// Trust & Security Report

    Deepgram, Inc. logo

    Deepgram, Inc.

    Voice AI APIs and infrastructure for speech-to-text (Nova, Flux transcription models), text-to-speech (Speak), voice agents (Flux unified API), and audio intelligence. Supports real-time and batch processing, cloud and self-hosted deployment.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Deepgram has achieved SOC 2 Type 1 and Type 2 certification

    Verify on developers.deepgram.com
    SOC 2 Type II
    HELD

    Their six-month audit of Deepgram's security, availability, and confidentiality found no exceptions to the SOC 2 Type II industry standards as defined by the American Institute of Certified Public Accountants (AICPA).

    Verify on deepgram.com
    HIPAA
    HELD

    Deepgram qualifies as a Business Associate as defined by US HIPAA legislation and can provide Business Associate Agreements to customers who qualify as Covered Entities and provide electronic Protected Health Information (ePHI).

    Verify on developers.deepgram.com
    GDPR
    HELD

    Deepgram is GDPR ready and provides information to customers to help them understand how features and functionality of the platform may affect their GDPR compliance obligations. We enter into data processing agreements with our customers which set out our obligations under the GDPR.

    Verify on deepgram.com
    CCPA
    HELD

    For California customers, Deepgram operates as a 'service provider' under the CCPA, processing personal information strictly for business purposes as defined by that law.

    Verify on deepgram.com
    PCI DSS
    HELD

    Deepgram maintains PCI compliance with yearly reviews and independent audits for verification.

    Verify on developers.deepgram.com
    APP 8 (Australian Privacy Principles)
    HELD

    Deepgram supports APP 8 requirements with an AU-specific endpoint (api.au.deepgram.com) running exclusively on Australian infrastructure.

    Verify on developers.deepgram.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    ISO 27001 is mentioned in compliance context (e.g., credential rotation guidance) but no explicit certification claim found. Status unclear; appears to be alignment/readiness rather than held certification.

    source: deepgram.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification on vendor domain.

    source: developers.deepgram.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification on vendor domain.

    source: developers.deepgram.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification on vendor domain.

    source: developers.deepgram.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification on vendor domain.

    source: developers.deepgram.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification on vendor domain.

    source: developers.deepgram.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multiple regions available: US (default), EU (api.eu.deepgram.com), Australia (api.au.deepgram.com)

    Deepgram does NOT train on customer data by default. Default configuration is zero-retention after processing. Training only occurs through voluntary opt-in Model Improvement Partnership Program. Customers can opt out with mip_opt_out=true query parameter. Deepgram states: 'The only data we will store and use in future model training is the data that is contractually included through participation in the Deepgram Model Improvement Partnership Program.' Data is never redistributed to third parties without customer permission.

    // Security controls

    Encryption in transit

    TLS 1.3 and industry-standard encryption protocols

    developers.deepgram.com

    Encryption at rest

    AES-256 encryption for sensitive data including PHI and PCI data

    developers.deepgram.com

    Access control

    Role-based access control (RBAC) with two-factor authentication; least-privilege principle enforced during onboarding/offboarding

    developers.deepgram.com

    Application security

    Hardened systems behind industry-standard firewalls with restricted ports; password hashing; vulnerability scanning before each production deployment

    developers.deepgram.com

    Physical security

    Robust physical data security and environmental controls

    developers.deepgram.com

    Incident response

    Detailed protocols including immediate password resets, customer notification, forensic investigation, and implementation of system improvements to prevent recurrence

    developers.deepgram.com

    Business continuity

    Daily backups; regular testing of business continuity plans

    developers.deepgram.com

    Training and compliance

    Annual security training; HIPAA and PCI compliance maintained with independent audits

    developers.deepgram.com

    // Products & data scope

    Speech-to-Text (STT)Transcription

    data: Audio input; transcripts are output; supports real-time and batch processing; zero-retention by default unless customer opts in to Model Improvement Partnership Program

    Includes Nova (general transcription) and Flux (multilingual conversational STT in 10 languages: English, Spanish, German, French, Hindi, Russian, Portuguese, Japanese, Italian, Dutch)

    Text-to-Speech (TTS)Voice synthesis

    data: Text input; voice output; supports multiple voices and languages; no training on customer data

    Product: 'Speak' - voice synthesis and generation

    Voice Agent APIConversational AI

    data: Audio input; text processing; voice output; supports real-time bi-directional conversations; unified orchestration of STT + LLM + TTS; zero-retention by default

    Product: 'Flux Voice Agent' - unifies speech-to-text, LLM orchestration, and text-to-speech into a single API; reduces complexity, latency, and cost

    Audio IntelligenceAudio analysis

    data: Audio input; metadata and extracted insights as output; supports features like entity detection, topic extraction, summarization

    Advanced audio processing and intelligence extraction

    // What to watch

    • ISO 27001 status unclear: mentioned in compliance documentation but no explicit certification claim found; may be alignment/readiness rather than held certification
    • Deepgram offers self-hosted deployment which is significant for data sovereignty but requires customer infrastructure management and NVIDIA GPU resources

    // At a glance

    Pricing model

    Pay-as-you-go metered usage with tiered enterprise plans available; discounted pricing available for Model Improvement Partnership Program participants

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Deepgram, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    developers.deepgram.com

    > Browse all vendor trust reports