// Trust & Security Report
Speechify Inc.
Consumer/prosumer voice AI: Text-to-Speech reader (web, iOS, Android, Mac, Windows, Chrome/Edge extensions), Voice Typing dictation, AI Voice Assistant, AI Podcasts, and Speechify Studio (voice cloning, dubbing, voiceover, community voices). Separate B2B/API line 'SpeechifyAI' (speechify.ai / docs.speechify.ai) offers TTS, voice agent, and streaming APIs plus a 'Speechify for Enterprise & EDU' tier; same corporate entity (GitHub org SpeechifyInc), but a distinct product surface with its own trust page.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on speechify.com“Speechify is proud to say that it is SOC2 compliant and undergoes regular audits to ensure compliance.”
Verify on speechify.com“You have the right to: Request a Personal Data report... Have your Personal Data corrected or deleted... Object to us processing your Personal Data.”
> Show 6 unconfirmed / not-held certifications
source: speechify.comNo public evidence on Speechify's own domain (speechify.com, speechify.ai, docs.speechify.ai). Third-party vendor-risk aggregator summaries mention ISO 27001, but this could not be corroborated with any vendor-domain page, badge, or blog post after targeted searches (site:speechify.com ISO 27001 returns unrelated results).
source: speechify.comNo public evidence of HIPAA certification or a Business Associate Agreement (BAA) offering. Marketing blog content uses the informal phrase 'HIPAA-safe' for the Voice Typing dictation feature aimed at doctors, but this is not a compliance claim and no BAA or HIPAA program is documented anywhere on the vendor's own domain.
source: speechify.comNo public evidence on the vendor's own domain. Payment processing is presumably outsourced to a third-party processor; no PCI claim made by Speechify itself.
source: speechify.comNo public evidence on the vendor's own domain. Not a plausible fit for a consumer/prosumer product with no government cloud offering advertised.
source: speechify.aiNo public evidence of an AI governance certification on any vendor-domain page found.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (per Privacy Policy: 'Information submitted to Speechify will be transferred to, processed, and stored in the United States.')
Contradiction found between product lines. The SpeechifyAI/API trust page states plainly: 'We never train models on your data' (speechify.ai/trust), and directs enterprise buyers to contact sales for a DPA or security review. However, the main consumer Privacy Policy (speechify.com/privacy/) says Speechify staff may view User Content 'to improve our algorithms as described in the User Content section of our Terms of Service,' and the consumer Terms of Service (speechify.com/terms/, Section 7 USER MATERIAL) grant Speechify an 'irrevocable, perpetual, non-exclusive, royalty free, worldwide license to use, copy, perform, display, edit, distribute and otherwise exploit' user-submitted content, including creating derivative works, and to analyze content for R&D such as 'recognizing patterns in data for improving the quality of the Service.' This is a legacy-ToS-language vs current-AI-trust-page contradiction: the no-training claim is scoped to the API/enterprise product, while the consumer app's own terms reserve broad rights to use uploaded content to improve its models/service. Net: trains_on_customer_data is graded null (unresolved / tier-dependent) rather than a single true/false.
// Security controls
Encryption
Vendor blog references encryption as part of its audited data-security controls ('data centers, access controls, environmental controls, regular audits, encryption') but does not publish specifics (algorithm, in-transit vs at-rest detail, key management).
speechify.comSOC 2 audit report availability
Not self-serve/public. 'Enterprise clients can request a copy of the Speechify SOC2 report.'
speechify.comAI Voice API training exclusion
'We never train models on your data' (stated for the SpeechifyAI/API product specifically).
speechify.aiChildren's data
'Speechify does not knowingly collect personal information from children under the age of 13' outside of a licensed Speechify for Education account.
speechify.comData retention (Studio product)
'No purpose in this Privacy Policy will require us keeping your personal information for longer than twelve (12) months past the termination of the user's account' (Studio/voice-cloning privacy policy; not stated for the main consumer app).
speechify.com// Products & data scope
data: Uploaded documents/PDFs, dictated voice audio, usage/device telemetry; broad perpetual license granted to Speechify per ToS Section 7.
No cert beyond a 2023 SOC2 blog claim; consumer ToS reserves rights to analyze content for R&D/algorithm improvement.
data: Uploaded voice samples (treated as non-sensitive per policy), generated audio, 12-month post-termination retention cap.
Own privacy policy references GDPR/UK-GDPR/CCPA; no explicit AI-training statement for voice samples, called out as a notable omission.
data: Customer-submitted text/voice via API; dedicated infrastructure and 'enterprise-grade security' advertised for scale customers.
Explicit no-training-on-your-data claim and DPA/security-review-on-request offer; still no published cert list, no downloadable SOC2/ISO artifacts on this page.
// What to watch
- No public trust center for the primary consumer product (speechify.com/trust returns 404); the only trust-style page found (speechify.ai/trust) belongs to the separate API/enterprise product line and lists no certifications, only an AI-training statement.
- SOC 2 claim rests solely on a single 2023 marketing blog post with no report artifact, auditor name, Type 1/Type 2 designation, or renewal date published; treat as self-attested until an enterprise buyer independently verifies via the report.
- Third-party vendor-risk/aggregator sources (not the vendor's own domain) list Speechify as PCI, HIPAA, GDPR, ISO 27001, FedRAMP, and CSA STAR compliant; none of these could be corroborated on speechify.com, speechify.ai, or docs.speechify.ai. Do not surface these on the listing as vendor-confirmed; likely an over-claim/aggregator error.
- Legacy-ToS vs current-AI-page contradiction: the API trust page says user data is never used to train models, while the consumer Terms of Service (Section 7, User Material) grant a broad perpetual/irrevocable license and reference using content to improve algorithms/service quality. AIFOXX should not claim a blanket 'does not train on your data' for the consumer product.
- 'HIPAA-safe' language appears in Speechify's own blog marketing for its Voice Typing/medical-dictation use case without any accompanying BAA or HIPAA compliance program disclosure; risk of user over-trust for regulated healthcare use.
// At a glance
Pricing model
Freemium consumer subscription (Speechify Premium) plus a separate Enterprise/EDU tier and a usage-based/API pricing tier for SpeechifyAI developer products.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Speechify Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
speechify.ai