Perplexity
Enterprise-Ready
This vendor is rated Enterprise-Ready with a score of 81 out of 100. Strong evidence includes confirmed SOC 2 Type 2 certification via their trust portal, with audit reports available under NDA. A key gap is the absence of a publicly available Data Processing Agreement. The buyer should request a Data Processing Agreement during procurement.
Readiness Breakdown deterministic · evidence-only
- Independent Certification: SOC 2 / ISO certifications confirmed via the vendor's trust portal (SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance: Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, SOC 2.
- Customer-Data Training: Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement: No public DPA located — request one during procurement.
- Breach History: No known breaches in Have I Been Pwned.
- Vulnerability Exposure: No product identity match in vulnerability databases — not assessed.
- Email Spoofing Protection (DMARC): DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy: Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate: Valid TLS certificate in place.
- Legal Transparency: 1 legal/policy document(s) tracked.
Ask This in Your Security Review 2 open items
- Data Processing Agreement: Request the Data Processing Agreement (DPA) and current sub-processor list.
- Vulnerability Exposure: Request the remediation timeline / patch status for known CVEs (and any KEV-listed items).
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| GDPR | Stated by vendor | https://trust.perplexity.ai/ |
| HIPAA | Stated by vendor | https://trust.perplexity.ai/ |
| SOC 2 | Stated by vendor | https://trust.perplexity.ai/ |
| BAA Available (HIPAA) | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Trains on Customer Data (key clause): Free / Pro | Trains on data. Your search data is used to improve Perplexity's AI models by default — opt out under Settings. Synced email/calendar data is never used for training. | see per-tier citations |
| Trains on Customer Data (key clause): Enterprise | Does not train. Enterprise Pro & Sonar API: Perplexity never trains its LLMs on your data; contracts with OpenAI/Anthropic prohibit training. Enterprise files auto-delete after 7 days; API is zero-retention. | see per-tier citations |
Security Posture authoritative · cited
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| SOC2 TYPE2 | Available via Trust Center | https://www.perplexity.ai/enterprise/security |
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Trust | https://trust.perplexity.ai/ |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Data Processing Addendum (DPA) | On request / trust portal | No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>). |
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs.