Perplexity is a US-incorporated, San Francisco-based AI company operating a real-time web search and answer engine powered by its proprietary Sonar models (fine-tuned on Meta's Llama) and third-party frontier models. As a US entity, it is fully exposed to CLOUD Act and FISA Section 702 obligations, which is a material concern for EU regulated-sector customers processing confidential data. The company carries an escalating legal burden — active copyright lawsuits from CNN, The New York Times, Dow Jones, News Corp, Reddit, and others — alongside a 2026 class-action alleging that tracking pixels shared conversational data with Meta and Google even in Incognito mode; EU customers should treat these as unresolved reputational and data-governance risks pending judicial outcomes.
Perplexity AI, Inc. is a US-incorporated company, fully subject to CLOUD Act and FISA Section 702. US authorities can compel production of customer data — including EU users' data — without EU judicial oversight or notification to the data subject. The current Stav catalogue value ('false') is incorrect and must be urgently corrected.
A March 2026 proposed class-action alleges Perplexity used Meta Pixel, Google Ads, DoubleClick, and Meta's Conversions API to share users' conversational data with Meta and Google — including users in Incognito mode. If proven, this constitutes a serious GDPR breach for EU users. Case unresolved as of June 2026.
Active copyright litigation from CNN, The New York Times, Dow Jones/News Corp, Chicago Tribune, Reddit, Merriam-Webster, Encyclopedia Britannica, and Yomiuri Shimbun over alleged content scraping and redistribution without authorisation. No major cases have settled; this litigation stack represents both financial and reputational risk.
Consumer and free-tier products use tracking technologies (Google Analytics, Meta Pixel) without GDPR-compliant opt-in consent. EU legal analysts have flagged the 'legitimate interest' legal basis used for analytics as problematic under GDPR. Only enterprise tier provides meaningful contractual data-protection guarantees.
No public EU AI Act compliance statement, GPAI transparency documentation, or Code of Practice participation has been published as of June 2026 — despite GPAI obligations having been applicable since 2 August 2025. EU deployers using Perplexity in regulated contexts bear this compliance gap.
No EU legal entity or confirmed EU data residency option. Data transfers to the US rely on EU SCCs and claimed Data Privacy Framework certification. The DPF mechanism has faced legal challenges. Absence of EU data localisation is material for EU financial, health, and government sector customers.
Investor 1789 Capital, associated with Donald Trump Jr., has taken a stake in Perplexity. While there is no evidence of operational influence, this association may create perception risk for some EU public-sector or regulated-sector customers who prioritise political neutrality in their vendor supply chains.
SOC 2 Type II certification applies only to the Enterprise tier. Consumer and standard Pro tiers lack SOC 2 compliance, ISO 27001, and enterprise-grade security controls. Regulated-sector customers using free or Pro-individual tiers would have insufficient security assurance.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
SOC 2 Type II compliance confirmed for Enterprise tier. Annual third-party penetration tests, Bugcrowd private bug bounty programme, and public VDP all documented on official security page.
Publicly available Data Processing Addendum (DPA) covering EU SCCs (Commission Decision 2021/914, Module 2) and UK GDPR International Data Transfer Addendum. DPA explicitly governs model providers as sub-processors with customer notification obligations.
Zero Data Retention policy for the Sonar API is documented in API developer docs: no prompts or responses retained, only billing metadata collected. Enterprise data contractually excluded from model training with annual sub-processor agreement reviews.
2026: Perplexity founded the Secure Intelligence Institute for AI security research in collaboration with academic and industry partners — a positive signal of long-term security investment.
Open-weight embedding models (pplx-embed-v1 family) released on HuggingFace with arXiv technical papers (e.g., arXiv:2602.11151). BrowseSafe agentic security model also open-released. Demonstrates selective but genuine research transparency.
Well-funded and rapidly scaling: multiple product launches in H1 2026 (Agent API, Comet browser, Perplexity Health, Model Council), Azure GPU capacity commitment, and Manhattan office expansion. No operational disruption signals.
Publisher licensing deals struck with European outlets Le Monde and Der Spiegel, demonstrating willingness to negotiate content agreements with European publishers rather than relying solely on fair-use arguments.
Privacy policy review
Creator profile
Perplexity is a United States entity. Training data and weights produced under United States jurisdiction are covered by the CLOUD Act.
Exposed on training. Inference is unaffected when hosted on Stav infrastructure inside the EEA.
Stav compliance has not yet scored Perplexity. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
““Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the tra...”
“With Perplexity Enterprise Pro being compliant with SOC2 Type II, organizations mitigate the threat of data leaks, black-box risks, and security compr...”
“In addition to conducting annual third-party penetration tests, we actively collaborate with researchers through our private Bug Bounty program on Bug...”
Perplexity’s primary offering is an online information retrieval system (search engine) that uses large language models to generate responses to user ...
Its development company, Perplexity AI, Inc., was founded in August 2022 and is headquartered in San Francisco, California.
Perplexity is privately held, incorporated in the United States and headquartered in San Francisco.
For EU users, Perplexity claims GDPR compliance through Data Privacy Framework certification and standard contractual clauses. Legal analysts note, ho...
“Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the tra...
The EU AI Act entered into force in July 2024 and introduces staged requirements for different AI systems. Starting August 2, 2025, the first binding ...
Perplexity also explicitly states that enterprise data is never used to train or fine-tune its AI models. For developers using the Perplexity Sonar AP...
Free/standard versions allow data to be used for model updates, but users can opt out of training in their Account Settings.
Active enterprise customer base (7,000+ Enterprise Pro customers including NVIDIA, Databricks, Stripe) and developer ecosystem (Discord, GitHub wrappers, HuggingFace model releases). Perplexity Health integrations signal expansion into regulated verticals.
Published safeguards & certifications
“Free/standard versions allow data to be used for model updates, but users can opt out of training in their Account Settings.”
“However, they lack SOC 2 compliance, ISO 27001 certifications, and enterprise-grade security protocols. Without granular administrative controls or da...”
“For EU users, Perplexity claims GDPR compliance through Data Privacy Framework certification and standard contractual clauses. Legal analysts note, ho...”
“Its development company, Perplexity AI, Inc., was founded in August 2022 and is headquartered in San Francisco, California.”
“Perplexity also explicitly states that enterprise data is never used to train or fine-tune its AI models. For developers using the Perplexity Sonar AP...”
“... CNN has filed a lawsuit against the AI company Perplexity, accusing it of unlawfully copying and distributing its content.”
“Perplexity’s primary offering is an online information retrieval system (search engine) that uses large language models to generate responses to user ...”
“The EU AI Act entered into force in July 2024 and introduces staged requirements for different AI systems. Starting August 2, 2025, the first binding ...”
“All models are built on diffusion continued pre-trained Qwen3 at Perplexity AI.”
“Perplexity is not aiming to be the most open AI company overall. Instead, it is focusing on strategically useful, specialized releases in areas adjace...”
“The New York Times, Dow Jones (parent of the Wall Street Journal), the New York Post, the Chicago Tribune, Encyclopedia Britannica, Merriam‑Webster, a...”
“A proposed class action filed on March 31, 2026, against Perplexity made that gap impossible to ignore. The complaint alleges that Perplexity used tra...”
“Perplexity is privately held, incorporated in the United States and headquartered in San Francisco.”
“Perplexity has also acquired 6 companies including Visual Electric and Invisible.”
“Perplexity relies on an in-house language model named Sonar. This model is based on open base models from Meta (Llama 3.x) and has been fine-tuned for...”