// Trust & Security Report
Descript, Inc.
AI video and podcast editing platform with text-based editing, transcription, and generative AI features (Underlord agentic editor, Lyrebird voice cloning)
Certifications held
3
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on descript.com“We have achieved SOC 2 Type II compliance by going through a Certified Public Accounting firm and auditing our internal measures and controls against the SOC 2 standards.”
Verify on descript.com“We align with SOC 2 standards and guidelines, as well as GDPR, CCPA, and the Privacy by Design framework.”
Verify on descript.com“We align with SOC 2 standards and guidelines, as well as GDPR, CCPA, and the Privacy by Design framework.”
> Show 4 unconfirmed / not-held certifications
source: descript.comNo public evidence on Descript's official security page or trust center; claimed by third-party Nudge Security but unverified
source: descript.comNo mention on official Descript security page or trust center; claimed by third-party Nudge Security without vendor-domain proof
source: descript.comNo public evidence on Descript's official pages or FedRAMP marketplace
source: descript.comNo public evidence on Descript's official pages or CSA STAR registry
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States
Production AI models do NOT use customer data. R&D models only use data from opt-in users. Customer projects can be used to improve the service by default, but users can opt out via 'Share Data with Descript' setting. AI voice training audio may be used, but disassociated from accounts before research use. Third-party vendors prohibited from using Descript inputs/outputs for their own model training. Google Workspace data is explicitly NOT used for AI training.
// Security controls
Employee Access Control
Multi-factor authentication (MFA) required for access to sensitive systems and data
descript.comVulnerability Management
Continuous vulnerability scanning and formal remediation processes
descript.com// Products & data scope
data: 1 media hour/month; 100 AI credits/month; 720p export with watermark
Entry-level tier with limited AI features and media processing
data: 30 media hours/month (plus 5 bonus); 800 AI credits/month (plus 500 bonus); 4K export watermark-free; full Underlord access
Most popular tier for content creators with advanced AI tools
data: 10 media hours/month; 400 AI credits/month; 1080p export watermark-free
Mid-tier option with full Underlord and AI speech access
data: Custom media hours and AI credits; advanced admin controls; SSO/SCIM; security review
Customized for large organizations with compliance requirements; SOC 2 Type II included
data: Included with Creator and Enterprise tiers; limited access on Free tier
Agentic video editor that writes scripts, applies designs, generates video; available to paying tiers
data: Voice cloning with 3 minutes of training audio (Overdub 3.0); stock voices available
AI voice synthesis technology integrated into Descript; training audio disassociated before research use
// What to watch
- OVER-CLAIM DETECTED: Third-party vendor Nudge Security lists ISO 27001, HIPAA, FedRAMP, and CSA STAR as Descript certifications, but these are NOT found on Descript's official security page (https://www.descript.com/security) or trust center (https://descript.securitypal.com/). Likely unverified self-reported claims not backed by independent audit.
- AI TRAINING DEFAULT: By default, Descript uses customer projects to improve their service. Users must actively opt out via 'Share Data with Descript' setting. This is opt-out rather than opt-in, which some enterprises may find concerning.
- NO ISO 27001: Despite third-party claims, no evidence of ISO 27001 certification on vendor-controlled pages. SOC 2 Type II is the verified information security standard claim.
- NO HIPAA: Descript does not claim HIPAA compliance on official pages. Not suitable for PHI-regulated workflows without further vendor confirmation.
- DATA RESIDENCY LIMITED: All data stored in US (S3/Google Cloud); no EU data residency option mentioned despite GDPR alignment claim.
- VOICE TRAINING: Lyrebird voice training data may be used for improvement after disassociation from user accounts, but the exact retention and use policies could be clearer in privacy documentation.
// At a glance
Pricing model
Freemium with monthly subscription tiers (Free, Hobbyist $16-24/mo, Creator $24-35/mo, Enterprise custom)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Descript, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
descript.securitypal.com