// Trust & Security Report
Sonix, Inc.
AI-powered audio/video transcription, translation, and subtitling platform with an add-on "Medical Sonix" offering for HIPAA-covered healthcare use and enterprise plans (SSO/SCIM, unlimited API access, granular permissions); also offers a consumer/prosumer web app, mobile capture app, and public API.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on sonix.ai“SOC II Type II ... SOC 2 Type II certified with continuous security control monitoring. Our controls are independently audited annually. Enterprise: SOC 2 Type 2 certified. SSO, granular permissions, and unlimited API access for teams at scale.”
Verify on sonix.ai“HIPAA-Compliant ... Available through Medical Sonix for healthcare organizations. We sign Business Associate Agreements and implement required safeguards to protect PHI.”
> Show 7 unconfirmed / not-held certifications
source: sonix.aiSonix holds SOC 2 Type II certification with security controls that align with ISO 27001 requirements. (Note: this is an 'aligns with' statement, not a certification claim; ISO 27001 is not mentioned anywhere on the dedicated /security page.) The homepage comparison table lists 'SOC 2 + HIPAA, ISO 27001' as an enterprise-grade offering, which is not backed up by the vendor's own security page.
source: sonix.aiWe follow GDPR protocols and can sign DPA and SCC. These documents are available inside your Sonix account upon request. / For the purposes of data protection legislation in the European Union and the United Kingdom, Sonix, Inc. ... is the controller of your Personal Data.
source: sonix.aiNo public evidence of PCI DSS certification found on vendor-owned pages; Sonix does not appear to process cardholder payment data directly (billing likely handled by a third-party payment processor, not disclosed on security pages).
source: sonix.aiNo public evidence; not mentioned on the /security page or elsewhere on sonix.ai.
source: sonix.aiNo public evidence; not mentioned anywhere on sonix.ai.
source: sonix.aiNo public evidence; not mentioned anywhere on sonix.ai. Sonix is not positioned as a government/public-sector product.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States - security page: 'All data is stored at AWS in the USA.' Privacy policy separately confirms data may be transferred to and stored outside the EEA/UK, consistent with US-only storage.
Sonix states plainly on its security page: 'None of your data processed through Sonix is used for training purposes. Your information remains strictly confidential and is never used for training our systems.' The homepage repeats 'Zero training on customer data' as a top badge and the terms of service state Sonix will not use audio/video files 'for any other purposes except to provide you with our transcription, translation, analysis, and other related services' absent express permission. No tier-based exception was found (i.e., the no-training policy is not stated to be enterprise-only). One narrower clause exists: user feedback/suggestions submitted through support channels are explicitly excluded and may be used by Sonix 'for any purpose' - this is normal feedback-rights language, not a contradiction of the customer-content no-training policy.
// Security controls
Encryption in transit
TLS (search-indexed marketing copy specifies TLS 1.2/1.3); vendor's own /security page states: 'We encrypt all data between you and Sonix using TLS (Transport Layer Security).'
sonix.aiEncryption at rest
AES-256 server-side encryption. 'We use server-side encryption with AES-256, one of the strongest block ciphers available.'
sonix.aiSSO / access control
SSO/SCIM and granular permissions offered on Enterprise plan only, per homepage: 'SOC 2 Type II certified. SSO, granular permissions, and unlimited API access for teams at scale.'
sonix.aiPHI handling
Automatic PHI detection and BAA available for the Medical Sonix product line: 'HIPAA-compliant transcription for clinical notes, patient consultations, and medical research. Automatic PHI detection keeps sensitive data secure.'
sonix.aiContinuous monitoring
SOC 2 Type II control monitoring is stated as continuous/annually audited: 'SOC 2 Type II certified with continuous security control monitoring. Our controls are independently audited annually.'
sonix.ai// Products & data scope
data: User-uploaded audio/video files and generated transcripts
Standard SOC 2 Type II and encryption controls apply; no training on customer data.
data: Clinical notes, patient consultations, PHI
HIPAA BAA available; automatic PHI detection; this is the product tier where HIPAA compliance specifically applies, per vendor's own site.
data: Depositions, court proceedings, client interviews
Marketed with 'chain-of-custody audit trails'; no separate certification disclosed beyond the core SOC 2 Type II.
data: Same as core product, at scale
Adds SSO/SCIM, granular permissions, unlimited API access; this is the plan the homepage associates with the 'ISO 27001' claim that could not be verified against the vendor's own security page - see flags.
// What to watch
- Homepage over-claim: the homepage's comparison table lists 'SOC 2 + HIPAA, ISO 27001' as part of Sonix's enterprise-grade security stack, but Sonix's own dedicated /security page and a Sonix-authored blog post about ISO 27001 compliance both describe SOC 2 controls as merely 'aligning with' ISO 27001 requirements, not certification. No ISO 27001 certificate, auditor name, or certification date was found anywhere on sonix.ai. Recommend NOT crediting ISO 27001 as held, and flagging the homepage claim for the vendor to correct or substantiate.
- No dedicated trust center (e.g., a Vanta/Drata/SafeBase-hosted public trust portal) was found; a third-party search result referenced Sonix using Drata for SOC 2 control monitoring, but this could not be confirmed on a Sonix-owned page and is not counted as evidence.
- HIPAA compliance is explicitly scoped to the 'Medical Sonix' product/plan in the vendor's own copy; do not present it as a blanket certification covering all Sonix products without qualification.
- SOC 2 Type II date evidence (a 2024 announcement blog post) is a renewal/point-in-time claim; could not confirm the audit report is still current as of 2026 from public pages alone (SOC 2 reports typically require annual renewal, and the vendor's /security page claims 'audited annually' but does not show the latest audit date).
// At a glance
Pricing model
Usage-based (per-audio-hour) with free trial (30 minutes free); paid plans and an Enterprise tier
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sonix, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
sonix.ai