// Trust & Security Report

    James Betker (individual open-source maintainer; no registered company identified) logo

    James Betker (individual open-source maintainer; no registered company identified)

    Tortoise TTS — an open-source, self-hosted multi-voice text-to-speech model (Apache 2.0 license) distributed as a GitHub repo / pip package (`tortoise-tts`). No commercial entity, hosted SaaS product, or paid tier exists under this name; a community-run demo is hosted on Hugging Face Spaces (a third party, not the author).

    Certifications held

    0

    Maturity

    Unknown

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    no public evidence; this is a personal open-source software repository with no corporate entity, hosted service, or trust center

    source: github.com
    ISO 27001
    NOT CONFIRMED

    no public evidence; no company or hosted infrastructure exists to certify

    source: github.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    no public evidence

    source: github.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    no public evidence

    source: github.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    no public evidence

    source: github.com
    GDPR (formal posture/DPA)
    NOT CONFIRMED

    no privacy policy or GDPR statement published by the project; the README states the model 'runs entirely locally' with no vendor backend, so there is no vendor-side personal-data processing to attest to

    source: github.com
    HIPAA
    NOT CONFIRMED

    no public evidence; no BAA or hosted service exists

    source: github.com
    PCI DSS
    NOT CONFIRMED

    not applicable; project has no payment processing or commercial offering

    source: github.com
    FedRAMP
    NOT CONFIRMED

    no public evidence

    source: github.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    n/a — no vendor-hosted service; all inference runs on infrastructure the user controls

    Tortoise TTS is inference-only, self-hosted software: users run the model on their own NVIDIA GPU hardware (or a self-managed Docker container). The repo's README describes local installation via conda/pip/Docker with no network call-back to the author or any vendor service, so no user audio or text is transmitted to or trained on by the maintainer. The only network-facing surface is a third-party Hugging Face Spaces community demo (https://huggingface.co/spaces/Manmay/tortoise-tts), which is operated by Hugging Face / a community contributor, not by the Tortoise TTS author, and is out of scope for this vendor's own data-handling posture. No formal privacy policy, terms of service, or DPA is published for the project itself; only GitHub's own site-wide privacy/terms apply to the repository hosting, and those belong to GitHub, not to this project.

    // Security controls

    Encryption in transit

    Not applicable to the core project (no vendor-hosted API); repository access itself is served over HTTPS by GitHub.

    github.com

    Hosting model

    Self-hosted only. Users install and run the model locally or in their own Docker/cloud environment; there is no vendor-operated backend or API endpoint.

    github.com

    License / code transparency

    Apache-2.0 licensed, fully open-source (14.9k GitHub stars, 47 contributors), so code and model behavior are independently auditable.

    github.com

    Vulnerability reporting

    GitHub 'Security' tab exists for the repo (standard GitHub Security Overview features) but no dedicated vendor security policy or disclosure page was found.

    github.com

    // Products & data scope

    Tortoise TTS (core library / CLI)Open-source text-to-speech model, self-hosted

    data: Runs entirely on the user's own hardware; no data leaves the user's environment by default.

    Distributed via GitHub and PyPI (`pip install tortoise-tts`). Apache-2.0 license. Author is James Betker (also known for DALL-E work at OpenAI); the README states the project was built independently on the author's own hardware and 'their employer was not involved in any facet of Tortoise's development.'

    Hugging Face Spaces community demoThird-party hosted demo (not vendor-operated)

    data: Text/voice inputs submitted to the public demo are processed on Hugging Face's infrastructure, governed by Hugging Face's own privacy policy, not by the Tortoise TTS author.

    Listed in the README as a convenience for users without a local GPU; explicitly a separate operator (Hugging Face / community maintainer 'Manmay'), so its data handling is out of scope for this vendor assessment.

    // What to watch

    • This is a personal open-source software project (single maintainer, James Betker), not a company or commercial SaaS vendor — no trust center, privacy policy, terms of service, or compliance certifications exist, and none should be fabricated or implied.
    • AIFOXX listing risk: if displayed alongside hosted SaaS AI tools with compliance badges, this entry could misleadingly imply vendor-side data handling; the listing should clearly mark it as 'open-source, self-hosted' with no applicable compliance certs rather than showing blank/absent badges that read as a gap.
    • A separate, unaffiliated Hugging Face Spaces demo exists for convenience; do not attribute its data handling or any Hugging Face compliance posture to the Tortoise TTS project itself (host-vs-vendor conflation risk).

    // At a glance

    Pricing model

    Free, open source (Apache 2.0); no paid tiers or commercial SaaS offering

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on James Betker (individual open-source maintainer; no registered company identified)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    github.com

    > Browse all vendor trust reports