SoundSprout
Trust & security

Your data belongs to you.

SOC 2 Type II achieved. GDPR-compliant. AES-256 at rest, TLS 1.3 in transit, EU-only storage. And an audit log that tracks everything. Including us.

Compliance & encryption

What we deliver

SOC 2 Type II

Achieved in March 2026 by an independent auditor. Report on request under NDA.

GDPR-compliant

All personal data stored within the EU. DPA and sub-processor list publicly available.

AES-256 at rest

Everything we store is encrypted on disk end-to-end. Per-tenant encryption keys.

TLS 1.3 in transit

All traffic to and from SoundSprout via TLS 1.3. Older protocols are blocked.

EU-only storage

Main data centre: AWS Frankfurt. Backups: AWS Dublin. No US transfer, ever.

Audit log for everything

Every action our team takes in your account is logged. Always visible in your settings.

Sub-processors

Who touches your data

Four parties, all within the EU. No US transfer. The full, up-to-date list is at trust.soundsprout.nl/subprocessors.

| Party | Purpose | Location | DPA |
| --- | --- | --- | --- |
| AWS | Hosting infrastructure | Frankfurt (EU) | ✓ Online available |
| Stripe | Payment processing | Dublin (EU) | ✓ Online available |
| Postmark | Transactional email | Frankfurt (EU) | ✓ On request |
| Sentry | Error monitoring | Frankfurt (EU) | ✓ On request |

Security FAQ

Frequently asked questions

Who has access to my data inside SoundSprout?

Only support engineers with an active support ticket from your side. Access expires within 24 hours of the ticket closing. All access is logged and visible in your audit log.

Can I export or delete my data?

Always. Full export as JSON/CSV in one click. Deletion requests are fully completed within 30 days, including backups.

Which sub-processors do you use?

See the table above. Full up-to-date list including DPA status: trust.soundsprout.nl/subprocessors.

Do you have a vulnerability disclosure programme?

Yes. Reachable at security@soundsprout.nl. Reward from €100 for verified findings. Reply within 24 hours.

What happens to my data if I cancel my account?

Your account is deactivated immediately. Data stays exportable for 90 days (in case you come back). After that, everything is permanently deleted, including from all backups (within a maximum of 30 days).

Want the full report?

Trust report and DPA on request.

SOC 2 Type II audit report (full) under NDA, plus a standard DPA template. Email legal@soundsprout.nl and you'll get both within one business day.

✦ NDA standard · DPA per GDPR art. 28 · Reply within 24 hours

Plan a no-obligation intro call

No sales pitch. We'll call you back, see whether it's a fit, and give honest advice. Median response time: 4 hours.