform / Suki for PartnersDeveloper API/SDK for ambient AI and voice

    data: Ambient note generation, form-filling, and dictation APIs embedded into partner healthtech applications (telehealth, care management, EHR-adjacent tools).

    Same underlying compliance program (SOC 2 Type II, HIPAA) is described as covering the platform, but partners integrating the API should independently confirm their own data flows are within the audited scope via a signed BAA/DPA with Suki.

    // What to watch

    • Do not confuse this vendor (Suki AI, Inc., suki.ai, US ambient clinical AI) with the unrelated 'Suki Group' (sukigroup.eu), a different European company that surfaced in search results under a similar name.
    • The SOC 2 Type II report on file at the Trust Center is dated for the period 5-26-24 to 5-25-25; confirm a current/renewed report is available before citing an active SOC 2 status past that window.
    • GDPR posture is not addressed by the vendor: no DPA, SCCs, or EU data residency option is publicly stated, and the product/company appear US-healthcare-focused. Treat as not GDPR-postured rather than non-compliant, given the target market.
    • The public consumer privacy policy does not explicitly describe a customer opt-out for AI/ML model training; the de-identification-based training practice is documented only in the developer-facing security FAQ, so treat this as a partial/inferred answer rather than a confirmed contractual opt-out.
    • CCPA and NIST AI RMF badges on the Trust Center are self-attested postures, not independently certified/audited standards; do not present them to users as equivalent in rigor to SOC 2.
    • TX-RAMP is a Texas state government cloud-authorization program, not federal FedRAMP; avoid presenting it as FedRAMP-equivalent.

    // At a glance

    Pricing model

    Enterprise/contract sales ("Contact Us" / "Chat with our Sales team"); no public self-serve pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Suki AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.suki.ai

    > Browse all vendor trust reports