// Trust & Security Report

    WellSaid Labs, Inc. logo

    WellSaid Labs, Inc.

    AI voice generation / text-to-speech platform: WellSaid Studio (web app for script-to-voiceover production, team workspaces), Developer API (real-time TTS integration for apps, LMS, IVR), and Adobe Express/Premiere Pro integrations. Sold on Online (self-serve/consumer) and Business & Enterprise (contracted) terms.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    As part of our continuing commitment to trust and security, we are proud to maintain SOC2 Type I and SOC2 Type II certifications.' Trust center compliance list also shows 'SOC 2 Type I - 2022' and 'SOC 2 Type I Attestation' as available reports.

    Verify on trust.wellsaidlabs.com
    SOC 2 Type II
    HELD

    We are SOC2 Type II certified and maintain compliance with the General Data Protection Regulation (GDPR) and the requirements of the EU AI Act.' Trust center resources list 'SOC 2 Type II - 2025' and 'SOC2 Type II - 2024' reports.

    Verify on wellsaid.io
    GDPR (posture)
    HELD

    WellSaid Labs is committed to protecting customer rights to privacy and prioritizes upholding the compliance standards for personal data under General Data Protection Regulation (GDPR).

    Verify on trust.wellsaidlabs.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No vendor-domain page claims a WellSaid-held ISO 27001 certificate. The only ISO reference found is 'All our infrastructure is deployed on FINRA, HIPAA and ISO-compliant services' (www.wellsaid.io/security), which describes the underlying cloud host's compliance posture (WellSaid runs on Google Cloud Platform per its subprocessor list), not a certification WellSaid itself holds.

    source: wellsaid.io
    HIPAA
    NOT CONFIRMED

    Same 'FINRA, HIPAA and ISO-compliant services' sentence describes hosting infrastructure, not a WellSaid-signed Business Associate Agreement or a HIPAA compliance program of its own. No BAA, no HIPAA page, and no mention of HIPAA in the trust center's Compliance section (which lists only SOC 2 Type I/II) or in the Privacy Policy/DPA.

    source: wellsaid.io
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not mentioned on the trust center, security page, or privacy/DPA pages; the product does not process cardholder data directly (billing is not a core Studio/API function).

    source: trust.wellsaidlabs.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on wellsaid.io or trust.wellsaidlabs.com.

    source: trust.wellsaidlabs.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification. The company instead publishes a 'CSR and Generative AI Statement' and references EU AI Act compliance, but no formal AI-governance certification is claimed.

    source: trust.wellsaidlabs.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not mentioned on any vendor-domain page reviewed.

    source: trust.wellsaidlabs.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (WellSaid's Privacy Policy states the Service is hosted in the US; primary cloud subprocessor is Google Cloud Platform, US region, per the trust center subprocessor list).

    WellSaid explicitly states it does not train its (or any third party's) AI models on customer inputs/outputs: 'We do not use your inputs and outputs to train our models' / 'We do not use customer data to train our text-to-speech model, and we do not sell customer data or PII.' Voice actors used to build the base voice library are separately licensed and consented, distinct from customer-uploaded script/content data.

    // Security controls

    Encryption in transit

    TLS 1.2

    wellsaid.io

    Encryption at rest

    AES 256-bit

    wellsaid.io

    Backup / recoverability

    Snapshots every 24 hours; point-in-time recovery implemented

    wellsaid.io

    Monitoring

    24/7/365 monitoring and continuous vulnerability scanning of hosting infrastructure

    wellsaid.io

    Content moderation

    Dual-layer content moderation (uses subprocessor Hive.ai) for output safety

    wellsaid.io

    Subprocessors

    Google Cloud Platform (cloud storage / audio generation, US), Verisoul (user verification, US), Mixpanel (analytics, US), Hive.ai (content moderation, US)

    trust.wellsaidlabs.com

    // Products & data scope

    WellSaid StudioWeb app - AI voiceover production

    data: Customer scripts/text input, generated audio, project/workspace collaboration data

    Core self-serve and team product; covered by the Online WSA for individual/self-serve customers and the Business & Enterprise WSA for contracted customers.

    Developer APIAPI - real-time text-to-speech

    data: Text payloads sent for synthesis, returned audio; integrated into third-party apps, LMS platforms, IVRs

    Same underlying data-handling and no-training commitments as Studio per the Privacy Policy/DPA, which apply platform-wide.

    Adobe Express / Premiere Pro integrationsPlugin / integration

    data: Script and audio pass-through between Adobe tools and WellSaid

    No integration-specific security disclosures found beyond the general platform security page.

    // What to watch

    • Potential over-claim / host-vs-vendor ambiguity: the security page states infrastructure is 'deployed on FINRA, HIPAA and ISO-compliant services,' which a reader could mistake for WellSaid itself holding HIPAA or ISO 27001 certification. The trust center's own Compliance section lists only SOC 2 Type I/II, confirming this is a hosting-provider characteristic, not a WellSaid-held cert. Recommend the listing explicitly caveat this.
    • Two independent vendor-domain sources agree on SOC 2 Type I/II, so confidence in that specific cert is solid even though live re-fetch of the trust center was not possible this session.
    • No ISO 27001, HIPAA BAA, PCI DSS, FedRAMP, ISO 42001, or CSA STAR held by WellSaid itself; treat any customer-facing claim beyond SOC 2 + GDPR with caution.

    // At a glance

    Pricing model

    Tiered SaaS: self-serve/online plans (individual, small team) plus negotiated Business & Enterprise agreements; also a metered Developer API.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on WellSaid Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.wellsaidlabs.com

    > Browse all vendor trust reports