AI Vendor Security & Compliance Brief

Blackbox AI logo Blackbox AI

Independent due-diligence summary · every fact links to the vendor's official source
7 source-cited facts
0 independently verified certs
3 legal documents tracked
Generated 2026-07-03
50/100
AI Governance Readiness

Conditional

This vendor has a Conditional readiness band with a score of 50 out of 100. Strongest evidence includes enterprise terms stating it does not train on customer data and no known breaches in Have I Been Pwned. However, the vendor's governance readiness was recently downgraded from Conditional to High Risk, meaning its overall governance posture dropped a tier. Buyers should re-check whether this vendor still meets their bar before renewal or expansion and request a Data Processing Agreement during procurement.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification No third-party audit report on file — only vendor-stated claims.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), HIPAA.
  • Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement No public DPA located — request one during procurement.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 3 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review 4 open items

  • Independent CertificationRequest the current third-party audit report (SOC 2 Type II / ISO 27001 certificate).
  • Data Processing AgreementRequest the Data Processing Agreement (DPA) and current sub-processor list.
  • Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
  • Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.

Compliance Posture vendor-stated · cited

FrameworkStatusSource
HIPAA Not publicly verified
BAA Available (HIPAA) Not publicly verified
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

AttributeValueSource
Base Price (USD) 10
“Pro Full AI power for $10/month.”vendor's exact wording
https://www.blackbox.ai/pricing
Data Residency ['United States']
“We process your Personal Data on our systems in the United States.”vendor's exact wording
https://www.blackbox.ai/privacy-policy
Data Retention key clause duration of your continued access to the Service
“Blackbox AI Technologies will retain your Personal Data for the duration of your continued access to the Service and for the purposes set out in this Privacy Policy.”vendor's exact wording
https://www.blackbox.ai/privacy-policy
IP / Content Ownership key clause True
“Blackbox does not claim any rights in Results, and you retain ownership of your Code, subject to the provisions set forth in Section 4.3.”vendor's exact wording
https://www.blackbox.ai/terms-of-service
Trains on Customer Data key clause
Free / Pro: trains on data Free tier: data is used for training, no explicit opt-out. Pro/Pro+: manual opt-out required. cited →
Enterprise: does not train Enterprise: automatic opt-out (ZDR). BAA available on request. cited →
see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Not applicable
No CVE/CPE software identity is mapped to this hosted service; known-vulnerability tracking does not apply to the service identity assessed here.
Vulnerability Disclosure Policy (security.txt) None found
Queried the authoritative source; no records.
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) Not applicable
Privately held — not a US-listed public company, so no SEC 8-K cyber-incident reporting obligation applies.

Common compliance questions

Each answer is grounded in the cited evidence above — with an honest "no evidence on file" where nothing is published.

Tracked Legal & Policy Documents

DocumentURL
Pricing https://www.blackbox.ai/pricing
Privacy https://www.blackbox.ai/privacy-policy
Tos https://www.blackbox.ai/terms-of-service

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

DocumentAvailabilityHow to obtain
Data Processing Addendum (DPA) On request / trust portal No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>).
Sub-processor List Trust portal / on request A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team.
Business Associate Agreement (BAA) On request (HIPAA only) A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA.
Master Services Agreement (MSA) Negotiated per contract The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement.
Service Level Agreement (SLA) Enterprise tier A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments.

Continuous Monitoring change-tracking active

2 legal & policy documents under change-monitoring since 2026-06-11. 1 tracked change detected since baseline.

PrivacyTos
DetectedChangeDetail
2026-06-08 Governance Readiness Change Governance readiness downgraded: Conditional → High Risk.
What this means: This vendor's overall governance posture dropped a tier — re-check whether it still meets your bar before renewal or expansion. See the vendor brief for the contributing factors.

View full Blackbox AI change history →

Search the Legal Documents verbatim · cited

Search Blackbox AI's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.

Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.

Monitor Blackbox AI — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Blackbox AI changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.