// Trust & Security Report
SOUNDRAW, Inc.
SOUNDRAW AI Music Generator (royalty-free AI music generation, browser-based mixer, stems/WAV export, plus API and enterprise/store-BGM offerings)
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on soundraw.io“No SOC 2 attestation is mentioned anywhere on soundraw.io (home, privacy, GDPR, or terms pages), and no trust/security page exists.”
Verify on soundraw.io“No ISO 27001 certification is referenced on the vendor's site; the only security statement found is a generic GDPR clause.”
Verify on soundraw.io“No privacy-information-management certification is referenced on the vendor's site.”
Verify on soundraw.io“"SOUNDRAW, Inc. ... will comply with the EU General Data Protection Regulation (GDPR) and other relevant laws and regulations in handling personal data (personal information) located in the EEA ... you have access to your personal information, right of correction, right of deletion, right to restrict processing, right of data portability, and right to object."”
> Show 1 unconfirmed / not-held certifications
source: soundraw.ioNot applicable. SOUNDRAW is a consumer/creator AI music tool that does not process health data; no HIPAA claim is made and none would be expected.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
unknown (SOUNDRAW, Inc. is a Japan-based company; the standard privacy policy is framed around Japan's Act on the Protection of Personal Information, with a separate GDPR policy for EEA users. No specific hosting region or data-residency commitment is published.)
SOUNDRAW's generative model is trained ONLY on music produced in-house by their own producers, not on user content or third-party scraped songs. Home page: "SOUNDRAW's AI is trained only on music we create in-house. Every beat is legally yours." Commitment section: "powered by proprietary algorithms trained exclusively on music produced in-house by our professional team ... we own the master recordings and publishing rights to every note that trains our AI." The Terms further prohibit users from "Developing a model that competes with the Service by using Generated Music generated by the Service." NUANCE: This 'trained only in-house' claim concerns the music-generation model. The privacy policy separately reserves use of personal/usage data for analytics and marketing surveys ("aggregating and analyzing personal information attributes and creating statistical data" / "conducting marketing surveys"), which is ordinary product analytics, not generative-model training. No statement was found expressly ruling out use of user prompts/usage for product improvement.
// Security controls
Security measures (general)
Only a generic commitment: "We will take appropriate technical and organizational measures to ensure proper security when processing personal data." No detail on encryption-at-rest/in-transit, key management, or access controls.
soundraw.ioEncryption
unknown - no explicit encryption-at-rest or in-transit statement published (site is served over HTTPS).
soundraw.ioBug bounty program
none found - no HackerOne, Bugcrowd, or security.txt / responsible-disclosure program located on the vendor's site or via search.
soundraw.ioPenetration testing
unknown - no public statement that third-party pen testing is performed.
soundraw.ioThird-party data sharing
"SOUNDRAW will not provide your personal information to third parties without first obtaining your consent, except in the following cases" (legal requirement, protection of life/property, government cooperation, prior notice). Subcontractors may process data "to the extent necessary to achieve the purpose of use."
soundraw.ioData subject rights
Disclosure, correction, deletion, and suspension-of-use rights are documented; EEA users additionally get GDPR rights (access, rectification, erasure, restriction, portability, objection, consent withdrawal).
soundraw.ioPrivacy policy change practice
FLAG: "The content of this policy may be changed without any notification to users" and "changes ... shall take effect from the time of their publication on this website." Unilateral change without notice is a procurement caution.
soundraw.io// Products & data scope
data: Account data (name, DOB, address, phone, email, credit card), usage/browsing history, IP, cookies, device ID. User generates and downloads royalty-free tracks; license is non-exclusive, non-transferable, non-sublicensable.
Self-serve web app. No enterprise security controls (SSO, audit logs, DPA) advertised at these tiers.
data: Programmatic generation for video platforms, games, and ad tech; tracks cleared for perpetual commercial use. Same in-house-trained model.
Contact-sales / contract-based. "Easy integration with dedicated technical support." Compliance terms would be set in the bespoke contract; nothing published.
data: Unlimited royalty-free generation, permanent commercial clearance, dedicated enterprise support including feature/genre requests.
Contact-sales. No published enterprise security certifications, DPA template, or SLA.
data: Generated BGM matched to a store's atmosphere; copyright-cleared.
Contact-sales. Lowest data-sensitivity product.
data: Education-focused licensing; may involve minors' usage, raising additional privacy considerations not detailed publicly.
Listed in footer; no dedicated education privacy addendum located.
// What to watch
- No trust center, no security page, no SOC 2 / ISO 27001 evidence - normal for a creative-tools startup/growth vendor, not a red flag by itself.
- Privacy policy states it 'may be changed without any notification to users' and takes effect on publication - a procurement caution for contractual stability.
- No DPA, sub-processor list, encryption detail, pen-test, or bug-bounty program published.
- Strong, well-evidenced claim that the generative model is trained only on in-house-owned music (not user content or scraped data) - the vendor's core differentiator and a positive for copyright/IP risk.
- Dual privacy regime: a Japan-PIPA-style general policy plus a separate GDPR policy for EEA users; data hosting region not disclosed.
- SOUNDRAW for Schools may involve minors; no dedicated youth/education privacy addendum found.
// At a glance
Pricing model
Freemium trial + tiered subscription (Creator ~EUR5.83/mo to Artist Unlimited ~EUR17.42/mo) plus contact-sales API, Enterprise, and Store BGM plans.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SOUNDRAW, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
soundraw.io