// Trust & Security Report

    Sigmoid Creativity SRL (d/b/a Cleanvoice AI), Bucharest, Romania logo

    Sigmoid Creativity SRL (d/b/a Cleanvoice AI), Bucharest, Romania

    AI podcast/audio + video editor (filler-word, noise, silence, mouth-sound removal, transcription, summaries) offered as a web app and as an editing API; on-premise deployment available on request

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    Marketing self-attestation only, no verifiable certificate. Home page: 'Compliance with GDPR. Data stored in EU. ISO 27001 Certified.' Developers page shows badges 'ISO 27001 / GDPR / AUDITED / ON-PREMISE ON REQUEST' alongside 'DPA, SLA and on request even on premise deployment.' No certificate number, accredited certification body, scope/Statement of Applicability, or third-party trust-center listing was located, so the claim cannot be confirmed.

    Verify on cleanvoice.ai
    GDPR (compliance posture, not a certification)
    HELD

    Compliance with GDPR. Data stored in EU. A full Data Processing Agreement (Sigmoid Creativity SRL) is published referencing Regulation (EU) 2016/679 (GDPR), 72-hour breach notice, subprocessor list, and Article 32 security measures.

    Verify on cleanvoice.ai
    > Show 2 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No SOC 2 Type I/II report, attestation, or mention found on the vendor's site or trust materials.

    source: cleanvoice.ai
    HIPAA
    NOT CONFIRMED

    The Site is not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use this Site.

    source: cleanvoice.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU. Files auto-delete after 7 days by default (or when the job finishes). DPA subprocessors: DigitalOcean (data location Germany), Hetzner (Germany), Cloudflare (US-headquartered CDN/edge). DPA Clause 11 permits transfer outside EU/EEA 'as necessary to provide the Services' under valid transfer mechanisms.

    Vendor states it does not train on customer content: 'We record our own dataset in professional studios' and 'No training on your data.' (developers page). This concerns uploaded audio/video processed under the DPA. Separately, the Terms grant a broad license over user 'Contributions' posted to community/review areas of the Site (reviews, forum posts) - that license is unrelated to processing of uploaded media files governed by the DPA, but procurement should note the distinction.

    // Security controls

    Data residency

    Servers and GPU located in the EU; primary storage/compute on DigitalOcean and Hetzner in Germany

    cleanvoice.ai

    Encryption

    DPA Annex 2 commits to pseudonymization and encryption of personal data, protection in transit and at rest. No specific cipher/key-management detail published.

    cleanvoice.ai

    Data retention / deletion

    Files auto-delete after 7 days by default, or immediately when the job finishes; API allows earlier manual deletion. DPA: deletion within 14 business days of contract cessation.

    cleanvoice.ai

    Breach notification

    Notify client without undue delay, no later than 72 hours after becoming aware of a personal data breach.

    cleanvoice.ai

    Audit rights

    DPA grants client audit/inspection rights (with reasonable notice) to verify compliance.

    cleanvoice.ai

    Penetration testing

    unknown - no published pentest report or summary found

    cleanvoice.ai

    Bug bounty / VDP

    none found - no HackerOne, Bugcrowd, or self-hosted security.txt / responsible-disclosure program located

    cleanvoice.ai

    SLA

    Published Service Level Agreement with uptime SLA for API/enterprise customers

    cleanvoice.ai

    // Products & data scope

    Cleanvoice Web AppConsumer/prosumer podcast + video editor

    data: User uploads audio/video; processed in EU; files auto-delete after 7 days or on job completion. Free tier (30 min, no signup/credit card). Not for HIPAA/FISMA/GLBA-regulated content per ToC; 18+ only.

    Loved by 15,000+ podcasters. Try-without-signup option.

    Cleanvoice APIDeveloper / business editing API

    data: Batch and at-scale editing for companies; DPA positions Cleanvoice as Processor or Subprocessor depending on client capacity; same EU hosting and 7-day retention; programmatic deletion available.

    30+ brands use the API. SLA available.

    On-premise / enterprise deploymentSelf-hosted enterprise option

    data: On-request on-premise deployment keeps data within the customer's own environment; strongest data-control posture.

    Advertised on developers page as available on request; terms/scope negotiated individually.

    // What to watch

    • ISO 27001 is self-attested on marketing and developer pages and is recorded here as 'unknown' (held status unverified). No certificate number, accredited certification body, scope/Statement of Applicability, or third-party trust-center listing was found. Treat as a vendor claim pending evidence.
    • Wording discrepancy: the home page says 'ISO 27001 Certified' while the developers page renders badges reading 'ISO 27001 / GDPR / AUDITED'. 'Certified' and 'Audited' are both unverified marketing labels and are materially different claims - request the actual certificate and the audit attestation during procurement.
    • No SOC 2 report, no published penetration test, and no bug-bounty / responsible-disclosure program found. A third-party app-aggregator profile (Nudge Security) lists Cleanvoice as 'SOC 2 / ISO 27001 / FedRAMP / CSA STAR' compliant, but those entries appear auto-generated and are contradicted by the vendor's own materials (which claim only ISO 27001 + GDPR and whose Terms exclude FISMA-regulated use); do not rely on the aggregator listing.
    • Privacy policy is hosted on a third-party portal (app.privasee.io), not on cleanvoice.ai's own domain; only Terms and the DPA live on the vendor domain.
    • ToC explicitly excludes HIPAA/FISMA/GLBA use cases - not suitable for regulated health/financial audio.
    • DPA Clause 11 allows transfers outside the EU/EEA 'as necessary'; Cloudflare (US) is a listed subprocessor, so 'EU-only' marketing should be verified against actual data flows for strict-residency buyers.
    • Broad perpetual content license over user 'Contributions' (reviews/community posts) in the ToC - separate from uploaded-media processing, but worth noting.

    // At a glance

    Pricing model

    Freemium subscription (credit-based; free 30 min tier, paid plans, usage-based API; billed in EUR)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sigmoid Creativity SRL (d/b/a Cleanvoice AI), Bucharest, Romania's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    app.privasee.io

    > Browse all vendor trust reports