// Trust & Security Report

    Tavus, Inc. logo

    Tavus, Inc.

    Human computing / conversational video AI: Tavus CVI (Conversational Video Interface) developer API built on the Phoenix (rendering), Raven (perception), and Sparrow (turn-taking) models, an Enterprise tier with custom replicas and SLAs, and PALs, a consumer-facing always-on AI companion app.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Certifications: SOC 2 Type 2 ... PDF Tavus SOC 2 Type II - 2025 / PDF Tavus SOC 2 Type II (April 2025 - August 2025)

    Verify on trust.tavus.io
    HIPAA
    HELD

    Certifications: ... HIPAA ... PDF Tavus HIPAA Compliance Policy / PDF Tavus HIPAA Breach Notification For Protected Health Information / PDF Tavus HIPAA Workstation Security Policy. Note: 'HIPAA compliance is available on Tavus Enterprise plans' (blog post) - this is a tier-gated offering, not available to all customers.

    Verify on trust.tavus.io
    GDPR
    HELD

    Certifications: ... GDPR (trust center badge); Privacy Policy contains a dedicated EU/UK GDPR section describing legal bases and data-subject rights.

    Verify on trust.tavus.io
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: ISO 27001 does not appear on Tavus's own trust center (trust.tavus.io), which explicitly lists only SOC 2 Type 2, HIPAA, and GDPR as certifications, nor in the SOC 2 blog announcement. Third-party listicle/SEO sites (e.g. a security-scoring aggregator and a generic 'ISO 27001 for AI companies' blog) claim Tavus is ISO 27001/PCI/FedRAMP/CSA-STAR compliant, but these are not Tavus-domain sources and are not corroborated by the vendor's own trust center, so they are treated as an unverified third-party claim, not vendor-confirmed fact.

    source: trust.tavus.io
    PCI DSS
    NOT CONFIRMED

    No public evidence on any Tavus-owned page. Payment processing is delegated to Stripe/Orb per the subprocessor list, which reduces direct PCI scope for Tavus itself.

    source: tavus.io
    ISO 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or CSA STAR for AI on the trust center or elsewhere on tavus.io.

    source: trust.tavus.io
    FedRAMP
    NOT CONFIRMED

    No public evidence on any Tavus-owned page; not referenced on trust.tavus.io. A third-party aggregator claims FedRAMP compliance but provides no vendor-domain proof.

    source: trust.tavus.io
    CSA STAR
    NOT CONFIRMED

    No public evidence on any Tavus-owned page or the trust center registry listing.

    source: trust.tavus.io

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (company headquartered in San Francisco, CA; all listed subprocessors including AWS, GCP, Cerebrium, Replicate, OpenAI, ElevenLabs, Cartesia, Daily, Mux and Deepgram operate in the US)

    Terms of Service Section 6.5 grants Tavus a 'non-exclusive, worldwide, perpetual, royalty-free and fully paid license to use' Customer Content and Media Files to 'maintain and improve' the platform, plus explicit use of 'aggregated and/or de-identified usage data' for improvement. The Privacy Policy separately states 'Tavus will create anonymized data to train AI models.' No dedicated opt-out exists for AI training itself (the only documented opt-out is for the arbitration clause). Terms apply uniformly across PALs (consumer), API/developer, and Enterprise customers with no stated tier-based training exception, so enterprise buyers who need a no-training guarantee should confirm this in a signed order form or DPA rather than relying on the public ToS.

    // Security controls

    SOC 2 report cadence

    Two SOC 2 Type II reports on file: 2025 annual report and an April-August 2025 period report, available via the trust center on request.

    trust.tavus.io

    Documented security policies

    Trust center lists specific policies available on request: Access Control, Cryptography, Asset Management, Business Continuity & DR, Data Management, Human Resource Security, Secure Development, Third-Party Management, Operations Security, Information Security, Physical Security, Incident Response, Risk Management, plus HIPAA-specific policies and a 2025 web application penetration test report.

    trust.tavus.io

    Biometric data retention

    Biometric data (face/voice) retained until the purpose is fulfilled or one year after the user's last interaction, whichever comes first.

    tavus.io

    Subprocessor transparency

    Public, dated (effective April 27, 2026) subprocessor list broken out by function (cloud/inference hosting, voice, LLM hosting, video/transcription, business operations), all US-based.

    tavus.io

    Encryption in transit/at rest

    Not documented on any publicly readable page; encryption details are gated behind the trust center's 'Cryptography Policy' document, available on request only.

    trust.tavus.io

    // Products & data scope

    Tavus CVI (Conversational Video Interface) / Developer APIDeveloper platform for real-time conversational video agents

    data: Processes real-time audio/video from end users of the customer's application (perception, speech, rendering); Customer Content is licensed back to Tavus to improve the platform.

    Underlying models: Phoenix (rendering), Raven (perception/multimodal understanding), Sparrow (conversational turn-taking).

    Tavus EnterpriseEnterprise deployment tier

    data: Same underlying data flows as CVI, with custom replicas, emotion control, and enterprise SLAs; this is the tier where HIPAA availability is offered.

    HIPAA compliance is described by Tavus as available on Enterprise plans specifically, not as a blanket guarantee for all customers; buyers should confirm BAA coverage in writing.

    PALsConsumer AI companion app

    data: Captures and retains face/voice/biometric interaction data and conversational memory of an individual consumer user over time.

    Consumer-facing product with its own Supplemental Terms of Service; retention default is tied to biometric data rules in the main privacy policy.

    // What to watch

    • Third-party sites (a security-scoring aggregator and a generic AI/ISO blog) publicly claim Tavus holds ISO 27001, PCI DSS, FedRAMP, and CSA STAR certifications; none of these appear on Tavus's own trust center (which lists only SOC 2 Type 2, HIPAA, GDPR), so these third-party claims should not be repeated as fact and are graded held=false pending direct vendor confirmation.
    • HIPAA is described by Tavus's own blog content as available on Enterprise plans specifically; the trust center badge does not state this tier restriction, so a buyer on a non-Enterprise plan could be misled into assuming HIPAA coverage applies to their tier.
    • Terms of Service grant Tavus a perpetual, royalty-free license to use Customer Content to improve its models, with no explicit customer opt-out from AI training beyond the arbitration clause; this is a meaningful consideration for any customer (especially in healthcare or consumer-companion use cases) sending biometric video/audio data.
    • No standalone public DPA document was located on tavus.io; DPA terms appear to be handled via a separate Enterprise Master Services Agreement negotiated per customer, so listing 'dpa: true' reflects availability on request/negotiation rather than a self-serve published DPA.

    // At a glance

    Pricing model

    Usage-based API pricing plus a separate Enterprise (custom/SLA) tier and a consumer PALs offering; exact public price list not captured in this evidence set.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tavus, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.tavus.io

    > Browse all vendor trust reports