// Trust & Security Report

    Distributed Creation Inc. (dba Splice) logo

    Distributed Creation Inc. (dba Splice)

    Royalty-free sample/loop library and creator tools: Splice Sounds (subscription sample catalog), Splice INSTRUMENT (free virtual instrument plugin), Rent-to-Own Plugins (e.g. Serum 2, Abbey Road Two), Splice Mobile, the in-DAW Sounds Plugin (beta), and new generative AI tools (Variations, Craft, Magic Fit). Recently acquired Spitfire Audio (2025), which continues to operate as a distinct brand/product not covered by this assessment.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR compliance posture (self-attested, not a certification)
    HELD

    "Splice is the controller of your personal information for purposes of European Data Protection Laws." UK representative: Distributed Creation UK, Ltd.; EU representative: The DPO Centre Europe Ltd, reachable at gdpr@splice.com.

    Verify on splice.com
    > Show 5 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence: no SOC 2 report, badge, or mention found on splice.com (home page, Privacy Policy, or Terms of Use); no dedicated trust/security page exists on the domain.

    source: splice.com
    ISO 27001
    NOT CONFIRMED

    No public evidence: no ISO 27001 certificate or mention found on splice.com.

    source: splice.com
    HIPAA
    NOT CONFIRMED

    No public evidence and not applicable: Splice is a consumer/creator sample and plugin marketplace, not a healthcare data processor; no HIPAA language on the vendor domain.

    source: splice.com
    PCI DSS
    NOT CONFIRMED

    No public evidence: payment processing details are not disclosed on the vendor's own privacy/terms pages; likely handled by a third-party payment processor but no PCI attestation is published by Splice itself.

    source: splice.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence: Splice publishes 'Responsible AI Principles' as a policy statement, not a certified AI-governance standard (no ISO 42001 or CSA STAR AI mention found).

    source: splice.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Not explicitly disclosed. Privacy Policy states personal information "may be transferred from time to time to our offices or personnel, or to third parties, located throughout the world," including "the United States or other countries that do not ensure adequate protection" of personal data.

    Splice's Terms of Use explicitly state: "Neither User Audio nor Mic Capture will (a) be used by Splice as training data for machine learning models or (b) be accessible to any other User." Users are also barred from using downloaded Sounds or Instrument Presets "as source or training material for generative or other types of artificial intelligence models." Separately, Splice's own 2026 generative AI features (Variations, Craft, Magic Fit) use catalog sounds as source material for AI-generated variations and compensate the original sound's creator each time it is used as a source or an AI variation is downloaded (per Splice blog/press coverage, not the ToS itself). No public evidence of a per-track creator opt-out mechanism for inclusion in this AI-variation catalog was found on the vendor domain.

    // Security controls

    Encryption in transit / at rest

    General statement only, no technical detail: "We take a number of organizational, technical and physical measures designed to protect the personal information we collect, both during transmission and once we receive it." No named encryption standard, and the policy adds: "no security safeguards are 100% secure and we cannot guarantee the security of your information."

    splice.com

    Data retention

    "We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for..." but notes Splice "may retain indefinitely certain information associated with content you upload to the Service, such as the title and authorship of your projects." User Audio/Mic Capture is deleted "within thirty (30) days" of account cancellation.

    splice.com

    Dedicated trust/security page

    None found.

    splice.com

    // Products & data scope

    Splice SoundsSample library / subscription

    data: User account, payment/billing info, user-uploaded audio (Stacks)

    Core credits-based subscription (e.g. $4.99/mo for 200 credits) for royalty-free samples.

    Splice INSTRUMENTVirtual instrument plugin

    data: Plugin usage/download activity

    Free VST/AU plugin with monthly free preset drops.

    Rent-to-Own PluginsPlugin financing/marketplace

    data: Recurring billing/payment data

    Installment-plan purchases of third-party plugins (e.g. Serum 2, Abbey Road Two: Iconic Strings Pro).

    Splice MobileMobile app

    data: Mic Capture audio recordings, device data

    Mic Capture is explicitly excluded from AI/ML training use per Terms of Use.

    Sounds Plugin (beta)In-DAW plugin

    data: In-DAW search/download activity

    Beta in-DAW sample browser integrated with Ableton Live 12.3+.

    AI tools (Variations, Craft, Magic Fit)Generative AI music tools

    data: Catalog sound sources, user prompts/selections

    Launched 2026; generates AI variations of catalog sounds and pays the original creator when their sound is used as a source or an AI variation is downloaded.

    Spitfire AudioVirtual instrument libraries (affiliated brand)

    data: Not assessed

    Acquired by Distributed Creation Inc. (Splice) in 2025; continues to operate under its own name, brand, and terms. Not covered by this assessment's evidence.

    // What to watch

    • No SOC2, ISO 27001, HIPAA, or PCI DSS certification evidence found anywhere on splice.com; absence is not unusual for a consumer/creator sample-and-plugin marketplace, but should be re-verified if this vendor is ever pitched for enterprise/B2B use.
    • No dedicated trust center or security page exists on the vendor domain, limiting how confidently technical security controls can be graded beyond the general Privacy Policy language.
    • Splice recently acquired Spitfire Audio (2025); Spitfire operates under its own brand/terms and was NOT evaluated here - do not apply this assessment's findings to Spitfire Audio.
    • Splice's own 2026 AI variation features (Variations, Craft, Magic Fit) use catalog sounds as generation sources with creator compensation; no vendor-domain evidence of an explicit creator opt-out from this AI-source use was found, which is worth flagging as an open question rather than a confirmed gap.
    • No search-independent third-party confirmation (e.g. a compliance database or auditor listing) was available to cross-check the absence of SOC2/ISO27001; this assessment relies on vendor-domain silence plus targeted web search, not a definitive vendor denial.

    // At a glance

    Pricing model

    Freemium + tiered credits-based subscription (from ~$4.99/mo) plus one-time and rent-to-own installment purchases for plugins

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Distributed Creation Inc. (dba Splice)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    splice.com

    > Browse all vendor trust reports