// Trust & Security Report
Soundful Inc.
AI music generation platform. Main products: free/consumer AI Music Generator (soundful.com, browser-based track creation), tiered subscription plans (Music Creator, Music Creator Plus) for individual creators/producers, a Business/Enterprise plan for commercial teams, and a 'Brand Experience' offering (white-glove sonic branding services for enterprises). No public developer/API product or self-hosted option found.
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: soundful.comNo public evidence of SOC 2 certification on soundful.com. No trust center, security page, or compliance page exists on the vendor domain; searches for 'Soundful SOC 2' and 'Soundful trust center' returned no vendor-domain results.
source: soundful.comNo public evidence of ISO 27001 certification. Not mentioned anywhere on soundful.com (home, privacy policy, terms, cookie policy, license, or help center pages checked).
source: soundful.comNo public evidence of ISO/IEC 42001 or any AI-governance certification. Vendor markets ethical training-data sourcing ('Crafted, Not Scraped') but this is a data-sourcing claim, not a certified AI management system.
source: soundful.comNo public evidence of CSA STAR registration or certification found on vendor domain.
source: soundful.comThe Privacy Policy (last updated November 18, 2021) is explicitly framed around the California Consumer Privacy Act (CCPA: 'This Privacy Policy is subject to the California Consumer Privacy Act...') and contains no reference to GDPR, EU data subject rights, or an EU/UK data transfer mechanism (no SCCs, adequacy, or Binding Corporate Rules mentioned). Cannot confirm a GDPR compliance program.
source: soundful.comNo public evidence of HIPAA compliance. Not applicable to Soundful's product (AI music generation; no health data handling).
source: soundful.comNo public evidence of PCI DSS certification on vendor domain, despite the site processing subscription payments. No mention of a certified payment processor or PCI attestation.
source: soundful.comNo public evidence of FedRAMP authorization. Not applicable; Soundful has no public government/federal offering.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Company headquartered at 3950 Sorrento Valley Blvd, Suite 400, San Diego, CA 92121, USA. No specific data-hosting region/cloud provider is disclosed on the vendor site.
Vendor markets its models as ethically trained on non-copyrighted material: help-center copy states 'Our AI is not trained on previously copyrighted music but instead based on music theory and foundation provided by our in-house production team,' and the homepage repeats 'Crafted, Not Scraped ... No stolen content. Built on respect for creators.' This addresses training-data sourcing (not scraping others' copyrighted works), NOT whether Soundful trains or fine-tunes on content that customers upload or generate. Separately, the Terms and Conditions grant Soundful a broad, irrevocable, perpetual license to 'use, copy, modify, display, archive, store, distribute, reproduce and create derivative works' from User Content 'for any purpose whatsoever, including but not limited to developing, manufacturing, and marketing products using or inspired by such User Content' -- language broad enough to permit training/product-development use of user content, though it is not explicitly labeled as 'AI training' anywhere. No opt-out mechanism for this license is documented. This is a genuine ambiguity, not a confirmed fact either way.
// Security controls
Encryption in transit / at rest
Privacy Policy states only generic, non-specific language: 'We maintain strict physical, electronic, and procedural safeguards ... and use encryption and authentication tools when appropriate.' No standard (e.g. TLS 1.2+, AES-256) or scope is specified, and the policy itself concedes 'no data transmission over the Internet can be guaranteed to be 100% secure.'
soundful.comEmployee access controls
'We restrict access to your Information to employees who we have determined need it ... we train our employees to safeguard customer information, and we require them to sign confidentiality and non-disclosure agreements.'
soundful.comVendor/sub-processor oversight
Policy states third-party service providers are contractually required to 'implement and maintain reasonable security procedures and practices.' Known third-party data recipient: Google Analytics ('anonymised tracking data to third party applications like Google Analytics'). No full sub-processor list is published.
soundful.comAuthentication (2FA/SSO)
Unknown - not publicly documented on vendor site.
Data residency
Unknown - not publicly documented beyond company HQ in San Diego, CA.
// Products & data scope
data: Account/profile data, generated track metadata, browser cookies/analytics
Free tier: 1 MP3 download/month, non-exclusive Personal License. Entry point for individual users; no enterprise controls.
data: Same as free tier plus payment data for subscription billing
Adds commercial usage rights (social, projects under 100K monthly users) and, on Plus, exclusive licensing of purchased-copyright tracks.
data: Team/org account data, payment data, larger-scale commercial usage rights
Required for commercial projects exceeding 100K monthly users, film, TV, ads, and apps/games. No dedicated enterprise security documentation, DPA, or SSO/SAML capability found publicly.
data: Client brand assets, creative briefs, custom-produced audio; likely direct engagement/contract rather than self-serve data flows
White-glove, producer-led sonic branding for enterprises/agencies. No public data-handling or security documentation specific to this service; likely handled via bespoke commercial contract, not verifiable from public pages.
// What to watch
- NO TRUST CENTER: soundful.com has no security, compliance, or trust page.
- STALE PRIVACY POLICY: Privacy Policy is dated 'Last Updated: November 18, 2021,' predating the current product line (Brand Experience, current AI-music FAQ language) by several years. Coverage of AI-specific data practices is likely outdated or absent.
- GDPR GAP: Policy is CCPA-framed only; no GDPR language, EU representative, or transfer-mechanism disclosure found, despite the product being available to EU users via a public website.
- AMBIGUOUS CONTENT LICENSE vs AI-TRAINING MARKETING: Homepage/help-center marketing emphasizes ethical, non-scraped model training ('Crafted, Not Scraped'), but the Terms and Conditions separately grant Soundful a broad perpetual license to use User Content 'for any purpose whatsoever, including ... developing ... products.' This is broad enough to cover training/product-development use of user-submitted content, and is not reconciled anywhere with the 'ethically trained' marketing claim. Recommend treating trains_on_customer_data as unconfirmed (null), not false, until clarified by the vendor.
- NO DPA PUBLISHED: No Data Processing Agreement is offered or referenced publicly, which is a gap for any team-tier business customer with EU/enterprise data-handling requirements.
- STARTUP MATURITY: Seed-stage company (~$3.8M raised, ~16-23 employees per Crunchbase/PitchBook, founded 2019, San Diego HQ). Consistent with an early-stage vendor without formal compliance certifications; this is not itself a red flag, but should be listed transparently rather than implied to be enterprise-grade.
// At a glance
Pricing model
Freemium consumer tiers + paid Music Creator/Plus subscriptions + custom Business/Enterprise and Brand Experience pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Soundful Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
soundful.com