When you see a letter grade next to an AI tool on TrustGrade, it represents a composite assessment of that tool's security, privacy, and trustworthiness. But what does a Grade A actually mean? What separates a B from a C? And when should you care about the difference between a D and an F?
This guide breaks down TrustGrade's rating system in plain language. You will learn exactly what gets checked, how scores are calculated, what each grade means for your data, and how to use grades to make better decisions about which AI tools to trust.
How Trust Scores Are Calculated
Every AI tool in the TrustGrade database receives a numeric trust score from 0 to 100. This score is calculated from four weighted components, each evaluating a different dimension of the tool's security posture:
SSL and Transport Security (30% of score)
This component checks whether the tool encrypts data in transit between your browser and its servers. Our automated scanner verifies:
- Whether the site loads over HTTPS with a valid, non-expired SSL/TLS certificate
- Whether the certificate is issued by a recognized certificate authority
- Whether HTTP traffic is properly redirected to HTTPS
- The TLS protocol version (1.2 minimum, 1.3 preferred)
SSL carries the heaviest weight (tied with privacy) because it is the foundation of data protection. If the connection between you and the tool is not encrypted, nothing else matters. A tool that fails the SSL check receives a score of zero for this component, which typically results in a Grade D or F regardless of other factors.
Privacy Policy Quality (30% of score)
This component evaluates the tool's privacy policy for completeness, clarity, and how well it protects user data. Our assessment checks for:
- Existence: Does the tool have a publicly accessible privacy policy?
- Data collection disclosure: Does the policy clearly state what data is collected and why?
- Model training disclosure: Does the policy address whether user data is used to train AI models?
- Data retention: Does the policy specify how long data is kept?
- Third-party sharing: Does the policy disclose what data is shared with third parties and why?
- User rights: Does the policy explain how users can access, modify, or delete their data?
- Contact information: Is there a clear way to reach someone about privacy concerns?
A tool with no privacy policy receives zero for this component. A tool with a comprehensive, specific policy that addresses all of these points scores highly. Vague or template-like policies that do not address AI-specific concerns (like model training) score in the middle range.
Security Certifications (20% of score)
This component checks whether the tool holds recognized third-party security certifications. The certifications we check for include:
AI Tool Certification Counts — Live Data
Each certification contributes to the score, with SOC 2 Type II and ISO 27001 carrying the most weight as they require the most rigorous third-party auditing. A tool does not need every certification to score well on this component. One major certification (SOC 2 or ISO 27001) is usually sufficient to score above average. Multiple certifications push the score higher.
Certifications carry 20% of the total weight because they are one of the strongest objective signals of security investment. Unlike privacy policies (which a company writes itself) or security headers (which are technical configurations), certifications require an independent auditor to verify practices over an extended period.
Security Headers and Technical Cleanliness (20% of score)
This component evaluates the technical security of the tool's web presence by checking for the presence and configuration of HTTP security headers:
- Strict-Transport-Security (HSTS): Forces HTTPS and prevents downgrade attacks
- Content-Security-Policy (CSP): Mitigates cross-site scripting and injection attacks
- X-Content-Type-Options: Prevents MIME-type sniffing attacks
- X-Frame-Options / frame-ancestors: Prevents clickjacking
- Referrer-Policy: Controls referrer information leakage
- Permissions-Policy: Restricts browser API access
We also check for signals of “cleanliness”: the absence of excessive third-party trackers, advertising scripts, and other elements that increase the attack surface and reduce privacy. A tool with all recommended security headers and minimal third-party scripts scores highly. A tool missing most headers and loaded with trackers scores poorly.
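The header checks listed above can be reproduced against any captured set of response headers. The following is an added example, not TrustGrade's scanner code; the pass criteria (minimum HSTS max-age, the set of strict referrer policies, rejecting 'unsafe-inline') and the sample headers are assumptions made for illustration.

```python
import re

# Constructed sample response headers; not captured from any real tool.
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

MIN_HSTS_AGE = 15552000  # assumed threshold (180 days); the page gives none
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}  # assumed acceptable set

def parse_csp(value):
    """Split a CSP string into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """Return {check: bool} for the six headers in the list above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    m = re.search(r"max-age\s*=\s*\"?(\d+)",
                  h.get("strict-transport-security", ""), re.I)
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when it is absent
    script_src = csp.get("script-src", csp.get("default-src"))
    xfo = h.get("x-frame-options", "").upper()
    # Simplification: treat the last comma-separated value as the effective one
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    return {
        "hsts": bool(m) and int(m.group(1)) >= MIN_HSTS_AGE,
        "csp": script_src is not None and "'unsafe-inline'" not in script_src,
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        # Either the legacy header or the CSP directive counts
        "framing": xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
        "referrer_policy": referrer in STRICT_REFERRER,
        "permissions_policy": bool(h.get("permissions-policy")),
    }

def failed_checks(headers):
    """Names of checks that did not pass, in audit order."""
    return [name for name, ok in audit_headers(headers).items() if not ok]

if __name__ == "__main__":
    print(failed_checks(SAMPLE))
```

On the constructed sample, framing protection passes through the CSP frame-ancestors directive even though X-Frame-Options is absent, while the permissive Referrer-Policy and the missing Permissions-Policy are reported as gaps.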
The Grade Scale: A Through F
The numeric score (0-100) maps to a letter grade using the following thresholds. Here is what each grade means in practical terms, and what kind of data you should feel comfortable sharing with a tool at each level.
Trust Grade Distribution — Live Data
Across 822 assessed AI tools
Grade A: Excellent (Score 90-100)
A Grade A tool represents the highest level of trust in our system. These tools have demonstrated excellence across all four evaluation components.
What it means:
- Valid, properly configured SSL with modern TLS
- Comprehensive privacy policy that specifically addresses AI data handling, model training, retention, and user rights
- One or more major security certifications (SOC 2 Type II, ISO 27001)
- Strong security headers including CSP and HSTS
- Minimal third-party tracking and clean technical footprint
Appropriate for:
- Proprietary source code and architecture documents
- Customer personal data (with appropriate agreements)
- Confidential business strategies and financial data
- Regulated data (healthcare, legal, financial) when combined with appropriate certifications
- Enterprise-wide deployment
Grade A tools are the ones you should reach for when the data you are processing could cause real harm if exposed. These tools have invested significantly in earning trust, and they have the third-party verification to prove it.
Grade B: Good (Score 75-89)
A Grade B tool is solidly trustworthy, with strong performance on most evaluation criteria and only minor gaps.
What it means:
- Valid SSL with proper configuration
- Good privacy policy that addresses most key concerns, though may lack specificity in some areas
- May have one certification or be in the process of obtaining one
- Most security headers present, with minor gaps
Appropriate for:
- Internal business documents and presentations
- Draft content and creative work
- General business data that is sensitive but not regulated
- Team use with appropriate oversight
Grade B tools are strong choices for everyday business use. The gap between A and B often comes down to certification: a B-grade tool may have excellent security practices but has not yet undergone the formal audit process. If the tool is actively pursuing SOC 2 or ISO 27001, it may be worth monitoring for an upgrade.
Grade C: Fair (Score 55-74)
A Grade C tool meets basic security requirements but has notable gaps that limit the types of data you should share with it.
What it means:
- Valid SSL (basic transport security is in place)
- Privacy policy exists but may be vague, incomplete, or template-based
- No third-party security certifications
- Some security headers present but notable gaps
- May have significant third-party tracking
Appropriate for:
- Non-sensitive creative brainstorming
- General knowledge queries with no proprietary data
- Public-facing content editing
- Non-confidential tasks only
Grade C tools are functional and may have excellent AI capabilities, but their security posture has not matured enough for sensitive use. If you use a C-grade tool, be deliberate about what you share with it. Never paste customer data, proprietary code, or confidential business information into a tool at this level.
Grade D: Poor (Score 30-54)
A Grade D tool has significant security deficiencies that make it unsuitable for most business purposes.
What it means:
- SSL may be present but with issues (mixed content, weak configuration)
- Privacy policy is missing, severely inadequate, or raises concerns (e.g., claims broad rights to user content)
- No certifications
- Most security headers missing
- May have heavy third-party tracking
Appropriate for:
- Casual personal use with non-sensitive queries
- Evaluation and testing purposes only
- Never for business data of any kind
Grade D tools should be treated with caution. While some D-grade tools may be early-stage products from legitimate companies that simply have not invested in security yet, the current state of their security infrastructure means you are taking on meaningful risk by sharing data with them.
Grade F: Fail (Score 0-29)
A Grade F tool has fundamental security failures that make it unsafe for any use involving personal or business data.
What it means:
- SSL may be missing entirely, or has critical issues
- No privacy policy or a policy that explicitly permits unrestricted data use
- No certifications of any kind
- Minimal or no security headers
- May show signs of poor technical maintenance (expired certs, server errors)
Appropriate for:
- Nothing involving any form of sensitive data
- We recommend avoiding F-grade tools entirely when alternatives exist in the same category
An F grade is a serious red flag. It indicates either a complete disregard for security or a tool that is too early-stage to have basic infrastructure in place. In either case, your data is at risk.
How to Use Grades in Your Decision-Making
Trust grades are most useful as a first filter, not a final decision. Here is a practical framework for using them:
Step 1: Define your data sensitivity
Before evaluating any tool, classify the data you will share with it:
- Critical: Customer PII, financial data, healthcare records, proprietary source code, trade secrets. Requires Grade A.
- Sensitive: Internal documents, business strategies, unpublished content, employee data. Requires Grade A or B.
- General: Non-proprietary research, public information, general queries. Grade B or C is acceptable.
- Non-sensitive: Public-facing content, general brainstorming, educational queries. Any passing grade works.
Step 2: Filter by grade
Use the TrustGrade tools directory to filter by grade. You can view all Grade A tools, Grade B tools, or any other grade level. This immediately narrows your evaluation to tools that meet your minimum security requirements.
Step 3: Evaluate within the grade
Within a grade level, compare tools on their specific strengths. One Grade A tool might have SOC 2 but not HIPAA, while another has both. One might have a stronger CSP configuration while another has a more comprehensive privacy policy. The grade tells you the floor; the details help you find the best fit.
Step 4: Re-evaluate periodically
Trust scores change. Tools invest in security over time, certifications expire or are renewed, and privacy policies get updated. A tool that was a C six months ago might be a B today. TrustGrade's automated assessments continuously update, so check back periodically to see if tools you have previously evaluated have improved or declined.
Common Questions About Trust Grades
Can a tool have great AI capabilities and a poor trust grade?
Absolutely. Trust grades measure security and privacy, not AI quality. Some of the most capable AI tools in the market have mediocre trust scores because they have prioritized model performance over security infrastructure. Conversely, some tools with strong trust grades have less impressive AI features. The ideal is a tool that excels at both, and the market is increasingly rewarding tools that invest in both.
Is a Grade B tool actually unsafe?
No. Grade B tools are solidly trustworthy and appropriate for most business use cases. The difference between A and B is often the presence of third-party certifications, which is a meaningful indicator of security investment but does not mean a B-grade tool has weak security. Think of it like a restaurant health inspection: an A means they exceeded every standard, a B means they met standards with minor points for improvement.
Do grades account for the AI model provider?
Grades evaluate the tool you interact with, not its upstream providers. A tool built on OpenAI's API is evaluated on its own security practices (its SSL, its privacy policy, its certifications), not OpenAI's. This is important because the tool adds its own layer of data handling on top of whatever the underlying model provider does.
How often are grades updated?
TrustGrade runs automated assessments on a regular cycle, re-scanning tools to detect changes in SSL configuration, privacy policies, security headers, and certification status. Significant changes trigger grade updates. You can always see the most current grade on a tool's profile in the tools directory.
Start Evaluating
Now that you understand what the grades mean, put that knowledge to work. Browse the TrustGrade database to check the trust grade of AI tools you are currently using or considering. For a complete evaluation methodology, read our complete guide to evaluating AI tool trustworthiness. And for a quick, practical evaluation you can run yourself, grab our 10-point security checklist.
The right grade for your use case depends on what you are protecting. Understand the data, match it to the appropriate trust level, and make your choice with confidence.