// Trust & Security Report

    ElevenLabs (Eleven Labs, Inc. / Eleven Labs Ltd. UK) logo

    ElevenLabs (Eleven Labs, Inc. / Eleven Labs Ltd. UK)

    Audio AI platform: ElevenCreative (TTS, voice cloning, music, dubbing, SFX, STT), ElevenAgents (conversational voice/chat agents), ElevenAPI (developer APIs)

    Certifications held

    20

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 ... Audit Reports: 2025 SOC 2 Type 2 + HIPAA Report Final.pdf

    Verify on compliance.elevenlabs.io
    SOC 3
    HELD

    Audit Reports: 2025 SOC 3 Report Final.pdf

    Verify on compliance.elevenlabs.io
    ISO/IEC 27001:2022
    HELD

    ISO 27001:2022 ... Certificates: ISO 27001/17/18 - ISMS Certificate - ElevenLabs.pdf

    Verify on compliance.elevenlabs.io
    ISO/IEC 27017:2015
    HELD

    ISO 27017:2015 ... ISO 27001/17/18 - ISMS Certificate - ElevenLabs.pdf

    Verify on compliance.elevenlabs.io
    ISO/IEC 27018:2019
    HELD

    ISO 27018:2019 ... ISO 27001/17/18 - ISMS Certificate - ElevenLabs.pdf

    Verify on compliance.elevenlabs.io
    ISO/IEC 27701:2019 (Privacy Information Management)
    HELD

    ElevenLabs has officially achieved ISO 27701 (Privacy Information Management) and ISO 42001 (AI Management Systems) certifications ... ISO 27701 - PIMS Certificate - Eleven Labs.pdf

    Verify on compliance.elevenlabs.io
    ISO/IEC 42001:2023 (AI Management Systems)
    HELD

    ISO/IEC 42001:2023 ... ISO 42001 - AIMS Certificate - Eleven Labs.pdf

    Verify on compliance.elevenlabs.io
    PCI DSS 4.0.1 Level 1
    HELD

    PCI DSS 4.0.1 Level 1

    Verify on compliance.elevenlabs.io
    CSA STAR Level 1
    HELD

    CSA STAR L1 ... Questionnaires: CAIQv4.0.3_CSA_STAR_L1-Security-Questionnaire.xlsx

    Verify on compliance.elevenlabs.io
    HIPAA
    HELD

    HIPAA ... HIPAA Whitepaper - ElevenLabs v1.2.pdf; 2025 SOC 2 Type 2 + HIPAA Report Final.pdf

    Verify on compliance.elevenlabs.io
    HDS (Hebergeur de Donnees de Sante)
    HELD

    Our Agents and API platforms are now HDS certified - the French standard required for hosting and processing personal health data ... the HDS (Hebergeur de Donnees de Sante) certification by Schellman

    Verify on compliance.elevenlabs.io
    AIUC-1 (AI vendor assurance)
    HELD

    AIUC-1 ... AIUC-1 Audit Report for ElevenLabs Docs Agent.pdf

    Verify on compliance.elevenlabs.io
    UK Cyber Essentials Plus
    HELD

    UK Cyber Essentials Plus ... Cyber Essentials Plus Certificate 2025.pdf

    Verify on compliance.elevenlabs.io
    TX-RAMP Level 2
    HELD

    TX-RAMP Level 2

    Verify on compliance.elevenlabs.io
    NHS DSPT (Data Security and Protection Toolkit)
    HELD

    NHS DSPT

    Verify on compliance.elevenlabs.io
    GDPR
    HELD

    GDPR ... Legal: GDPR Compliance Report.pdf

    Verify on compliance.elevenlabs.io
    CCPA / CPRA
    HELD

    CCPA COMPLIANT ... CCPA CPRA

    Verify on compliance.elevenlabs.io
    LGPD (Brazil) alignment
    HELD

    ElevenLabs is pleased to announce the successful completion of an independent audit against the requirements of the Brazilian General Data Protection Law (LGPD) ... confirmed by Insight Assurance

    Verify on compliance.elevenlabs.io
    DORA / EU AI Act alignment
    HELD

    DORA ... EU AI ACT (listed under the compliance frameworks ElevenLabs aligns to)

    Verify on compliance.elevenlabs.io
    EcoVadis (sustainability)
    HELD

    EcoVadis Committed (listed as 'Committed' status, not a full medal rating; not a security/privacy certification)

    Verify on compliance.elevenlabs.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Non-Enterprise: US, EU, or Singapore (latency/performance). Enterprise: customer-selectable hosting location (subject to availability). India Data Residency available via Azure. Subprocessors: Google Cloud, AWS, Azure.

    Consumer/free/self-serve users: ElevenLabs DOES use Personal Data to train models by default and provides an opt-out. Privacy Policy: 'We may process your Personal Data to research, develop, train and/or otherwise improve our AI models' and 'You may opt out of our use of your Personal Data for training at any time by navigating to the Data use menu in the Terms and Privacy section of your ElevenLabs account' (opt-out applies prospectively only). Enterprise/business customers: the consumer Privacy Policy does NOT apply ('This Policy does not apply when we offer our Services and process Personal Data on behalf of enterprise/business customers'); processing is governed by the DPA, ElevenLabs does not train on enterprise customer content beyond providing the service, and third-party LLM subprocessors are contractually prohibited from training on customer content whether or not Zero Retention Mode is enabled. Zero Retention Mode (Enterprise, per-product/per-agent) deletes request/response data immediately and logs no PII, aimed at healthcare/banking. Voice data retained no longer than 3 years after last interaction.

    // Security controls

    Encryption in transit

    Yes - 'Data transmission encrypted' control listed under Product security

    compliance.elevenlabs.io

    Encryption / key management

    Yes - 'Encryption key access restricted' and 'Unique production database authentication enforced' under Infrastructure security

    compliance.elevenlabs.io

    Penetration testing

    Yes - external pentest reports available: WebApp & API Penetration Testing Report v3.0, Internal Network Penetration Testing Report v1.0, Mobile App Pentest (Apr 2026)

    compliance.elevenlabs.io

    Bug bounty / vulnerability disclosure

    Vulnerability Disclosure Program via security.txt (vulnerability_disclosure_program@elevenlabs.io). No public HackerOne/Bugcrowd program and no cash-based rewards offered at this time.

    elevenlabs.io

    Vulnerability monitoring

    Yes - 'Vulnerability and system monitoring procedures established' under Product security

    compliance.elevenlabs.io

    Background checks

    Yes - 'Employee background checks performed' under Organizational security

    compliance.elevenlabs.io

    BC/DR

    Yes - 'Continuity and Disaster Recovery plans established' and 'tested'

    compliance.elevenlabs.io

    Security contact

    security-assurance@elevenlabs.io (trust center) and a Security Whitepaper v1.6 are published

    compliance.elevenlabs.io

    // Products & data scope

    ElevenCreativeContent creation (Text to Speech, Voice Cloning, Music, Dubbing, Sound Effects, Speech to Text, Studio, image/video)

    data: User-supplied text, audio and voice samples; consumer/self-serve data may be used for model training by default (opt-out available). Voice/biometric data retained up to 3 years.

    Voice cloning processes biometric voice data. Consumer plans fall under the consumer Privacy Policy with training opt-out.

    ElevenAgentsConversational voice/chat agents (phone, chat, email, WhatsApp) with workflows, guardrails, analytics

    data: Call/chat transcripts and PII flow through agents and underlying LLMs (Gemini/Anthropic via Vertex AI; Azure for India residency). HDS-certified for health data when used with EU residency + Zero Retention. Zero Retention Mode deletes data and logs no PII.

    Most compliance-sensitive product. Enterprise can pin data region and enable per-agent Zero Retention Mode; LLM subprocessors barred from training on customer content.

    ElevenAPIDeveloper APIs (TTS, STT/Scribe, Dubbing, SFX, Music, Agents)

    data: Programmatic data per the API agreement and DPA. Enterprise Zero Retention Mode available; non-enterprise processed in US/EU/Singapore.

    Music model trained on licensed data and marketed as commercial-safe.

    ElevenLabs for GovernmentPublic sector deployment

    data: Government-grade deployment; TX-RAMP Level 2 and NHS DSPT alignment support public-sector use.

    Announced Feb 2026; targets compliance-restricted government workloads.

    // What to watch

    • Trains on consumer/self-serve user data by default; opt-out is prospective only (does not unwind prior training). Enterprise data is excluded from training under the DPA.
    • Voice cloning processes biometric data (retained up to 3 years) - relevant to BIPA/biometric privacy laws.
    • No public bug bounty (HackerOne/Bugcrowd) and no cash rewards; vulnerability disclosure is email-based via security.txt.
    • Not self-hostable; data flows through third-party LLM subprocessors (Google/Anthropic via Vertex AI, Azure) though they are contractually barred from training on customer content.
    • Strong compliance posture concentrated in Enterprise tier; consumer/free tier has materially weaker data-use protections (default training).

    // At a glance

    Pricing model

    Freemium + tiered subscription (Free, Starter, Creator, Pro, Scale, Business) plus usage-based API and custom Enterprise contracts

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ElevenLabs (Eleven Labs, Inc. / Eleven Labs Ltd. UK)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    compliance.elevenlabs.io

    > Browse all vendor trust reports