// Trust & Security Report
Buildscale, Inc. d/b/a Vidyard
AI-powered video platform for revenue teams: async video messaging, video hosting/analytics, generative AI Avatars, and the agentic 'Video Agent' automated outreach product, integrated with Salesforce, HubSpot, Marketo, and Gong.
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.vidyard.com“Vidyard is SOC Type II-compliant... SOC 2 Type 2 external audit covering Security, Availability, and Confidentiality.' Trust Center displays a 'SOC 2 Type 2' badge with report conducted by Coalfire Controls.”
Verify on vidyard.com“'transfers of Customer Personal Data that is protected by the GDPR, the Standard Contractual Clauses shall apply' (DPA, Annex C, Section 1). Trust Center also displays a 'GDPR' badge.”
Verify on trust.vidyard.com“Trust Center lists 'Microsoft SSPA' (Supplier Security & Privacy Assurance) as a completed compliance/attestation item alongside GDPR and SOC 2 Type 2.”
> Show 6 unconfirmed / not-held certifications
source: vidyard.comSecurity page and security addendum only claim alignment, not certification: 'We adhere to industry standard frameworks like NIST and ISO27001' / information security program is 'aligned with ISO/IEC 27001 and NIST 800 guidance.' The Trust Center's Compliance and Attestations section (which does display SOC 2 Type 2, GDPR, and Microsoft SSPA badges) shows no ISO 27001 certificate or badge. Framework alignment is not the same as a certified ISO 27001 ISMS.
source: vidyard.comVidyard's own Enterprise Terms explicitly forbid this data class rather than certifying support for it: prohibited content 'includes or transmits any highly sensitive or regulated information such as Protected Health Information pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or equivalent laws' (Section 2.4(b)).
source: vidyard.comSame Enterprise Terms clause prohibits 'financial or payment card data subject to the Payment Card Industry Data Security Standard (PCI DSS)' from being uploaded to the service, i.e. cardholder data is out of scope rather than a certified capability.
source: trust.vidyard.comNo public evidence on Vidyard's own domain. FedRAMP is only claimed by an unaffiliated third-party rating aggregator, not by Vidyard's Trust Center or security pages.
source: trust.vidyard.comTrust Center offers a completed CAIQ (Cloud Security Alliance Consensus Assessments Initiative Questionnaire) for download, which is a self-assessment input to the CSA STAR Registry, but no CSA STAR certification/attestation badge is displayed.
source: trust.vidyard.comNo public evidence on Vidyard's Trust Center, security page, or security addendum of an ISO/IEC 42001 or other dedicated AI-governance certification, despite Vidyard actively marketing generative AI Avatars and an agentic Video Agent product.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Primary hosting in the United States ('Services are hosted in the United States'); data may also be processed in Canada and other countries where Vidyard, its affiliates, or authorized subprocessors maintain facilities, per the Privacy Policy and DPA.
Privacy Policy states: 'We may use content and personal information to test, train and improve AI technologies' and that Vidyard may license customer videos/content to third parties for this purpose. An explicit opt-out is described only for Free Plan customers ('Free plan users can opt out through account settings'); no explicit AI-training opt-out mechanism for paid/Enterprise tiers is published on the vendor's site, so Enterprise buyers should confirm training/opt-out terms contractually before use.
// Security controls
Application security testing
CI/CD code analysis, peer-reviewed SDLC, and quarterly penetration tests with published pentest report on the Trust Center
vidyard.comVulnerability management
At least quarterly vulnerability scans and annual penetration tests
vidyard.comThird-party risk
Annual risk assessments for third parties and critical vendors; subprocessor list published with 30 days' advance notice before changes
vidyard.com// Products & data scope
data: Rep-recorded video, viewer engagement/analytics data
Core personal-video outreach product; lowest data sensitivity of the product line.
data: Hosted business video library, folder permissions, viewer analytics
Central video CMS for onboarding, QBRs, renewals, and training content.
data: CRM/MAP intent signals, buyer contact data, AI-generated video/message content
New agentic product that auto-sends personalized video based on signals; broader data ingestion (CRM signals) than core Video Messages, worth extra scrutiny for a compliance-sensitive buyer.
data: Rep likeness/voice used to generate synthetic video at scale
No dedicated public disclosure found beyond the general Privacy Policy on how likeness/voice (biometric-adjacent) data is captured, stored, or used for training; recommend confirming via DPA/security addendum before rollout.
// What to watch
- Over-claim risk: unaffiliated third-party rating sites (e.g. a HIPAA-compliance blog, a generic compliance-rating aggregator) list Vidyard as HIPAA, PCI DSS, FedRAMP, and CSA STAR 'compliant.' This is NOT corroborated by Vidyard's own Trust Center or security pages, and directly contradicted by Vidyard's Enterprise Terms, which explicitly PROHIBIT customers from uploading PHI or payment card data. Do not list HIPAA/PCI DSS/FedRAMP/CSA STAR badges for Vidyard without a vendor-issued certificate.
- ISO 27001 language mismatch: marketing/security pages say Vidyard 'adheres to' or is 'aligned with' ISO/IEC 27001, but the Trust Center's own certification badges (SOC 2 Type 2, GDPR, Microsoft SSPA) do not include an ISO 27001 certificate. Treat as framework alignment, not certification, unless Vidyard sales provides a certificate.
- AI training opt-out is explicitly documented only for Free Plan users; Enterprise/paid-tier opt-out terms for AI training on customer content are not published and should be confirmed contractually.
- AI Avatars product uses rep likeness/voice for generative video at scale; no dedicated public disclosure of likeness/biometric-data handling was found beyond the general Privacy Policy.
- Legal entity on record is 'Buildscale, Inc. d/b/a Vidyard' per the site footer copyright line; ensure any contract/BAA references reflect the correct legal name.
// At a glance
Pricing model
Freemium with paid subscription tiers (Free, paid plans, Enterprise); per-seat SaaS pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Buildscale, Inc. d/b/a Vidyard's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.vidyard.com