Character.ai

Week 2026-W17 · 26 Apr 2026 Vendor-Neutral

38 /100 Notable Concerns

★★★★★

2.0/5 (62)

↓ PDF Report

AUDITOR SUMMARY

Strength: Character.ai offers a highly engaging and customizable AI character interaction platform, demonstrating strong consumer appeal and innovative AI application.

Trust Score Trend

12-month rolling window

Week 1 of 2 — Trust score tracking has begun

Return next week for historical trend visualization.

View all reports → or See Scoring Methodology →

Trust Score 38/100 EVALUATE

Est. Annual Cost See TCO ↓ 100 users / yr

Top Risk HIGH Reliability Overall: High

Priority Action Review report ↓ ↓ PDF · TCO · Hardening

Compliance

0/35

Legal / IP

15/25

Security

18/25

Market

5/15

Sub-total

38/100

Raise this score: Request SOC2 Type II report from vendor +15 pts · Require vendor to provide GDPR DPA +10 pts · Verify ISO 27001 certification +10 pts

This report updates every week. Weekly AI vendor intelligence — trust scores, contract red flags, competitive shifts.

02Weekly Intelligence

This Week's Intelligence

Trust 38

Security 40

Legal 35

No new events — monitoring active.

KEY TAKEAWAY

Initial audit baseline — Character.ai exhibits significant enterprise risk due to transparency gaps in legal, security, and financial domains.

This Week's Actions

ACTInitiate direct vendor engagement to clarify data privacy and IP policies.
ACTRequest comprehensive security documentation and DPA for legal review.
ACTAssess the long-term viability of the vendor given undisclosed financial status.

Get alerts when Character.ai's score changes

Cumulative Intelligence

Patterns and signals detected over time — based on 28+ community data points from GitHub, X/Twitter, Reddit, Hacker News, Stack Overflow

Patterns Detected

Consistent pattern of undisclosed legal and security policies, indicating a consumer-first approach without enterprise-grade transparency.
Recurring community sentiment regarding product updates causing dissatisfaction, suggesting potential instability in development cycles.

Long-term Trends

Initial audit baseline: Character.ai demonstrates significant gaps in enterprise readiness, particularly in legal, security, and financial transparency.
The platform's consumer popularity contrasts sharply with its lack of enterprise-grade features and compliance documentation.

Strategic Insights

Category Benchmark

How Character.ai compares to 6 other tools in this category.

Your Score vs Category

Worst: 20 Avg: 66 You: 38 Best: 75

14th

Percentile in Category

-37

Gap to ChatGPT

↓ Below

Category Average (66)

03Verdict & Recommendation

Enterprise Verdict

× Extended Due Diligence Required

Risk: High 28 sources

Key Strength

Detailed community analysis available in report body

Required Before Approval

Request and review SOC2 Type II audit report
Execute signed Data Processing Agreement (DPA)

Before You Sign

Procurement checklist — complete these before committing budget.

🔴 HIGH General

Type II covers a time period of operation; Type I is a point-in-time snapshot that provides weaker assurance.

🔴 HIGH General

GDPR Article 28 requires a DPA with any processor. Without it, you carry the compliance liability.

🟡 MEDIUM General

If the tool produces content that infringes on third-party IP, you need contractual protection against infringement claims.

🟢 LOW General

Ensure you can retrieve your data within 30 days of cancellation in standard formats (CSV, JSON, API).

Enterprise Contract Requirements

7 clauses generated from audit findings — add these to your vendor agreement before signing.

Must-Add Clauses (Top 3 Priority)

AI Training Data Exclusion CRITICAL
Data Processing Agreement (GDPR Article 28) CRITICAL
IP Ownership & Indemnification HIGH

CRITICAL Data & AI Training AI Training Data Exclusion Expand

Vendor shall not use Customer Data, including code, prompts, or generated outputs, to train, fine-tune, or evaluate any AI or machine learning model. This prohibition extends to all sub-processors and affiliates. Violation constitutes a material breach.

CRITICAL GDPR / Data Processing Data Processing Agreement (GDPR Article 28) Expand

A Data Processing Agreement compliant with GDPR Article 28 must be executed prior to any data transfer. The DPA must identify all sub-processors, specify data retention periods, and provide for the right to audit.

HIGH Intellectual Property IP Ownership & Indemnification Expand

All code, suggestions, completions, and outputs generated for Customer constitute Customer's intellectual property. Vendor shall indemnify and defend Customer against any third-party IP infringement claims arising from use of the Service.

HIGH Liability Liability Cap Expand

Vendor's aggregate liability for any claim shall not exceed the greater of (a) fees paid in the 12 months preceding the claim or (b) $500,000. This cap shall not apply to breaches of confidentiality or indemnification obligations.

HIGH Exit & Portability Data Export & Exit Rights Expand

Upon termination, Vendor shall provide Customer with a complete export of all Customer Data in machine-readable format (JSON or CSV) within 30 days at no charge. Vendor shall retain Customer Data for 90 days post-termination solely for export purposes.

MEDIUM Contract Terms Auto-Renewal Opt-Out Expand

This Agreement shall not auto-renew unless Customer provides written confirmation no later than 60 days before the renewal date. Vendor shall provide written notice of upcoming renewal no later than 90 days before the renewal date.

MEDIUM Security Security Incident Notification Expand

Vendor shall notify Customer of any confirmed or suspected security incident affecting Customer Data within 48 hours of discovery. Notification shall include nature of the incident, data affected, and remediation steps taken.

04Risk Assessment

Risk Assessment

Seven-category enterprise risk analysis derived from community and vendor signals. Each card shows the evidence tier and the underlying finding.

High Reliability Community Data

Vendor viability score: 40/100. No community-reported outages or reliability incidents found in recent data.

Critical Cost Predictability Community Data

Vendor financial stability score: 40/100. Total funding raised: unknown. Enterprises should negotiate fixed-rate contracts and monitor pricing changes.

High Vendor Lock-in Community Data

Data export status unclear. Integration score: 0/100. Webhooks available, reducing lock-in risk.

Critical Data Privacy Community Data

Compliance score: 40/100. GDPR: unknown. Encryption at rest: unknown.

Medium Compliance Posture Community Data

SOC 2: none. ISO 27001: none. Overall compliance score: 40/100.

Medium AI Transparency Community Data

No training on user data detected. Code ownership terms unclear. Legal/ToS risk score: 65/100.

Verified — Confirmed by vendor documentation or disclosure Community — Derived from developer forums, GitHub, and community reports

05Security & Compliance

Security & Compliance

SOC 2 ✕ Not Certified

ISO 27001 ✕ Not Certified

GDPR ✕ Not Certified

HIPAA ✕ N/A

Data Security

Encryption (At Rest): Unknown

Encryption (In Transit): Unknown

Security Features

✓ SSO

⚠ MFA

Security Score:

40/100

Last verified: 26 Apr 2026

Compliance Framework Matrix

[EU]

EU AI Act

European AI Regulation (2024)

limited

[US]

NIST AI RMF

AI Risk Management Framework

[Cloud]

CSA CAIQ

Cloud Security Alliance

[Global]

ISO/IEC 42001

AI Management System

New risk signals detected weekly. Weekly AI vendor intelligence — trust scores, contract red flags, competitive shifts.

06Legal & Intellectual Property

Legal & IP Risk

IP Ownership

User Code: Unclear IP Ownership. The terms do not provide explicit legal protection for generated outputs. Enterprise legal review required before deployment in regulated industries.

Training Data: Undisclosed by Vendor (High Risk). The vendor's public documentation does not explicitly state whether customer data is excluded from model training. Per enterprise security policy, this must be treated as implicit consent unless a written opt-out DPA is provided.

Output Copyright: unknown

Liability & Indemnification

IP Indemnification: Not publicly disclosed — Vendor Liability Risk. The vendor's terms do not explicitly offer IP indemnification, leaving the enterprise exposed to potential infringement claims. Cap: unknown

Liability Cap: Undisclosed

Warranty: unknown

Exit Terms

Export Data Export: Undisclosed — Opaque Data Lifecycle. The policy does not specify data export capabilities or formats upon contract termination, posing a vendor lock-in risk.

Transition Transition: unknown

Deletion Deletion: Opaque Data Lifecycle. The policy buyers may want to verify availability of specific retention timeframes and automated deletion commitments, posing a compliance risk for GDPR/CCPA regulated entities. Request a written DPA before deployment.

ToS Red Flags

Critical

Exposes enterprise data to potential training sets, leading to IP leakage and compliance violations.

"We collect information from you. The types of information we collect depend on how you use our Services."

High

Ambiguity over who owns the output generated by the AI poses significant legal risks for proprietary content.

"Your content you submit, such as chat communications, posted images or videos, biography description, and shared Characters;"

High

Leaves the enterprise liable for potential intellectual property infringement claims arising from tool usage.

High

Non-compliance with data governance regulations (GDPR, CCPA) due to lack of clear data lifecycle management.

"If you do not provide us with such information, or if you ask us to delete that information, you may no longer be able to access or use certain Services."

Medium

Creates vendor lock-in and increases migration costs and complexity if the service needs to be discontinued.

Legal Risk Score:

65/100

Data & Migration Lock-in Risk

Risk Level high

Data Portability Undisclosed — Opaque Data Lifecycle. The policy does not specify data export capabilities or formats upon contract termination, posing a vendor lock-in risk.

Switching Cost Estimate: 4-8 weeks of engineering and legal time

Lock-in Factors:

Proprietary AI models and character definitions.
Undisclosed data export formats and processes.
Deep integration of conversational workflows into user habits.
Lack of API for programmatic data extraction.

The risk of vendor lock-in is high due to the proprietary nature of the AI models and the lack of documented data export capabilities. Migrating conversational data and character definitions to an alternative platform would likely involve significant manual effort and custom development, incurring substantial switching costs.

Last verified: 26 Apr 2026

Exit & Migration Risk

How hard is it to leave? Assess lock-in before you commit.

Lock-in Score

50/10

🟡 MODERATE LOCK-IN

Data Portability Unknown

API Available No

Auto-Renewal Clause Not Detected

Termination Notice 30 days

⚠ Contract Red Flags

Auto-renewal terms and data export rights not publicly documented — verify before signing.

Migration Notes: Full contract terms for Character.ai require direct vendor engagement. Ensure data portability on exit, notice period, and pricing lock clauses are negotiated before execution.

07Financial Analysis

Vendor Financial Health

📈 Viability Signals

Stability: 50/100

No public financial data available for Character.ai. Treat as elevated viability risk for long-term enterprise contracts; request audited financials or escrow agreement if vendor is critical infrastructure.

Character.ai

unknown Founded 2021

unknown Employees

Funding Status

        Total Raised
        unknown
      

Valuation unknown

Last Round unknown

Runway unknown

CONFIDENTIAL TCO & FUNDING ANALYSIS

Estimated Runway Total Raised: unknown

True Total Cost of Ownership (100 Users)

Base Monthly Cost 3000

Integration & Add-on Costs 1000

Total Annual Cost Estimate 40000

Financial Stability Score:

40/100

RISKY

TCO Calculator

Custom TCO Assessment Required

This vendor's enterprise pricing data is currently under review by our analyst network or requires custom scoping. Contact us for a free, independent TCO assessment tailored to your organization's deployment size.

Request TCO Assessment →

Last verified: 26 Apr 2026

08Contract & Procurement

Pricing Tier Risk Analysis

Per-tier compliance posture data is being collected for this vendor. Check back after the next weekly refresh, or contact the vendor directly to request enterprise tier documentation (SOC 2, DPA, audit logs).

09Community & Market Signals

Community Evidence

Sentiment analysis and recurring issues from developer & enterprise community signals this week. 🟢 Vendor Data 🟠 Community Signal

Recurring Issues

Community reports potential for addiction and negative mental health impacts from prolonged use. 🟠 Community 0 mentions medium → Stable

Users discuss 'worst update ever' indicating potential for disruptive changes to user experience. 🟠 Community 0 mentions medium → Stable

Lack of clear data privacy and IP ownership policies for user-generated content. 🟠 Community 0 mentions medium → Stable

Community Evidence This Week

Specific signals from GitHub, Hacker News, Reddit, Stack Overflow, and the web — what the community is actually saying

🌐 Web Findings

Youtube_Yt_Dlp How Character.ai slowly destroys your mental health | The C.ai addiction iceberg

Signal from youtube

Youtube_Yt_Dlp The Best Character ai Alternative With No Filters?

Signal from youtube

Youtube_Yt_Dlp The Massive Problem With Character.AI

Signal from youtube

Youtube_Yt_Dlp What is Character.ai and How to Use it?

Signal from youtube

Due Diligence Alerts

Priority reviews, recommended inquiries, and verified strengths — based on 28+ community data points

Recommended Inquiry Critical AI Training Data Policy Not Explicitly Disclosed in ToS

The vendor's public documentation does not explicitly state whether customer data is excluded from model training, which is a critical compliance risk.