// Trust & Security Report
Soundtrap US Inc / Spotify AB (Soundtrap is a Spotify-owned service)
Browser-based collaborative music, vocal, and podcast creation studio, offered as Soundtrap for Music Makers (consumer/creator, tiered subscriptions), Soundtrap for Podcasters, and Soundtrap for Education (K-12/school-focused, with its own FERPA/COPPA/SOPIPA compliance program and DPA).
Certifications held
5
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on static.soundtrap.com“'The EU standard contractual clauses adopted by decision of 4 June 2021 document number C/2021/3972 (module 2, controllers to processors) ("SCCs") shall apply to any transfers of Personal Data under this DPA from the European Union ("EU") and the European Economic Area ("EEA")...' and 'Spotify undertakes to: ... Take all measures required pursuant to GDPR, Article 32.'”
Verify on static.soundtrap.com“"Soundtrap for Education is designed to comply with COPPA. Consistent with the COPPA regulations, we rely on the school to provide appropriate consent and authorization for a student under 13 to use our services..."”
Verify on static.soundtrap.com“"Soundtrap for Education is designed to meet our responsibilities to protect personal information from the students' educational records under FERPA."”
Verify on static.soundtrap.com“"Soundtrap for Education is a signatory of the Student Privacy Pledge ('the Pledge'), an industry standard of privacy principles for providers of K-12 educational services."”
Verify on static.soundtrap.com“"Soundtrap for Education is designed to comply with SOPIPA and California Assembly Bill 1584. We do not use student personal information for targeted advertising purposes."”
> Show 8 unconfirmed / not-held certifications
source: soundtrap.comNo public evidence. Soundtrap's own Trust Center PDF and legal pages (privacy policy, DPA, subcontractors index) do not mention SOC 2 anywhere. A third-party summary claims Spotify overall is 'SOC 2 Compliant', but the only vendor-domain SOC 2 reference found (spotify.com/backstage) is scoped to the unrelated 'Spotify Portal for Backstage' developer product, not Soundtrap.
source: soundtrap.comNo public evidence. Not mentioned in Soundtrap's Trust Center, DPA, or legal index.
source: soundtrap.comNo public evidence found on any Soundtrap vendor-domain page.
source: soundtrap.comNo public evidence. No AI-governance certification is referenced anywhere on Soundtrap's legal/trust pages.
source: soundtrap.comNo public evidence found on any Soundtrap vendor-domain page.
source: soundtrap.comNo public evidence and not applicable to the product's stated purpose (music/podcast/education creation tool, not a healthcare service). No BAA or HIPAA language found on any vendor page.
source: soundtrap.comNo public evidence found; payments are handled via subscription billing but no PCI attestation is published on the vendor's own domain.
source: soundtrap.comNo public evidence. Not a government-targeted product; no FedRAMP language on any Soundtrap page.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Not explicitly disclosed on any accessible vendor page. The DPA's SCC module (EU/EEA to third countries) implies personal data may be transferred outside the EU/EEA (consistent with a US-headquartered parent, Spotify/Soundtrap US Inc), but no specific hosting region or cloud provider is named in the accessible Trust Center, DPA, or legal pages.
No explicit statement was found, on the vendor's own domain, addressing whether user-created audio/vocal content is used to train AI/ML models. The Trust Center and DPA are silent on this. Given Soundtrap's DAW/loop-library product has no visible generative-AI feature, this is plausibly not applicable today, but the absence of an affirmative no-training statement (unlike some peers who now publish explicit AI clauses, e.g. SoundCloud's 2025 policy change) is a real gap and should be confirmed directly with the vendor before making claims either way.
// Security controls
GDPR data transfer mechanism
2021 EU Standard Contractual Clauses (Module 2, controller-to-processor) apply to transfers of personal data outside the EU/EEA.
static.soundtrap.comGDPR Article 32 technical/organizational measures
Vendor (Spotify, as processor) contractually undertakes to 'take all measures required pursuant to GDPR, Article 32,' and the SCC Annex II requires 'appropriate technical and organizational security measures ... taking into account available encryption technology,' but no specific encryption standard (e.g. AES-256, TLS version) is disclosed on the vendor's own pages.
static.soundtrap.comSubprocessor transparency
A subprocessor list is referenced and linked (https://www.soundtrap.com/legal/subcontractors) with a commitment to give 5 business days' notice before adding a new subcontractor with data access, but the actual current subprocessor names could not be extracted (page renders as a JavaScript app; content not accessible via automated fetch).
soundtrap.comData minimization for children (EDU)
"Only allows for the first name and last name to be stored in the profile. No profile picture, tags, location or description will be stored" and users are placed in a 'Walled Garden' invite-only environment not visible or contactable outside the school's EDU account.
support.soundtrap.comData retention (EDU)
"We do not collect or retain student personal information for longer than is necessary to provide the Service" and schools may request review/deletion of student data.
static.soundtrap.comNo sale of personal/student data
"We do not sell student personal information" (with a narrow carve-out for corporate transactions such as merger/acquisition, with notice and opt-out).
static.soundtrap.comEncryption in transit / at rest
Not disclosed with specifics on any accessible vendor page (no stated TLS version, at-rest encryption algorithm, or key management detail).
soundtrap.com// Products & data scope
data: Account data, user-created audio/project content, collaboration/chat data, usage data.
Tiered subscription plans (e.g. Sound Starter, Music Production, Production & Vocals per the vendor's own marketing copy). General consumer privacy policy applies, not the EDU-specific compliance program.
data: Same general account and content data as Music Makers; no education- or health-specific data handling.
Covered by the same general (non-EDU) privacy policy and terms.
data: Teacher and student account data, platform usage data; explicitly excludes sensitive data categories per the DPA ('Sensitive data: None').
The only product line with a documented compliance program: FERPA, COPPA, SOPIPA/AB 1584, NY Ed Law 2-d, Student Privacy Pledge signatory, dedicated DPA with 2021 EU SCCs, and a 'Walled Garden' safety design. This is where nearly all of Soundtrap's public trust/compliance documentation is concentrated.
// What to watch
- No SOC 2, ISO 27001, ISO 42001, HIPAA, PCI DSS, CSA STAR, or FedRAMP evidence found anywhere on Soundtrap's own domain; if AIFOXX marketing copy or third-party aggregators imply otherwise, that would be an over-claim to correct.
- Host/parent-vs-vendor ambiguity: third-party sources claim Spotify (the parent company) holds SOC 2/ISO 27001/FedRAMP, but the only vendor-domain SOC 2 reference found is scoped to a different Spotify product ('Spotify Portal for Backstage'), not Soundtrap. Do not credit Soundtrap with Spotify's or Backstage's certifications without direct proof naming Soundtrap.
- The Trust Center PDF is dated 'Last Updated: September 2020' despite being served from a 2026-copyrighted site; content (FERPA/COPPA/SOPIPA/NY Ed Law framing) may be stale and should be reconfirmed with the vendor before relying on it for a current-year procurement decision.
- Trust/compliance documentation is concentrated almost entirely in the Education product line; the consumer Music Makers/Podcasters privacy policy content could not be fully extracted (site renders via client-side JavaScript, blocking automated text extraction), so consumer-tier data handling specifics (encryption, retention, hosting region) remain unverified.
- AI-training posture on user-created audio content is not addressed anywhere found on the vendor's own domain; should be confirmed directly rather than assumed either way, especially as peer platforms (e.g. SoundCloud) have recently added explicit AI-training clauses.
// At a glance
Pricing model
Freemium consumer subscriptions (Music Makers/Podcasters) plus separate institutional licensing for Soundtrap for Education (school/district agreements).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Soundtrap US Inc / Spotify AB (Soundtrap is a Spotify-owned service)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
soundtrap.com