// Trust & Security Report
Together AI, Inc.
Together AI Cloud: full-stack AI infrastructure spanning Serverless Inference, Batch Inference, Dedicated Model/Container Inference, GPU Clusters (Compute, incl. H100/H200/B200/GB200), fine-tuning and model shaping (post-training), and research tooling.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.together.ai“Compliance: SOC 2 ... Resources: SOC 2 Type 2 / SOC 2 Type 2 Report ... Updated SOC 2 Type Report - Published June 17, 2026 - The latest SOC 2 Type 2 report is now available.”
Verify on trust.together.ai“Compliance: ISO 27001:2022 ... Resources: ISO 27001:2022 / ISO 27001:2022 Certificate ... Announcing ISO 27001:2022 Certification - Published May 29, 2026 - I am very pleased to announce that Together AI is officially ISO 27001:2022 certified!!!”
Verify on trust.together.ai“Trust Center resources list: 'DPA / Data Processing Addendum'. Privacy Policy: 'If you are located in the European Economic Area (the "EEA"), Switzerland, or the United Kingdom (the "UK"), our legal basis for collecting and using the Personal Data described in this Policy will depend on the personal data concerned and the specific context in which we collect it.'”
> Show 5 unconfirmed / not-held certifications
source: together.aiDISPUTED: A vendor blog post claims 'Together AI adheres to the stringent requirements of HIPAA, including data encryption in transit and at rest, audit logging, and strict business associate agreements (BAAs) with our partners' (together.ai/blog/soc-2-compliance), but the authoritative Trust Center's 'Compliance' section lists only SOC 2 and ISO 27001:2022 (no HIPAA badge/report), and the current Terms of Service explicitly prohibit customers from submitting such data: 'You will not use the Services to transmit or provide to the Company any financial or medical information of any nature or any sensitive personal data...' No BAA template, HIPAA attestation, or BAA program page was found on the vendor's own domain.
source: trust.together.aiNo public evidence. Payment processing is handled by subprocessor Stripe (listed in Trust Center subprocessors); no PCI DSS attestation for Together AI itself found on vendor domain.
source: trust.together.aiNo public evidence. Not listed in Trust Center compliance section or resources, and no mention found elsewhere on the vendor's own domain.
source: trust.together.aiNo public evidence on vendor's own domain. (A third-party aggregator page made an unsupported claim of 'CSA Star Level 1' but this could not be corroborated on together.ai or trust.together.ai and is disregarded per source rules.)
source: trust.together.aiNo public evidence on vendor's own domain. Not listed in Trust Center or on together.ai.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Trust Center subprocessor list shows Amazon Web Services (hosting/cloud infrastructure, USA) as the primary infrastructure subprocessor; Google Workspace (global), Okta (USA), Stripe (USA) also listed. Dedicated GPU cluster deployments are separately marketed across multiple global data-center locations for enterprise compute contracts, but no formal per-region data-residency guarantee for the inference/API product was found on the vendor's trust materials; enterprise customers should confirm residency terms contractually.
Privacy Policy states: 'We do not use any data collected from you to train our models without your explicit opt-in and consent... Data that we collect, including your Personal Data, will not be used to train the Company's models without your explicit opt-in and consent.' A Zero Data Retention (ZDR) setting is also offered: under ZDR, submitted content and outputs 'are not stored, retained, or used for model training, product improvements, or any secondary purposes except as needed to provide the Services.' Net posture: training requires opt-in consent; ZDR is an additional stricter mode for customers who want no retention at all.
// Security controls
Encryption in transit
Product security control listed: 'Data transmission encrypted'.
trust.together.aiBackground checks / org security
Organizational security controls: employee background checks performed, code of conduct acknowledged and enforced, anti-malware technology utilized.
trust.together.aiPenetration testing
Product security control listed: 'Penetration testing performed' and 'Control self-assessments conducted'.
trust.together.aiInfrastructure security
Controls listed include unique production database authentication enforced, unique account authentication enforced, key management, plus 34 additional infrastructure security controls (not individually itemized on the summary page).
trust.together.aiData retention / deletion
Controls listed: data retention procedures established, customer data deleted upon leaving, data classification policy established.
trust.together.aiBusiness continuity
Controls listed: continuity and disaster recovery plans established, cybersecurity insurance maintained, configuration management system established.
trust.together.ai// Products & data scope
data: Prompts/outputs processed via Together's hosted API; covered by opt-in training policy and optional ZDR.
The fastest way to run open-source models on demand, no infrastructure to manage.
data: Same data-handling posture as serverless inference (opt-in training, optional ZDR).
For large-volume, non-real-time workloads.
data: Dedicated compute instance for the customer; isolated from shared multi-tenant serving.
Aimed at enterprise customers needing predictable performance and isolation.
data: Customer-managed workloads on leased GPU clusters; broader data scope determined by customer's own use, not Together's model-serving stack.
Marketed for training, fine-tuning, and large-scale AI workloads; separate compliance posture from the inference API since customers control the workload.
data: Customer-provided training data processed under the same privacy policy (opt-in consent required for use beyond providing the service).
Positioned for teams building custom or domain-tuned models.
// What to watch
- OVER-CLAIM / CONTRADICTION: A Together AI blog post (together.ai/blog/soc-2-compliance) claims HIPAA adherence and BAAs with partners, but the vendor's own Trust Center compliance list omits HIPAA entirely, and the current Terms of Service explicitly forbid customers from submitting medical or financial information. Graded HIPAA held=false and flagged for advisor review; AIFOXX should not display a HIPAA badge for this vendor without direct vendor confirmation of an active BAA program.
- Third-party aggregator content (a security-profile SEO site) claimed Together AI is also 'FedRAMP compliant' and 'CSA Star Level 1 compliant' with no vendor-domain corroboration found; these claims were rejected per the vendor-domain-only evidence rule and are not reflected as held certifications.
- SOC 2 report, ISO 27001 certificate, and DPA are gated behind a 'Request access' flow on the Trust Center; only the summary/attestation text (not full report contents) was directly verifiable.
- No explicit per-region data-residency commitment was found for the shared inference API product (only for dedicated GPU cluster contracts); enterprise buyers with residency requirements should confirm contractually.
// At a glance
Pricing model
Usage-based API/compute pricing plus reserved/dedicated and enterprise contracts via sales ("Contact Sales").
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Together AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.together.ai