// Trust & Security Report
WellSaid Labs, Inc.
AI voice generation / text-to-speech platform: WellSaid Studio (web app for script-to-voiceover production, team workspaces), Developer API (real-time TTS integration for apps, LMS, IVR), and Adobe Express/Premiere Pro integrations. Sold on Online (self-serve/consumer) and Business & Enterprise (contracted) terms.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.wellsaidlabs.com“As part of our continuing commitment to trust and security, we are proud to maintain SOC2 Type I and SOC2 Type II certifications.' Trust center compliance list also shows 'SOC 2 Type I - 2022' and 'SOC 2 Type I Attestation' as available reports.”
Verify on wellsaid.io“We are SOC2 Type II certified and maintain compliance with the General Data Protection Regulation (GDPR) and the requirements of the EU AI Act.' Trust center resources list 'SOC 2 Type II - 2025' and 'SOC2 Type II - 2024' reports.”
Verify on trust.wellsaidlabs.com“WellSaid Labs is committed to protecting customer rights to privacy and prioritizes upholding the compliance standards for personal data under General Data Protection Regulation (GDPR).”
> Show 6 unconfirmed / not-held certifications
source: wellsaid.ioNo vendor-domain page claims a WellSaid-held ISO 27001 certificate. The only ISO reference found is 'All our infrastructure is deployed on FINRA, HIPAA and ISO-compliant services' (www.wellsaid.io/security), which describes the underlying cloud host's compliance posture (WellSaid runs on Google Cloud Platform per its subprocessor list), not a certification WellSaid itself holds.
source: wellsaid.ioSame 'FINRA, HIPAA and ISO-compliant services' sentence describes hosting infrastructure, not a WellSaid-signed Business Associate Agreement or a HIPAA compliance program of its own. No BAA, no HIPAA page, and no mention of HIPAA in the trust center's Compliance section (which lists only SOC 2 Type I/II) or in the Privacy Policy/DPA.
source: trust.wellsaidlabs.comNo public evidence. Not mentioned on the trust center, security page, or privacy/DPA pages; the product does not process cardholder data directly (billing is not a core Studio/API function).
source: trust.wellsaidlabs.comNo public evidence. Not referenced anywhere on wellsaid.io or trust.wellsaidlabs.com.
source: trust.wellsaidlabs.comNo public evidence of ISO 42001 certification. The company instead publishes a 'CSR and Generative AI Statement' and references EU AI Act compliance, but no formal AI-governance certification is claimed.
source: trust.wellsaidlabs.comNo public evidence. Not mentioned on any vendor-domain page reviewed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (WellSaid's Privacy Policy states the Service is hosted in the US; primary cloud subprocessor is Google Cloud Platform, US region, per the trust center subprocessor list).
WellSaid explicitly states it does not train its (or any third party's) AI models on customer inputs/outputs: 'We do not use your inputs and outputs to train our models' / 'We do not use customer data to train our text-to-speech model, and we do not sell customer data or PII.' Voice actors used to build the base voice library are separately licensed and consented, distinct from customer-uploaded script/content data.
// Security controls
Monitoring
24/7/365 monitoring and continuous vulnerability scanning of hosting infrastructure
wellsaid.ioContent moderation
Dual-layer content moderation (uses subprocessor Hive.ai) for output safety
wellsaid.ioSubprocessors
Google Cloud Platform (cloud storage / audio generation, US), Verisoul (user verification, US), Mixpanel (analytics, US), Hive.ai (content moderation, US)
trust.wellsaidlabs.com// Products & data scope
data: Customer scripts/text input, generated audio, project/workspace collaboration data
Core self-serve and team product; covered by the Online WSA for individual/self-serve customers and the Business & Enterprise WSA for contracted customers.
data: Text payloads sent for synthesis, returned audio; integrated into third-party apps, LMS platforms, IVRs
Same underlying data-handling and no-training commitments as Studio per the Privacy Policy/DPA, which apply platform-wide.
data: Script and audio pass-through between Adobe tools and WellSaid
No integration-specific security disclosures found beyond the general platform security page.
// What to watch
- Potential over-claim / host-vs-vendor ambiguity: the security page states infrastructure is 'deployed on FINRA, HIPAA and ISO-compliant services,' which a reader could mistake for WellSaid itself holding HIPAA or ISO 27001 certification. The trust center's own Compliance section lists only SOC 2 Type I/II, confirming this is a hosting-provider characteristic, not a WellSaid-held cert. Recommend the listing explicitly caveat this.
- Two independent vendor-domain sources agree on SOC 2 Type I/II, so confidence in that specific cert is solid even though live re-fetch of the trust center was not possible this session.
- No ISO 27001, HIPAA BAA, PCI DSS, FedRAMP, ISO 42001, or CSA STAR held by WellSaid itself; treat any customer-facing claim beyond SOC 2 + GDPR with caution.
// At a glance
Pricing model
Tiered SaaS: self-serve/online plans (individual, small team) plus negotiated Business & Enterprise agreements; also a metered Developer API.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on WellSaid Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.wellsaidlabs.com