// Trust & Security Report

    Buildscale, Inc. d/b/a Vidyard logo

    Buildscale, Inc. d/b/a Vidyard

    AI-powered video platform for revenue teams: async video messaging, video hosting/analytics, generative AI Avatars, and the agentic 'Video Agent' automated outreach product, integrated with Salesforce, HubSpot, Marketo, and Gong.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Vidyard is SOC Type II-compliant... SOC 2 Type 2 external audit covering Security, Availability, and Confidentiality.' Trust Center displays a 'SOC 2 Type 2' badge with report conducted by Coalfire Controls.

    Verify on trust.vidyard.com
    GDPR (compliance posture / DPA)
    HELD

    'transfers of Customer Personal Data that is protected by the GDPR, the Standard Contractual Clauses shall apply' (DPA, Annex C, Section 1). Trust Center also displays a 'GDPR' badge.

    Verify on vidyard.com
    Microsoft SSPA
    HELD

    Trust Center lists 'Microsoft SSPA' (Supplier Security & Privacy Assurance) as a completed compliance/attestation item alongside GDPR and SOC 2 Type 2.

    Verify on trust.vidyard.com
    > Show 6 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    Security page and security addendum only claim alignment, not certification: 'We adhere to industry standard frameworks like NIST and ISO27001' / information security program is 'aligned with ISO/IEC 27001 and NIST 800 guidance.' The Trust Center's Compliance and Attestations section (which does display SOC 2 Type 2, GDPR, and Microsoft SSPA badges) shows no ISO 27001 certificate or badge. Framework alignment is not the same as a certified ISO 27001 ISMS.

    source: vidyard.com
    HIPAA
    NOT CONFIRMED

    Vidyard's own Enterprise Terms explicitly forbid this data class rather than certifying support for it: prohibited content 'includes or transmits any highly sensitive or regulated information such as Protected Health Information pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or equivalent laws' (Section 2.4(b)).

    source: vidyard.com
    PCI DSS
    NOT CONFIRMED

    Same Enterprise Terms clause prohibits 'financial or payment card data subject to the Payment Card Industry Data Security Standard (PCI DSS)' from being uploaded to the service, i.e. cardholder data is out of scope rather than a certified capability.

    source: vidyard.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on Vidyard's own domain. FedRAMP is only claimed by an unaffiliated third-party rating aggregator, not by Vidyard's Trust Center or security pages.

    source: trust.vidyard.com
    CSA STAR
    NOT CONFIRMED

    Trust Center offers a completed CAIQ (Cloud Security Alliance Consensus Assessments Initiative Questionnaire) for download, which is a self-assessment input to the CSA STAR Registry, but no CSA STAR certification/attestation badge is displayed.

    source: trust.vidyard.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence on Vidyard's Trust Center, security page, or security addendum of an ISO/IEC 42001 or other dedicated AI-governance certification, despite Vidyard actively marketing generative AI Avatars and an agentic Video Agent product.

    source: trust.vidyard.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Primary hosting in the United States ('Services are hosted in the United States'); data may also be processed in Canada and other countries where Vidyard, its affiliates, or authorized subprocessors maintain facilities, per the Privacy Policy and DPA.

    Privacy Policy states: 'We may use content and personal information to test, train and improve AI technologies' and that Vidyard may license customer videos/content to third parties for this purpose. An explicit opt-out is described only for Free Plan customers ('Free plan users can opt out through account settings'); no explicit AI-training opt-out mechanism for paid/Enterprise tiers is published on the vendor's site, so Enterprise buyers should confirm training/opt-out terms contractually before use.

    // Security controls

    Encryption in transit

    TLS 1.2+ used for data in transit

    vidyard.com

    Encryption at rest

    AES-256 encryption for data at rest, with frequent encrypted backups

    vidyard.com

    Infrastructure

    Hosted on Amazon Web Services (AWS)

    vidyard.com

    Access control

    Role-based access control (RBAC) and least-privilege enforcement

    vidyard.com

    Application security testing

    CI/CD code analysis, peer-reviewed SDLC, and quarterly penetration tests with published pentest report on the Trust Center

    vidyard.com

    Vulnerability management

    At least quarterly vulnerability scans and annual penetration tests

    vidyard.com

    Third-party risk

    Annual risk assessments for third parties and critical vendors; subprocessor list published with 30 days' advance notice before changes

    vidyard.com

    Staff training

    All staff receive comprehensive security training annually

    vidyard.com

    // Products & data scope

    Vidyard Video MessagesAsync personal video recording/messaging

    data: Rep-recorded video, viewer engagement/analytics data

    Core personal-video outreach product; lowest data sensitivity of the product line.

    Vidyard HostingVideo hosting / content library

    data: Hosted business video library, folder permissions, viewer analytics

    Central video CMS for onboarding, QBRs, renewals, and training content.

    Vidyard Video AgentAgentic AI automated video outreach

    data: CRM/MAP intent signals, buyer contact data, AI-generated video/message content

    New agentic product that auto-sends personalized video based on signals; broader data ingestion (CRM signals) than core Video Messages, worth extra scrutiny for a compliance-sensitive buyer.

    Vidyard AI AvatarsGenerative AI video avatars

    data: Rep likeness/voice used to generate synthetic video at scale

    No dedicated public disclosure found beyond the general Privacy Policy on how likeness/voice (biometric-adjacent) data is captured, stored, or used for training; recommend confirming via DPA/security addendum before rollout.

    // What to watch

    • Over-claim risk: unaffiliated third-party rating sites (e.g. a HIPAA-compliance blog, a generic compliance-rating aggregator) list Vidyard as HIPAA, PCI DSS, FedRAMP, and CSA STAR 'compliant.' This is NOT corroborated by Vidyard's own Trust Center or security pages, and directly contradicted by Vidyard's Enterprise Terms, which explicitly PROHIBIT customers from uploading PHI or payment card data. Do not list HIPAA/PCI DSS/FedRAMP/CSA STAR badges for Vidyard without a vendor-issued certificate.
    • ISO 27001 language mismatch: marketing/security pages say Vidyard 'adheres to' or is 'aligned with' ISO/IEC 27001, but the Trust Center's own certification badges (SOC 2 Type 2, GDPR, Microsoft SSPA) do not include an ISO 27001 certificate. Treat as framework alignment, not certification, unless Vidyard sales provides a certificate.
    • AI training opt-out is explicitly documented only for Free Plan users; Enterprise/paid-tier opt-out terms for AI training on customer content are not published and should be confirmed contractually.
    • AI Avatars product uses rep likeness/voice for generative video at scale; no dedicated public disclosure of likeness/biometric-data handling was found beyond the general Privacy Policy.
    • Legal entity on record is 'Buildscale, Inc. d/b/a Vidyard' per the site footer copyright line; ensure any contract/BAA references reflect the correct legal name.

    // At a glance

    Pricing model

    Freemium with paid subscription tiers (Free, paid plans, Enterprise); per-seat SaaS pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Buildscale, Inc. d/b/a Vidyard's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.vidyard.com

    > Browse all vendor trust reports