// Trust & Security Report

    Shutterstock, Inc. logo

    Shutterstock, Inc.

    Amper Music is an AI-driven music generation platform acquired by Shutterstock in November 2020. It enables users to create original, royalty-free music using AI composition. The platform is now integrated into Shutterstock's broader content ecosystem and is available via web app, mobile app (iOS/Android), and API for 10,000+ integrations.

    Certifications held

    0

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No public evidence of SOC 2 certification on Shutterstock's own domain; the only claim originates from a third-party aggregator (Nudge Security), which is not vendor-domain proof.

    source: shutterstock.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on Shutterstock's own domain; the only claim originates from a third-party aggregator (Nudge Security), which is not vendor-domain proof.

    source: shutterstock.com
    GDPR
    NOT CONFIRMED

    No public evidence of GDPR compliance on Shutterstock's own domain; the only claim originates from a third-party aggregator (Nudge Security), which is not vendor-domain proof.

    source: shutterstock.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or Business Associate Agreement support on the vendor domain. Shutterstock is a media licensing platform, not a healthcare covered entity or business associate; the third-party aggregator (Nudge Security) claim appears to be a false positive.

    source: shutterstock.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance on Shutterstock's own domain; the only claim originates from a third-party aggregator (Nudge Security), which is not vendor-domain proof.

    source: shutterstock.com
    FedRamp
    NOT CONFIRMED

    No public evidence of FedRAMP authorization. Shutterstock does not appear in the FedRAMP Marketplace (the public federal authorization registry); the third-party aggregator (Nudge Security) claim appears to be a false positive.

    source: marketplace.fedramp.gov
    CSA STAR Level 1
    NOT CONFIRMED

    No public evidence of CSA STAR Level 1 registration on Shutterstock's own domain; the only claim originates from a third-party aggregator (Nudge Security), which is not vendor-domain proof.

    source: shutterstock.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Not publicly documented for Amper Music or Shutterstock. Specific customer-data residency regions are not stated on the vendor's own domain.

    Shutterstock explicitly does not train its own generative AI models on customer data. The platform distinguishes between contributor-licensed content (which users can opt out of for AI training; ~1% have opted out) and customer data. Amper Music is built on proprietary sample libraries and composition algorithms. The Shutterstock platform uses C2PA/IPTC industry standards to label AI-generated vs. human-created content.

    // Security controls

    Encryption in Transit

    HTTPS (TLS) required for all API endpoints; base URL: https://api.shutterstock.com

    api-reference.shutterstock.com

    API Authentication

    OAuth 2.0 and API Key (Consumer Key/Secret) authentication; credentials should not be shared

    api-reference.shutterstock.com

    Enterprise Security Features

    SAML/SSO via Okta, Google, Microsoft integrations; security partners include Palo Alto Networks and OneTrust

    security-profiles.nudgesecurity.com

    AI Content Provenance

    C2PA/IPTC standards used to label AI-generated vs. human-created content to safeguard against deepfakes and disinformation

    investor.shutterstock.com

    // Products & data scope

    Amper Music Web PlatformAI Music Generation

    data: User-created music compositions, prompt inputs, account metadata; does NOT include customer data in AI training

    Browser-based AI music composition tool. Users input mood, genre, tempo, instrumentation; AI generates royalty-free original music. Integrated into Shutterstock ecosystem.

    Amper Music Mobile AppAI Music Generation

    data: Same as web platform; iOS and Android apps available. Published on Apple App Store and Google Play Store.

    Mobile version by Aliaksandr Tsvirko (per some sources as continuation of original Amper); enables offline composition.

    Amper Music APIAI Music Generation (API)

    data: API credentials, request logs, generated music metadata. No training on user-submitted compositions.

    Powers 10,000+ integrations. OAuth 2.0 / API Key auth. Subscription tiers: Free, Pro ($14.99/month), Enterprise (API + custom support).

    // What to watch

    • NO_VENDOR_DOMAIN_CERT_PROOF: Every certification claim originates solely from a third-party aggregator (Nudge Security), not from Shutterstock's own domain. Shutterstock's trust/security pages are not publicly accessible (403), so no certification could be verified on the vendor's own domain. All certs are recorded as held=false with 'no public evidence' wording pending direct vendor-domain proof (official SOC 2 / ISO 27001 attestation).
    • FEDRAMP_OVERCLAIM: FedRAMP was claimed but Shutterstock does not appear in the FedRAMP Marketplace (the public federal authorization registry). The aggregator claim is treated as a false positive.
    • HIPAA_OVERCLAIM: HIPAA was claimed but Shutterstock is a media licensing platform, not a healthcare covered entity or business associate. The aggregator claim is treated as a false positive; no BAA support is documented.
    • NO_PUBLIC_TRUST_CENTER: Shutterstock does not maintain a publicly accessible trust center or security page (has_trust_center=false). Certifications cannot be independently verified without requesting attestations directly from the vendor.
    • DATA_RESIDENCY_OPAQUE: Specific data storage regions for Amper Music customer data are not publicly documented. EU GDPR users should request a Data Processing Agreement with explicit residency terms.
    • AMPER_MUSIC_STATUS: The original standalone Amper Music platform is no longer offered as an independent service; capabilities were integrated into the Shutterstock ecosystem after the November 2020 acquisition. Any 'Amper Music' mobile app by a third-party developer is unrelated to Shutterstock and should not be attributed to this vendor.

    // At a glance

    Pricing model

    Freemium (limited free tier) + subscription tiers (Pro: $14.99/month) + Enterprise API licensing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Shutterstock, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    shutterstock.com

    > Browse all vendor trust reports