// Trust & Security Report

    Podcastle Inc. (doing business as Async) logo

    Podcastle Inc. (doing business as Async)

    AI creative-content suite for video/podcast/audio editing (Async Creator: video editing, podcast recording, voiceover generation, translation & dubbing, thumbnail generation) plus a separate developer-facing Async Voice API (text-to-speech, instant voice cloning). Podcastle.ai now 308-redirects permanently to async.com; this is a rebrand of the same legal entity, not a different company.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    "SOC2 certified" (listed under a "Security & compliance" bullet list on the pricing page); "Advanced security and compliance features" for the Business tier including "SOC2 certification" (Help Center article); "SOC 2 compliant infrastructure" (Async Voice API page). Self-reported across three vendor-owned pages, but no auditor name, report date, report type (I/II), or downloadable documentation, and no public trust center to request evidence.

    Verify on async.com
    GDPR (compliance posture)
    HELD

    "GDPR compliant" (pricing page bullet). Privacy Policy separately details GDPR data-subject rights: "Request access to Your Personal Data," "Request erasure of Your Personal Data," "Request the transfer of Your Personal Data," right to withdraw consent, and right to lodge a complaint with a supervisory authority. GDPR has no formal 'certification'; this is graded as a self-declared compliance posture backed by consistent policy language, not an audited certificate.

    Verify on async.com
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not mentioned on the pricing page, privacy policy, terms of service, Voice API page, or anywhere else on async.com/podcastle.ai. A third-party aggregator (Nudge Security) lists Podcastle as 'ISO 27001 Compliant' but that claim is not on the vendor's own domain and could not be corroborated; the only ISO/SOC mention actually found in vendor-owned text belongs to a marketing subprocessor (Braze), not Async itself.

    source: async.com
    HIPAA
    NOT CONFIRMED

    No public evidence on any vendor-owned page. Privacy policy and terms make no mention of HIPAA, BAAs, or PHI handling; the product is a general-purpose consumer/creator audio-video tool, not marketed for healthcare use.

    source: async.com
    PCI DSS
    NOT CONFIRMED

    Privacy Policy states payment is handled by third-party processors and that 'PCI-DSS requirements help ensure the secure handling of payment information' - this describes the payment PROCESSOR's compliance obligation, not an Async-held PCI certification. Held=false for the vendor itself; flagged as a host/subprocessor-vs-vendor conflation risk.

    source: async.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on any vendor-owned page. A third-party aggregator (Nudge Security) lists 'FedRamp Compliant' for Podcastle but this is not corroborated anywhere on async.com or podcastle.ai and is not admissible as vendor-domain proof; FedRAMP authorization is a formal, publicly listed government process and no async.com/Podcastle listing was found on marketplace.fedramp.gov.

    CSA STAR
    NOT CONFIRMED

    No public evidence on any vendor-owned page. A third-party aggregator (Nudge Security) lists 'CSA Star Level 1 Compliant' for Podcastle but this could not be corroborated on the CSA STAR public registry or on async.com/podcastle.ai.

    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not mentioned anywhere on async.com or podcastle.ai.

    CSA STAR for AI / AI governance frameworks
    NOT CONFIRMED

    No public evidence. Not mentioned anywhere on async.com or podcastle.ai.

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Not publicly committed. Privacy Policy states data 'is processed at the Company's operating offices and in any other places where the parties involved in the processing are located,' implying international transfers with no specific data-residency guarantee. Legal entity (Podcastle Inc.) is Delaware-incorporated, US.

    Differs by product. Creative Suite (async.com consumer/team product): Terms of Service grant Async a 'perpetual, worldwide, royalty-free, sub-licensable, irrevocable' right to use user input/output 'for research and development, and to improve our services'; Privacy Policy separately states voice data may be used 'to improve our AI models' but that this requires 'separate explicit consent' beyond basic voice-cloning consent, and users can 'disable voice cloning features while maintaining access to other Services.' Voice biometric data (voiceprints) is stated to be used only for research/training, not ads/marketing, and is retained indefinitely unless deletion is requested (Illinois BIPA carve-out: destroyed within 3 years of last interaction or 1 year post account termination). Separately, the Async Voice API developer product markets a 'privacy-first data policy that keeps your content out of model training' - the opposite default from the consumer product. This tier-level contradiction (broad R&D license by default on Creative Suite vs. explicit no-training claim on the API) should be disclosed to buyers rather than treated as a single blanket policy.

    // Security controls

    Encryption in transit

    Claimed on pricing page ("Encryption in transit") and Privacy Policy ("Encryption of voice biometric data both in transit and at rest"). No further technical detail (TLS version, etc.) published.

    async.com

    Encryption at rest

    Claimed on pricing page ("Encryption at rest") and Privacy Policy, specifically for voice biometric data.

    async.com

    Vulnerability management

    Pricing page lists "Advanced vulnarability checks" [sic] as a security feature; no detail on cadence, scope, or third-party pentest reports.

    async.com

    SSO / enterprise auth

    A third-party aggregator (Nudge Security) indicates Okta/SSO and Google/Microsoft login support, but this was not independently confirmed on a vendor-owned page during this review.

    Account security responsibility

    Terms of Service place responsibility on users to safeguard account credentials and to notify Async of any suspected breach; no vendor-side incident-response commitment (SLA, notification timeline) was found.

    async.com

    // Products & data scope

    Async Creative Suite (formerly Podcastle Creator)AI video/podcast/audio editing (consumer + team)

    data: User-uploaded video, audio, and voice recordings; broad perpetual R&D/training license by default per ToS, with an opt-out route (email) and a separate voice-cloning disable option.

    Free, Essentials, Pro, Teams, and Business pricing tiers. Security & compliance bullets (SOC2 certified, GDPR compliant, encryption at rest/in transit, vulnerability checks) appear on the pricing page without tier differentiation in the copy itself, though the Help Center says the bundled 'advanced security and compliance features' apply to the Business tier.

    Async Voice APIDeveloper text-to-speech / voice-cloning API

    data: Markets a 'privacy-first data policy that keeps your content out of model training' - a stricter, opt-in-free posture than the consumer Creative Suite.

    Targets voice-app/agent developers (integrations: Pipecat, LiveKit, Twilio, n8n). Cites '99.9% uptime SLA,' 'SOC 2 compliant infrastructure,' and GDPR, with 'advanced security controls' for enterprise customers via contact-sales. The 'SOC 2 compliant infrastructure' phrasing is ambiguous as to whether it describes Async's own audited controls or its underlying cloud hosting.

    // What to watch

    • This is NOT a scraping error - podcastle.ai now 308-permanently-redirects to async.com, and async.com's own Privacy Policy/Terms identify the operator as 'Podcastle Inc. (DBA Async).' This is a rebrand of the same legal entity. AIFOXX's listing should be updated to reflect the current brand name 'Async (formerly Podcastle)' to avoid user confusion and stale-name mismatches elsewhere in the directory.
    • NO TRUST CENTER: All certification claims (SOC 2, GDPR) are self-reported marketing bullets on the pricing page, help center, and API page - there is no SafeBase/Vanta/Drata-style public trust center, auditor name, report date, or downloadable SOC 2 report. Treat as vendor self-attestation, not independently verified.
    • THIRD-PARTY OVER-CLAIM RISK: An aggregator site (Nudge Security) lists Podcastle as PCI, HIPAA, SOC 2, GDPR, ISO 27001, FedRAMP, and CSA STAR Level 1 'Compliant.' None of ISO 27001, HIPAA, PCI, FedRAMP, or CSA STAR could be corroborated on async.com or podcastle.ai. This looks like an automated inference that conflated subprocessor certifications mentioned in the privacy policy (Braze's own SOC 2/ISO 27001; the payment processor's PCI-DSS obligation) with Async's own compliance. Do not treat the aggregator page as a valid source for AIFOXX listing purposes.
    • HOST/SUBPROCESSOR CONFLATION: The Privacy Policy's PCI-DSS and ISO 27001 mentions belong to Async's payment processor and marketing vendor (Braze) respectively, not to Async's own certifications - graded held=false for Async accordingly.
    • AI-TRAINING CONTRADICTION ACROSS PRODUCTS: The Creative Suite ToS grants Async a broad perpetual R&D/training license over user content by default (opt-out via email), while the separate Voice API page markets an explicit 'keeps your content out of model training' promise. Buyers evaluating the API vs. the consumer app should not assume the same data-use policy applies to both.

    // At a glance

    Pricing model

    Freemium subscription (Free / Essentials / Pro / Teams / Business) for the Creative Suite; usage-based / contact-sales for the Voice API

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Podcastle Inc. (doing business as Async)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    async.com

    > Browse all vendor trust reports