// Trust & Security Report

    Soundtrap US Inc / Spotify AB (Soundtrap is a Spotify-owned service) logo

    Soundtrap US Inc / Spotify AB (Soundtrap is a Spotify-owned service)

    Browser-based collaborative music, vocal, and podcast creation studio, offered as Soundtrap for Music Makers (consumer/creator, tiered subscriptions), Soundtrap for Podcasters, and Soundtrap for Education (K-12/school-focused, with its own FERPA/COPPA/SOPIPA compliance program and DPA).

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture, not a certification)
    HELD

    'The EU standard contractual clauses adopted by decision of 4 June 2021 document number C/2021/3972 (module 2, controllers to processors) ("SCCs") shall apply to any transfers of Personal Data under this DPA from the European Union ("EU") and the European Economic Area ("EEA")...' and 'Spotify undertakes to: ... Take all measures required pursuant to GDPR, Article 32.'

    Verify on static.soundtrap.com
    COPPA (Children's Online Privacy Protection Act)
    HELD

    "Soundtrap for Education is designed to comply with COPPA. Consistent with the COPPA regulations, we rely on the school to provide appropriate consent and authorization for a student under 13 to use our services..."

    Verify on static.soundtrap.com
    FERPA (Family Educational Rights and Privacy Act)
    HELD

    "Soundtrap for Education is designed to meet our responsibilities to protect personal information from the students' educational records under FERPA."

    Verify on static.soundtrap.com
    Student Privacy Pledge (industry pledge, not a formal cert)
    HELD

    "Soundtrap for Education is a signatory of the Student Privacy Pledge ('the Pledge'), an industry standard of privacy principles for providers of K-12 educational services."

    Verify on static.soundtrap.com
    SOPIPA / California AB 1584
    HELD

    "Soundtrap for Education is designed to comply with SOPIPA and California Assembly Bill 1584. We do not use student personal information for targeted advertising purposes."

    Verify on static.soundtrap.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. Soundtrap's own Trust Center PDF and legal pages (privacy policy, DPA, subcontractors index) do not mention SOC 2 anywhere. A third-party summary claims Spotify overall is 'SOC 2 Compliant', but the only vendor-domain SOC 2 reference found (spotify.com/backstage) is scoped to the unrelated 'Spotify Portal for Backstage' developer product, not Soundtrap.

    source: soundtrap.com
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence. Not mentioned in Soundtrap's Trust Center, DPA, or legal index.

    source: soundtrap.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on any Soundtrap vendor-domain page.

    source: soundtrap.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence. No AI-governance certification is referenced anywhere on Soundtrap's legal/trust pages.

    source: soundtrap.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any Soundtrap vendor-domain page.

    source: soundtrap.com
    HIPAA
    NOT CONFIRMED

    No public evidence and not applicable to the product's stated purpose (music/podcast/education creation tool, not a healthcare service). No BAA or HIPAA language found on any vendor page.

    source: soundtrap.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found; payments are handled via subscription billing but no PCI attestation is published on the vendor's own domain.

    source: soundtrap.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not a government-targeted product; no FedRAMP language on any Soundtrap page.

    source: soundtrap.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Not explicitly disclosed on any accessible vendor page. The DPA's SCC module (EU/EEA to third countries) implies personal data may be transferred outside the EU/EEA (consistent with a US-headquartered parent, Spotify/Soundtrap US Inc), but no specific hosting region or cloud provider is named in the accessible Trust Center, DPA, or legal pages.

    No explicit statement was found, on the vendor's own domain, addressing whether user-created audio/vocal content is used to train AI/ML models. The Trust Center and DPA are silent on this. Given Soundtrap's DAW/loop-library product has no visible generative-AI feature, this is plausibly not applicable today, but the absence of an affirmative no-training statement (unlike some peers who now publish explicit AI clauses, e.g. SoundCloud's 2025 policy change) is a real gap and should be confirmed directly with the vendor before making claims either way.

    // Security controls

    GDPR data transfer mechanism

    2021 EU Standard Contractual Clauses (Module 2, controller-to-processor) apply to transfers of personal data outside the EU/EEA.

    static.soundtrap.com

    GDPR Article 32 technical/organizational measures

    Vendor (Spotify, as processor) contractually undertakes to 'take all measures required pursuant to GDPR, Article 32,' and the SCC Annex II requires 'appropriate technical and organizational security measures ... taking into account available encryption technology,' but no specific encryption standard (e.g. AES-256, TLS version) is disclosed on the vendor's own pages.

    static.soundtrap.com

    Subprocessor transparency

    A subprocessor list is referenced and linked (https://www.soundtrap.com/legal/subcontractors) with a commitment to give 5 business days' notice before adding a new subcontractor with data access, but the actual current subprocessor names could not be extracted (page renders as a JavaScript app; content not accessible via automated fetch).

    soundtrap.com

    Data minimization for children (EDU)

    "Only allows for the first name and last name to be stored in the profile. No profile picture, tags, location or description will be stored" and users are placed in a 'Walled Garden' invite-only environment not visible or contactable outside the school's EDU account.

    support.soundtrap.com

    Data retention (EDU)

    "We do not collect or retain student personal information for longer than is necessary to provide the Service" and schools may request review/deletion of student data.

    static.soundtrap.com

    No sale of personal/student data

    "We do not sell student personal information" (with a narrow carve-out for corporate transactions such as merger/acquisition, with notice and opt-out).

    static.soundtrap.com

    Encryption in transit / at rest

    Not disclosed with specifics on any accessible vendor page (no stated TLS version, at-rest encryption algorithm, or key management detail).

    soundtrap.com

    // Products & data scope

    Soundtrap for Music MakersConsumer/creator online DAW (digital audio workstation)

    data: Account data, user-created audio/project content, collaboration/chat data, usage data.

    Tiered subscription plans (e.g. Sound Starter, Music Production, Production & Vocals per the vendor's own marketing copy). General consumer privacy policy applies, not the EDU-specific compliance program.

    Soundtrap for PodcastersPodcast recording/editing tool

    data: Same general account and content data as Music Makers; no education- or health-specific data handling.

    Covered by the same general (non-EDU) privacy policy and terms.

    Soundtrap for EducationK-12 classroom music/podcast platform

    data: Teacher and student account data, platform usage data; explicitly excludes sensitive data categories per the DPA ('Sensitive data: None').

    The only product line with a documented compliance program: FERPA, COPPA, SOPIPA/AB 1584, NY Ed Law 2-d, Student Privacy Pledge signatory, dedicated DPA with 2021 EU SCCs, and a 'Walled Garden' safety design. This is where nearly all of Soundtrap's public trust/compliance documentation is concentrated.

    // What to watch

    • No SOC 2, ISO 27001, ISO 42001, HIPAA, PCI DSS, CSA STAR, or FedRAMP evidence found anywhere on Soundtrap's own domain; if AIFOXX marketing copy or third-party aggregators imply otherwise, that would be an over-claim to correct.
    • Host/parent-vs-vendor ambiguity: third-party sources claim Spotify (the parent company) holds SOC 2/ISO 27001/FedRAMP, but the only vendor-domain SOC 2 reference found is scoped to a different Spotify product ('Spotify Portal for Backstage'), not Soundtrap. Do not credit Soundtrap with Spotify's or Backstage's certifications without direct proof naming Soundtrap.
    • The Trust Center PDF is dated 'Last Updated: September 2020' despite being served from a 2026-copyrighted site; content (FERPA/COPPA/SOPIPA/NY Ed Law framing) may be stale and should be reconfirmed with the vendor before relying on it for a current-year procurement decision.
    • Trust/compliance documentation is concentrated almost entirely in the Education product line; the consumer Music Makers/Podcasters privacy policy content could not be fully extracted (site renders via client-side JavaScript, blocking automated text extraction), so consumer-tier data handling specifics (encryption, retention, hosting region) remain unverified.
    • AI-training posture on user-created audio content is not addressed anywhere found on the vendor's own domain; should be confirmed directly rather than assumed either way, especially as peer platforms (e.g. SoundCloud) have recently added explicit AI-training clauses.

    // At a glance

    Pricing model

    Freemium consumer subscriptions (Music Makers/Podcasters) plus separate institutional licensing for Soundtrap for Education (school/district agreements).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Soundtrap US Inc / Spotify AB (Soundtrap is a Spotify-owned service)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    soundtrap.com

    > Browse all vendor trust reports