// Trust & Security Report

    Sonix, Inc. logo

    Sonix, Inc.

    AI-powered audio/video transcription, translation, and subtitling platform with an add-on "Medical Sonix" offering for HIPAA-covered healthcare use and enterprise plans (SSO/SCIM, unlimited API access, granular permissions); also offers a consumer/prosumer web app, mobile capture app, and public API.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC II Type II ... SOC 2 Type II certified with continuous security control monitoring. Our controls are independently audited annually. Enterprise: SOC 2 Type 2 certified. SSO, granular permissions, and unlimited API access for teams at scale.

    Verify on sonix.ai
    HIPAA
    HELD

    HIPAA-Compliant ... Available through Medical Sonix for healthcare organizations. We sign Business Associate Agreements and implement required safeguards to protect PHI.

    Verify on sonix.ai
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Sonix holds SOC 2 Type II certification with security controls that align with ISO 27001 requirements. (Note: this is an 'aligns with' statement, not a certification claim; ISO 27001 is not mentioned anywhere on the dedicated /security page.) The homepage comparison table lists 'SOC 2 + HIPAA, ISO 27001' as an enterprise-grade offering, which is not backed up by the vendor's own security page.

    source: sonix.ai
    GDPR (posture, not a cert)
    NOT CONFIRMED

    We follow GDPR protocols and can sign DPA and SCC. These documents are available inside your Sonix account upon request. / For the purposes of data protection legislation in the European Union and the United Kingdom, Sonix, Inc. ... is the controller of your Personal Data.

    source: sonix.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor-owned pages; Sonix does not appear to process cardholder payment data directly (billing likely handled by a third-party payment processor, not disclosed on security pages).

    source: sonix.ai
    ISO 27017 / ISO 27018 / ISO 27701
    NOT CONFIRMED

    No public evidence; not mentioned on the /security page or elsewhere on sonix.ai.

    source: sonix.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence; not mentioned anywhere on sonix.ai.

    source: sonix.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence; not mentioned anywhere on sonix.ai.

    source: sonix.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence; not mentioned anywhere on sonix.ai. Sonix is not positioned as a government/public-sector product.

    source: sonix.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States - security page: 'All data is stored at AWS in the USA.' Privacy policy separately confirms data may be transferred to and stored outside the EEA/UK, consistent with US-only storage.

    Sonix states plainly on its security page: 'None of your data processed through Sonix is used for training purposes. Your information remains strictly confidential and is never used for training our systems.' The homepage repeats 'Zero training on customer data' as a top badge and the terms of service state Sonix will not use audio/video files 'for any other purposes except to provide you with our transcription, translation, analysis, and other related services' absent express permission. No tier-based exception was found (i.e., the no-training policy is not stated to be enterprise-only). One narrower clause exists: user feedback/suggestions submitted through support channels are explicitly excluded and may be used by Sonix 'for any purpose' - this is normal feedback-rights language, not a contradiction of the customer-content no-training policy.

    // Security controls

    Encryption in transit

    TLS (search-indexed marketing copy specifies TLS 1.2/1.3); vendor's own /security page states: 'We encrypt all data between you and Sonix using TLS (Transport Layer Security).'

    sonix.ai

    Encryption at rest

    AES-256 server-side encryption. 'We use server-side encryption with AES-256, one of the strongest block ciphers available.'

    sonix.ai

    SSO / access control

    SSO/SCIM and granular permissions offered on Enterprise plan only, per homepage: 'SOC 2 Type II certified. SSO, granular permissions, and unlimited API access for teams at scale.'

    sonix.ai

    PHI handling

    Automatic PHI detection and BAA available for the Medical Sonix product line: 'HIPAA-compliant transcription for clinical notes, patient consultations, and medical research. Automatic PHI detection keeps sensitive data secure.'

    sonix.ai

    Continuous monitoring

    SOC 2 Type II control monitoring is stated as continuous/annually audited: 'SOC 2 Type II certified with continuous security control monitoring. Our controls are independently audited annually.'

    sonix.ai

    // Products & data scope

    Sonix (core web app / API)AI transcription, translation, subtitling

    data: User-uploaded audio/video files and generated transcripts

    Standard SOC 2 Type II and encryption controls apply; no training on customer data.

    Medical SonixHealthcare-specific transcription

    data: Clinical notes, patient consultations, PHI

    HIPAA BAA available; automatic PHI detection; this is the product tier where HIPAA compliance specifically applies, per vendor's own site.

    Sonix LegalLegal transcription

    data: Depositions, court proceedings, client interviews

    Marketed with 'chain-of-custody audit trails'; no separate certification disclosed beyond the core SOC 2 Type II.

    Sonix EnterpriseTeam/enterprise plan

    data: Same as core product, at scale

    Adds SSO/SCIM, granular permissions, unlimited API access; this is the plan the homepage associates with the 'ISO 27001' claim that could not be verified against the vendor's own security page - see flags.

    // What to watch

    • Homepage over-claim: the homepage's comparison table lists 'SOC 2 + HIPAA, ISO 27001' as part of Sonix's enterprise-grade security stack, but Sonix's own dedicated /security page and a Sonix-authored blog post about ISO 27001 compliance both describe SOC 2 controls as merely 'aligning with' ISO 27001 requirements, not certification. No ISO 27001 certificate, auditor name, or certification date was found anywhere on sonix.ai. Recommend NOT crediting ISO 27001 as held, and flagging the homepage claim for the vendor to correct or substantiate.
    • No dedicated trust center (e.g., a Vanta/Drata/SafeBase-hosted public trust portal) was found; a third-party search result referenced Sonix using Drata for SOC 2 control monitoring, but this could not be confirmed on a Sonix-owned page and is not counted as evidence.
    • HIPAA compliance is explicitly scoped to the 'Medical Sonix' product/plan in the vendor's own copy; do not present it as a blanket certification covering all Sonix products without qualification.
    • SOC 2 Type II date evidence (a 2024 announcement blog post) is a renewal/point-in-time claim; could not confirm the audit report is still current as of 2026 from public pages alone (SOC 2 reports typically require annual renewal, and the vendor's /security page claims 'audited annually' but does not show the latest audit date).

    // At a glance

    Pricing model

    Usage-based (per-audio-hour) with free trial (30 minutes free); paid plans and an Enterprise tier

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sonix, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    sonix.ai

    > Browse all vendor trust reports