Blackbox AI
Conditional
This vendor has a Conditional readiness band with a score of 50 out of 100. Strongest evidence includes enterprise terms stating it does not train on customer data and no known breaches in Have I Been Pwned. However, the vendor's governance readiness was recently downgraded from Conditional to High Risk, meaning its overall governance posture dropped a tier. Buyers should re-check whether this vendor still meets their bar before renewal or expansion and request a Data Processing Agreement during procurement.
Readiness Breakdown deterministic · evidence-only
- Independent Certification No third-party audit report on file — only vendor-stated claims.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), HIPAA.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement No public DPA located — request one during procurement.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 3 legal/policy documents publicly tracked.
Ask This in Your Security Review 4 open items
- Independent CertificationRequest the current third-party audit report (SOC 2 Type II / ISO 27001 certificate).
- Data Processing AgreementRequest the Data Processing Agreement (DPA) and current sub-processor list.
- Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
- Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| HIPAA | Not publicly verified | — |
| BAA Available (HIPAA) | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Base Price (USD) |
10
“Pro Full AI power for $10/month.”vendor's exact wording |
https://www.blackbox.ai/pricing |
| Data Residency |
['United States']
“We process your Personal Data on our systems in the United States.”vendor's exact wording |
https://www.blackbox.ai/privacy-policy |
| Data Retention key clause |
duration of your continued access to the Service
“Blackbox AI Technologies will retain your Personal Data for the duration of your continued access to the Service and for the purposes set out in this Privacy Policy.”vendor's exact wording |
https://www.blackbox.ai/privacy-policy |
| IP / Content Ownership key clause |
True
“Blackbox does not claim any rights in Results, and you retain ownership of your Code, subject to the provisions set forth in Section 4.3.”vendor's exact wording |
https://www.blackbox.ai/terms-of-service |
| Trains on Customer Data key clause |
Free / Pro:
trains on data
Free tier: data is used for training, no explicit opt-out. Pro/Pro+: manual opt-out required.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Common compliance questions
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Pricing | https://www.blackbox.ai/pricing |
| Privacy | https://www.blackbox.ai/privacy-policy |
| Tos | https://www.blackbox.ai/terms-of-service |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Data Processing Addendum (DPA) | On request / trust portal | No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>). |
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
Continuous Monitoring change-tracking active
2 legal & policy documents under change-monitoring since 2026-06-11. 1 tracked change detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-08 | Governance Readiness Change |
Governance readiness downgraded: Conditional → High Risk.
What this means: This vendor's overall governance posture dropped a tier — re-check whether it still meets your bar before renewal or expansion. See the vendor brief for the contributing factors.
|
Search the Legal Documents verbatim · cited
Search Blackbox AI's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Blackbox AI — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Blackbox AI changes something that affects your risk. Built for procurement & security teams.