// Trust & Security Report
Deepgram, Inc.
Voice AI APIs and infrastructure for speech-to-text (Nova, Flux transcription models), text-to-speech (Speak), voice agents (Flux unified API), and audio intelligence. Supports real-time and batch processing, cloud and self-hosted deployment.
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on developers.deepgram.com“Deepgram has achieved SOC 2 Type 1 and Type 2 certification”
Verify on deepgram.com“Their six-month audit of Deepgram's security, availability, and confidentiality found no exceptions to the SOC 2 Type II industry standards as defined by the American Institute of Certified Public Accountants (AICPA).”
Verify on developers.deepgram.com“Deepgram qualifies as a Business Associate as defined by US HIPAA legislation and can provide Business Associate Agreements to customers who qualify as Covered Entities and provide electronic Protected Health Information (ePHI).”
Verify on deepgram.com“Deepgram is GDPR ready and provides information to customers to help them understand how features and functionality of the platform may affect their GDPR compliance obligations. We enter into data processing agreements with our customers which set out our obligations under the GDPR.”
Verify on deepgram.com“For California customers, Deepgram operates as a 'service provider' under the CCPA, processing personal information strictly for business purposes as defined by that law.”
Verify on developers.deepgram.com“Deepgram maintains PCI compliance with yearly reviews and independent audits for verification.”
Verify on developers.deepgram.com“Deepgram supports APP 8 requirements with an AU-specific endpoint (api.au.deepgram.com) running exclusively on Australian infrastructure.”
> Show 6 unconfirmed / not-held certifications
source: deepgram.comISO 27001 is mentioned in compliance context (e.g., credential rotation guidance) but no explicit certification claim found. Status unclear; appears to be alignment/readiness rather than held certification.
source: developers.deepgram.comNo public evidence of ISO 27017 certification on vendor domain.
source: developers.deepgram.comNo public evidence of ISO 27018 certification on vendor domain.
source: developers.deepgram.comNo public evidence of ISO 42001 certification on vendor domain.
source: developers.deepgram.comNo public evidence of CSA STAR certification on vendor domain.
source: developers.deepgram.comNo public evidence of FedRAMP certification on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multiple regions available: US (default), EU (api.eu.deepgram.com), Australia (api.au.deepgram.com)
Deepgram does NOT train on customer data by default. Default configuration is zero-retention after processing. Training only occurs through voluntary opt-in Model Improvement Partnership Program. Customers can opt out with mip_opt_out=true query parameter. Deepgram states: 'The only data we will store and use in future model training is the data that is contractually included through participation in the Deepgram Model Improvement Partnership Program.' Data is never redistributed to third parties without customer permission.
// Security controls
Encryption at rest
AES-256 encryption for sensitive data including PHI and PCI data
developers.deepgram.comAccess control
Role-based access control (RBAC) with two-factor authentication; least-privilege principle enforced during onboarding/offboarding
developers.deepgram.comApplication security
Hardened systems behind industry-standard firewalls with restricted ports; password hashing; vulnerability scanning before each production deployment
developers.deepgram.comIncident response
Detailed protocols including immediate password resets, customer notification, forensic investigation, and implementation of system improvements to prevent recurrence
developers.deepgram.comBusiness continuity
Daily backups; regular testing of business continuity plans
developers.deepgram.comTraining and compliance
Annual security training; HIPAA and PCI compliance maintained with independent audits
developers.deepgram.com// Products & data scope
data: Audio input; transcripts are output; supports real-time and batch processing; zero-retention by default unless customer opts in to Model Improvement Partnership Program
Includes Nova (general transcription) and Flux (multilingual conversational STT in 10 languages: English, Spanish, German, French, Hindi, Russian, Portuguese, Japanese, Italian, Dutch)
data: Text input; voice output; supports multiple voices and languages; no training on customer data
Product: 'Speak' - voice synthesis and generation
data: Audio input; text processing; voice output; supports real-time bi-directional conversations; unified orchestration of STT + LLM + TTS; zero-retention by default
Product: 'Flux Voice Agent' - unifies speech-to-text, LLM orchestration, and text-to-speech into a single API; reduces complexity, latency, and cost
data: Audio input; metadata and extracted insights as output; supports features like entity detection, topic extraction, summarization
Advanced audio processing and intelligence extraction
// What to watch
- ISO 27001 status unclear: mentioned in compliance documentation but no explicit certification claim found; may be alignment/readiness rather than held certification
- Deepgram offers self-hosted deployment which is significant for data sovereignty but requires customer infrastructure management and NVIDIA GPU resources
// At a glance
Pricing model
Pay-as-you-go metered usage with tiered enterprise plans available; discounted pricing available for Model Improvement Partnership Program participants
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Deepgram, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
developers.deepgram.com