// Trust & Security Report

    Viz.ai, Inc. logo

    Viz.ai, Inc.

    Viz.ai One, an AI-powered care coordination platform delivering over 50 FDA-cleared algorithms across therapeutic suites (Neuro/stroke, Cardio, Vascular, Pulmonary, Trauma, Radiology) for hospital and health-system providers, plus a separate Viz Life Sciences line built with pharma and medical device partners for clinical trial enrollment and patient access programs.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Viz.ai Announces Successful Completion of SOC 2 Type II + HIPAA Audits for Viz.ai One Platform... The assessment was conducted by an independent Big Four audit firm and evaluated Viz.ai's controls across the five trust service principles: security, availability, processing integrity, confidentiality, and privacy. Fourth consecutive year of SOC 2 Type II compliance (Feb 26, 2024 announcement).

    Verify on viz.ai
    ISO/IEC 27001
    HELD

    We have received internationally recognised security certifications to meet the ISO 27001 (information security management system) standard.

    Verify on viz.ai
    ISO/IEC 27701 (Privacy Information Management)
    HELD

    ISO27701 Security techniques, extension to ISO27001 for Privacy Information Management

    Verify on viz.ai
    ISO/IEC 42001 (AI Management System)
    HELD

    Viz.ai has successfully achieved ISO/IEC 42001 certification, the international standard for Artificial Intelligence Management Systems (AIMS)... one of the first companies globally to achieve this accredited ISO/IEC 42001 certification.

    Verify on viz.ai
    ISO 27017 / ISO 27018 (Cloud security & data protection)
    HELD

    ISO 27017 / 27018: Cloud security and data protection standards governing our cloud-hosted infrastructure.

    Verify on viz.ai
    ISO 27799 (Health informatics security)
    HELD

    ISO 27799: Healthcare-specific security controls tailored for clinical environments and PHI.

    Verify on viz.ai
    ISO 22301 (Business Continuity)
    HELD

    ISO 22301: Business continuity and resilience to ensure uninterrupted clinical workflows.

    Verify on viz.ai
    HIPAA
    HELD

    Viz.ai operates a comprehensive HIPAA compliance program, including administrative, technical, and physical safeguards for the protection of PHI. Protected Health Information is governed by the HIPAA Business Associate Agreement between the Customer and Viz.ai.

    Verify on viz.ai
    > Show 4 unconfirmed / not-held certifications
    GDPR
    NOT CONFIRMED

    No independent GDPR certification exists as a formal third-party seal, and Viz.ai claims none. The vendor describes GDPR only as a self-managed compliance posture: 'In the United States Viz.ai is a regulated entity under the Health Insurance Portability and Accountability Act and has implemented several key security and privacy standards, controls, and measures to adhere to this act and to meet the requirements of others such as the GDPR... GDPR compliance via policies, processes, and audits.' The trust center additionally frames ISO 27701 as 'supporting GDPR and global privacy obligations.' Treat as a compliance posture, not a certification.

    source: viz.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence. Viz.ai is a B2B/B2H healthcare software provider contracted directly with hospital systems; no cardholder-data-handling payment flow is described on the trust center, privacy policy, or press releases.

    source: viz.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not listed on the trust center page or in any press release found; Viz.ai's public materials do not reference a federal government authorization.

    source: viz.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not mentioned on the trust center page, privacy policy, or press releases.

    source: viz.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    US (Viz.ai Inc., San Francisco, CA) with distinct regional entities and privacy policies for EU (Viz.ai Netherlands B.V., Heerenveen) and UK (Viz.ai Ltd., St. Albans); cross-border transfers use adequacy decisions or EU Model Clauses per the Trust Center Privacy Notice.

    Viz.ai's core products are FDA-cleared clinical decision-support algorithms (not a generative/LLM chat product), and the company publicly states it uses separated training/validation/test datasets during algorithm development, but no vendor-domain page explicitly documents whether a given hospital customer's imaging/EHR data is used to retrain production algorithms, or whether an opt-out exists. Protected Health Information use is instead governed by a separate HIPAA Business Associate Agreement not published publicly. Treat as unresolved pending direct request of the BAA/DPA text.

    // Security controls

    Independent security audits

    Annual SOC 2 Type II audit (4 consecutive years as of Feb 2024) performed by an independent Big Four audit firm, covering security, availability, processing integrity, confidentiality, and privacy trust service principles.

    viz.ai

    AI governance program

    ISO/IEC 42001 (AI Management System) certification covering governance structure, risk/impact assessments, data governance, algorithm performance monitoring, and AI oversight integrated into engineering and quality processes across the full AI lifecycle.

    viz.ai

    PHI safeguards

    Comprehensive HIPAA compliance program with administrative, technical, and physical safeguards; PHI use governed by a HIPAA Business Associate Agreement between the customer and Viz.ai.

    viz.ai

    ISMS oversight

    Information security management system and associated certifications are owned by Viz.ai's management team, with day-to-day responsibility resting with a dedicated Chief Information Security Officer (CISO).

    viz.ai

    Trust portal / evidence sharing

    A dedicated, gated trust center portal (powered by Drata) at trustcenter.viz.ai lets prospective customers request the SOC 2 Type II report, HIPAA documentation, and subprocessor list under NDA.

    trustcenter.viz.ai

    // Products & data scope

    Viz.ai One (Provider platform)Healthcare AI / clinical care coordination

    data: Protected Health Information (PHI): medical imaging (CT, EKG, echocardiograms), EHR data, real-time clinical communications

    Core hospital/health-system product; 50+ FDA-cleared algorithms across Neuro, Cardio, Vascular, Pulmonary, Trauma and Radiology suites. This is the platform explicitly named in the SOC 2 Type II + HIPAA audit.

    Viz Life SciencesClinical research / pharma partnership tools

    data: Aggregated and/or de-identified clinical data used to support patient recruitment, adherence, and clinical trial enrollment for pharmaceutical and medical device partners

    Separate go-to-market and data-use pattern from the direct-to-provider platform; no separate certification scope was found distinguishing this product line from Viz.ai One.

    // What to watch

    • trustcenter.viz.ai (Drata-powered gated portal) could not be rendered by the automated fetch (JS-rendered, request-access flow); certification claims were instead verified via the public /trust-center marketing page plus two independent Viz.ai press releases (SOC 2/HIPAA, ISO 42001) and the privacy policy, all on the vendor's own domain, so this is not treated as evidence of absence.
    • No vendor-domain statement explicitly addresses whether hospital/customer clinical data is used to retrain production AI algorithms or whether an opt-out exists; PHI handling is deferred to a non-public HIPAA BAA. Recommend the listing note this as 'ask vendor for BAA/DPA terms' rather than asserting a position either way.
    • GDPR is a compliance posture (internal policies, audits, EU Model Clauses, ISO 27701 'supporting GDPR'), not an independent third-party certification/seal; there is no formal GDPR certification to hold, so it is recorded as held=false with the posture documented in the proof_quote rather than presented as a certifying body's stamp.
    • Three separate regional privacy policies (US, EU platform users, EU non-platform users) plus a distinct Trust Center Privacy Notice exist; a buyer should confirm which policy governs their specific relationship.

    // At a glance

    Pricing model

    Enterprise/health-system contract, no public self-serve pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Viz.ai, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    viz.ai

    > Browse all vendor trust reports