// Trust & Security Report
Murf Inc. (with Indian subsidiary Murf Software Solutions Private Limited, referred to together as "Murf Group")
AI voice platform: Murf Studio (voiceover/content creation with 200+ voices, voice cloning, custom pronunciation), Murf API / Murf Falcon (low-latency text-to-speech for real-time voice agents), Murf Dubbing (AI video/audio translation and localization), and Murf AI Voice Agents (conversational agents for customer service, sales, receptionist, IT helpdesk use cases)
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on murf.ai“Murf has successfully completed a SOC 2 Type II audit with no exceptions”
Verify on murf.ai“ISO/IEC 27001 is the leading international standard for information security management. Murf is ISO 27001 certified”
Verify on murf.ai“ISO/IEC 42001:2023 is the first global standard for Artificial Intelligence Management Systems (AIMS). Murf's ISO 42001 certification reflects our commitment to building and managing AI responsibly”
Verify on murf.ai“Murf Group is a data controller and processor for the purposes of the GDPR and with your consent, Murf Group is able to process your personal information”
Verify on murf.ai“We are ISO 42001, ISO 27001, SOC 2 Type II, CCPA and GDPR compliant, and we undergo regular third-party audits”
Verify on murf.ai“Murf's Privacy Policy follows the EU-U.S. Data Privacy Framework (DPF) Principles ... This is a significant milestone in our ongoing commitment to safeguarding personal information.”
Verify on murf.ai“If you have a Business or Enterprise subscription and intend to use our HIPAA Compliant Services, you can access our Business Associate Agreement (BAA)”
> Show 4 unconfirmed / not-held certifications
source: murf.aiNo public evidence that Murf itself is PCI DSS certified. Payment processing is handled by Stripe (listed as a sub-processor); PCI DSS compliance for card data belongs to Stripe as the payment processor, not to Murf.
source: murf.aiNo public evidence; the security page lists only ISO 27001 and ISO 42001 as ISO certifications held.
source: murf.aiNo public evidence; Murf's trust materials target commercial/enterprise SaaS buyers, with no mention of FedRAMP or U.S. federal authorization.
source: murf.aiNo public evidence of CSA STAR registration or certification on Murf's trust/security pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
General platform data: AWS US-East-2 (Ohio), described as the sole storage/backup region ('all operational and backup storage remains within this region'). The real-time voice API product, Murf Falcon, separately supports multi-region low-latency endpoints in 11 geographies (US East & West, Canada, UK, Germany, Japan, India, UAE, South Korea, Australia, Brazil) with full regional access for Enterprise and limited-concurrency trial access on Free/Pay-as-you-go tiers -- data residency therefore varies by product and should be confirmed per use case.
For contracted Business/Enterprise customers, the Master Service Agreement explicitly excludes customer data from model training: 'Use of Customer Data expressly excludes training of Provider's AI models or any other AI models used in providing the Service' (https://murf.ai/legal/master-service-agreement). The general consumer Privacy Policy and Terms of Service do not contain an equivalent explicit no-training clause, so the protection is clearest for contracted customers; free/self-serve users should be treated as an open question pending direct confirmation. Voice Cloning is a distinct, consent-gated feature: users must have 'explicit written consent of any third-party Consenting Speakers' before submitting audio to create a Cloning Voice, and access to the resulting cloned voice is restricted to the account holder and explicitly shared users. Separately, Murf also sources third-party voice-actor recordings (with consent/royalties) to train its own base Falcon/Gen2 models -- this is base-model training on licensed data, not on customer-submitted content. The sub-processor list separately notes that OpenAI (used for translation) 'will not use the data for any training of the LLM models,' a restriction stated only for that one sub-processor.
// Security controls
Encryption in transit
TLS 1.2 - 'All data transmitted between systems is encrypted in transit using TLS 1.2'
murf.aiEncryption at rest
AES-256 on AWS - 'All stored customer data is encrypted on AWS using AES-256'
murf.aiData residency (default)
AWS US-East-2 (Ohio); Murf Falcon (voice agent API) additionally offers 11 regional endpoints
murf.aiSub-processors
~20 disclosed sub-processors including AWS, Google Cloud, Microsoft Azure, IBM Cloud, Lambda Labs, AssemblyAI, OpenAI, Stripe, Atlassian, HubSpot, Mixpanel, Zoom, Calendly; India-based affiliate Murf Software Solutions Pvt. Ltd. processes data under Standard Contractual Clauses
murf.aiData retention / deletion
Personal information retained while the account is open or as needed to provide the Service; account/project/media/text data permanently deleted within 30 days of account termination (subject to legal, fraud-prevention, and dispute-resolution exceptions)
murf.aiHIPAA / BAA availability
Business Associate Agreement available on request, scoped to Business/Enterprise subscriptions using the Text to Speech API specifically (not confirmed platform-wide)
murf.aiVoice cloning consent control
Requires explicit written consent of the 'Consenting Speaker' before audio can be used to create a Cloning Voice; access to a cloned voice limited to the account holder and users it is explicitly shared with
murf.aiData Processing Agreement (standalone)
No standalone, publicly linked GDPR Data Processing Addendum document was found; data protection obligations appear via the Master Service Agreement and GDPR policy rather than a dedicated DPA artifact. Likely available on request for Enterprise contracts but unconfirmed.
murf.ai// Products & data scope
data: User-uploaded scripts and generated audio; supports voice cloning with consent controls
Consumer through team/business self-serve product; integrates with Canva, PowerPoint, Google Slides, Captivate
data: Programmatic text/audio streamed through the API; supports multi-region processing (11 geographies) for latency, with region access gated by plan tier
Marketed on 130ms end-to-end latency; separate data-residency profile from the rest of the platform
data: Uploaded video/audio content translated across 40+ languages
Served from a distinct portal (dub.murf.ai) per public documentation
data: Call/interaction data processed through voice agent workflows built on Falcon
Positioned as the enterprise automation use case; likely carries the most customer-PII exposure of the product family
// What to watch
- Homepage marketing states 'Enterprise-Grade Security... SOC 2, ISO 27001, GDPR, and HIPAA compliance' as a blanket claim; verification shows HIPAA is explicitly scoped to Business/Enterprise subscriptions using the Text to Speech API, not the whole platform -- listing should reflect the scoped reality, not the blanket homepage phrasing.
- No-training-on-customer-data commitment is explicit and contractual for Business/Enterprise customers (Master Service Agreement) but the general consumer Privacy Policy/Terms of Service carry no equivalent explicit clause, leaving free/self-serve tier data-use protection less clearly documented.
- Data residency differs materially by product: general platform data is fixed to AWS US-East-2 (Ohio), while the Murf Falcon voice-agent API supports 11 regions -- a buyer evaluating data residency needs to confirm which product they are using, not just read the top-level security page.
- No standalone public Data Processing Addendum (DPA) document was located; GDPR/data-protection commitments are embedded in the GDPR policy and Master Service Agreement rather than a dedicated DPA artifact obtainable pre-contract.
- PCI DSS is not held by Murf directly; card payments flow through Stripe as a sub-processor, so any PCI assurance is Stripe's, not Murf's -- flagged to avoid host/processor-vs-vendor conflation.
// At a glance
Pricing model
Freemium plus tiered subscriptions (Free/Creator/Business/Enterprise for Studio) and usage-based API pricing (marketed from 1 cent per minute for Falcon); custom Enterprise contracts via sales
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Murf Inc. (with Indian subsidiary Murf Software Solutions Private Limited, referred to together as "Murf Group")'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
murf.ai