// Trust & Security Report
You.com (Su-Sea, Inc.)
AI web search and research APIs (Search API, Contents API, Research API, Finance Research API) plus consumer/Team/Enterprise AI assistant at you.com
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.you.com“Compliance: SOC 2 ... Su-Sea SOC 2 TYPE 2 Report ... 2025 You.com - SOC2 Type 2 Audit Confirmation Letter.pdf”
Verify on trust.you.com“Compliance: SOC 2, GDPR ... Su-Sea, Inc. (dba you.com) complies with the EU-U.S. Data Privacy Framework.”
Verify on trust.you.com“No ISO 27001 listing found on the trust center or compliance pages.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily US (AWS and Google Cloud Platform subprocessors hosted in the United States). Data may be transferred out of the user's country of residence; EU-U.S. Data Privacy Framework participant.
Privacy policy states customer data 'will not be used for developing, improving, or training third party AI and/or ML models'; they reserve the right to use only de-identified, aggregated, non-personal data. A 'No Model Training' feature ensures team data is not used to train/improve models, and Zero Data Retention (ZDR) can be enabled on Team/Enterprise plans and for API use so inputs/outputs are not retained (metadata with anonymous identifiers and trust-and-safety data may still be kept). Google Cloud Platform is listed as an LLM subprocessor 'with Zero Data Retention and Zero Data Training'.
// Security controls
Penetration testing
Third-party penetration tests / assessments performed and published in trust center (e.g. 'Su-Sea Sep 2025 Mobile Assessment', 'Su-Sea Sep 2025 API Assessment Report'). 'Penetration testing performed' listed as a product security control.
trust.you.comBug bounty / VDP
No public HackerOne or Bugcrowd bug bounty program found. Security contact published as security@you.com. Relies on third-party pentests rather than a public crowdsourced program.
trust.you.comEncryption
TLS in transit ('All our communications and websites are encrypted using transport layer security'); 'Data encryption utilized' and 'Encryption key access restricted' listed as controls. Portable media encrypted.
you.comZero Data Retention
Optional ZDR: 'All queries and data can be automatically purged' giving customers control over what is stored and for how long; ZDR available on Team/Enterprise plans and API.
you.comAccess control & infrastructure
Unique production database authentication enforced, unique account authentication enforced, asset disposal procedures, production inventory maintained; documented Access Control, Asset Management, and Business Continuity / Disaster Recovery policies.
trust.you.comIncident response
Documented Incident Response Plan with a GDPR addendum and breach notification procedures published in the trust center.
trust.you.comSubprocessors
Disclosed subprocessors include AWS (US hosting), Google Cloud Platform (US, LLM provider with ZDR/Zero Data Training), Cloudflare (CDN/DNS/abuse prevention), Osano (privacy ops), Baseten (added Apr 2026).
trust.you.com// Products & data scope
data: Real-time web search results; queries can be purged via ZDR; not used to train third-party models.
Marketed as enterprise-grade with custom QPS limits and DPA-ready.
data: Fetches/cleans page content from supplied URLs; same ZDR and no-training posture as Search API.
Returns full page content in chosen formats (HTML, etc.).
data: Generates cited, grounded answers; inputs/outputs subject to ZDR option.
Configurable research effort levels.
data: Domain-specific financial research over web data; same data-handling controls.
Newer product, ranked #1 on FinSearchComp per vendor.
data: Consumer free tier collects usage data and may fund services via ads; Team/Enterprise plans add 'No Model Training' and optional Zero Data Retention with DPA and tighter controls.
Data/compliance scope is stronger on Team/Enterprise than on the consumer free tier.
// What to watch
- ZDR and No Model Training are opt-in / plan-dependent (Team/Enterprise/API), not the default for the consumer free tier, which also uses data for ads and product analytics.
- Legal entity is Su-Sea, Inc. (dba you.com); trust-center documents are named under 'Su-Sea'.
- No public bug bounty program (HackerOne/Bugcrowd); security relies on third-party pentests and a security@you.com contact.
- No ISO 27001 or HIPAA evidence found - marked unknown, not absent-claimed.
// At a glance
Pricing model
Free API trial plus usage-based paid API tiers; consumer free tier and paid Team/Enterprise plans (MSA + DPA for enterprise).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on You.com (Su-Sea, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.you.com