// Trust & Security Report
Sigmoid Creativity SRL (d/b/a Cleanvoice AI), Bucharest, Romania
AI podcast/audio + video editor (filler-word, noise, silence, mouth-sound removal, transcription, summaries) offered as a web app and as an editing API; on-premise deployment available on request
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on cleanvoice.ai“Marketing self-attestation only, no verifiable certificate. Home page: 'Compliance with GDPR. Data stored in EU. ISO 27001 Certified.' Developers page shows badges 'ISO 27001 / GDPR / AUDITED / ON-PREMISE ON REQUEST' alongside 'DPA, SLA and on request even on premise deployment.' No certificate number, accredited certification body, scope/Statement of Applicability, or third-party trust-center listing was located, so the claim cannot be confirmed.”
Verify on cleanvoice.ai“Compliance with GDPR. Data stored in EU. A full Data Processing Agreement (Sigmoid Creativity SRL) is published referencing Regulation (EU) 2016/679 (GDPR), 72-hour breach notice, subprocessor list, and Article 32 security measures.”
> Show 2 unconfirmed / not-held certifications
source: cleanvoice.aiNo SOC 2 Type I/II report, attestation, or mention found on the vendor's site or trust materials.
source: cleanvoice.aiThe Site is not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use this Site.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU. Files auto-delete after 7 days by default (or when the job finishes). DPA subprocessors: DigitalOcean (data location Germany), Hetzner (Germany), Cloudflare (US-headquartered CDN/edge). DPA Clause 11 permits transfer outside EU/EEA 'as necessary to provide the Services' under valid transfer mechanisms.
Vendor states it does not train on customer content: 'We record our own dataset in professional studios' and 'No training on your data.' (developers page). This concerns uploaded audio/video processed under the DPA. Separately, the Terms grant a broad license over user 'Contributions' posted to community/review areas of the Site (reviews, forum posts) - that license is unrelated to processing of uploaded media files governed by the DPA, but procurement should note the distinction.
// Security controls
Data residency
Servers and GPU located in the EU; primary storage/compute on DigitalOcean and Hetzner in Germany
cleanvoice.aiEncryption
DPA Annex 2 commits to pseudonymization and encryption of personal data, protection in transit and at rest. No specific cipher/key-management detail published.
cleanvoice.aiData retention / deletion
Files auto-delete after 7 days by default, or immediately when the job finishes; API allows earlier manual deletion. DPA: deletion within 14 business days of contract cessation.
cleanvoice.aiBreach notification
Notify client without undue delay, no later than 72 hours after becoming aware of a personal data breach.
cleanvoice.aiAudit rights
DPA grants client audit/inspection rights (with reasonable notice) to verify compliance.
cleanvoice.aiBug bounty / VDP
none found - no HackerOne, Bugcrowd, or self-hosted security.txt / responsible-disclosure program located
cleanvoice.ai// Products & data scope
data: User uploads audio/video; processed in EU; files auto-delete after 7 days or on job completion. Free tier (30 min, no signup/credit card). Not for HIPAA/FISMA/GLBA-regulated content per ToC; 18+ only.
Loved by 15,000+ podcasters. Try-without-signup option.
data: Batch and at-scale editing for companies; DPA positions Cleanvoice as Processor or Subprocessor depending on client capacity; same EU hosting and 7-day retention; programmatic deletion available.
30+ brands use the API. SLA available.
data: On-request on-premise deployment keeps data within the customer's own environment; strongest data-control posture.
Advertised on developers page as available on request; terms/scope negotiated individually.
// What to watch
- ISO 27001 is self-attested on marketing and developer pages and is recorded here as 'unknown' (held status unverified). No certificate number, accredited certification body, scope/Statement of Applicability, or third-party trust-center listing was found. Treat as a vendor claim pending evidence.
- Wording discrepancy: the home page says 'ISO 27001 Certified' while the developers page renders badges reading 'ISO 27001 / GDPR / AUDITED'. 'Certified' and 'Audited' are both unverified marketing labels and are materially different claims - request the actual certificate and the audit attestation during procurement.
- No SOC 2 report, no published penetration test, and no bug-bounty / responsible-disclosure program found. A third-party app-aggregator profile (Nudge Security) lists Cleanvoice as 'SOC 2 / ISO 27001 / FedRAMP / CSA STAR' compliant, but those entries appear auto-generated and are contradicted by the vendor's own materials (which claim only ISO 27001 + GDPR and whose Terms exclude FISMA-regulated use); do not rely on the aggregator listing.
- Privacy policy is hosted on a third-party portal (app.privasee.io), not on cleanvoice.ai's own domain; only Terms and the DPA live on the vendor domain.
- ToC explicitly excludes HIPAA/FISMA/GLBA use cases - not suitable for regulated health/financial audio.
- DPA Clause 11 allows transfers outside the EU/EEA 'as necessary'; Cloudflare (US) is a listed subprocessor, so 'EU-only' marketing should be verified against actual data flows for strict-residency buyers.
- Broad perpetual content license over user 'Contributions' (reviews/community posts) in the ToC - separate from uploaded-media processing, but worth noting.
// At a glance
Pricing model
Freemium subscription (credit-based; free 30 min tier, paid plans, usage-based API; billed in EUR)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sigmoid Creativity SRL (d/b/a Cleanvoice AI), Bucharest, Romania's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
app.privasee.io