The boring parts, done right.
Suno is built from the ground up to handle HIPAA-regulated data (PHI), with a defense-in-depth security posture your IT team can sign off on without a long list of follow-up questions. Below: how it works, what we audit, and where to find the documentation.
Audited, attested, and accountable.
HIPAA Compliant
Full HIPAA / HITECH compliance. Business Associate Agreement (BAA) executed at contract signing.
SOC 2 Type II AUDIT IN PROGRESS
Independent audit currently underway. Report available under NDA upon completion.
GDPR
Data Processing Agreement available for EU customers and partners.
PCI DSS
SAQ A eligible: card data is collected and tokenized by Stripe, so cardholder data never touches Suno's systems.
Six things we won't cut corners on.
Encrypted at rest and in transit.
All PHI is encrypted at rest with AES-256 and in transit with TLS 1.3. The most sensitive fields are additionally encrypted at the database field level. Keys are held in AWS KMS, which manages rotation. Backups are encrypted separately from primary storage.
- AES-256 encryption at rest
- TLS 1.3 in transit, HSTS enforced
- Field-level encryption for SSNs and payment data (card numbers themselves stay with Stripe; see PCI DSS above)
- AWS KMS with annual key rotation
- Encrypted backups, geo-redundant
Least privilege, by default.
Role-based access controls, granular permissions, and configurable session policies. SAML SSO and 2FA are required for all admin accounts. Every action that touches PHI is logged.
- Role-based access controls (RBAC)
- SAML SSO via Okta, Azure AD, Google Workspace
- 2FA enforced for admin roles
- Configurable session timeouts
- Per-record audit log, retained indefinitely
Multi-region, auto-failover.
Suno runs on AWS infrastructure in multiple US regions with automatic failover. 99.99% uptime SLA on Enterprise tier. Public status page with incident history. No single point of failure.
- Multi-region AWS deployment
- Automatic failover, RTO under 15 minutes
- 99.99% uptime SLA on Enterprise
- Public status page
- Quarterly DR drills
Secure by construction.
Every code change reviewed by a second engineer. Dependency scanning in CI. Annual third-party penetration tests. Bug bounty program for responsible disclosure.
- Review by a second engineer required on every merge
- Automated dependency scanning
- Annual third-party pentest
- Bug bounty program
- OWASP Top 10 mitigations baked in
Your data isn't training data.
PHI is never used to train models, ours or our vendors'. Inference runs through model providers that have signed BAAs with us (Anthropic, OpenAI, Deepgram) under zero-retention terms. US-based infrastructure only.
- BAA with Anthropic, OpenAI, and Deepgram
- Zero-retention API contracts
- No PHI in model training
- US-only data residency
- Per-tenant data isolation
Background checks. Mandatory training.
Every Suno employee passes a background check at hire and signs the HIPAA workforce agreement. Annual security training. Role-scoped production access reviewed quarterly.
- Background checks at hire
- Annual HIPAA & security training
- Quarterly access reviews
- Workforce confidentiality agreements
- Vendor risk reviews on every new third party
The stack at a glance.
AWS · us-east-1, us-west-2
Active-active across two US regions. RDS multi-AZ Postgres for OLTP, S3 with object lock for documents, Aurora replicas for analytics.
24/7 · real humans
Datadog for metrics and traces. PagerDuty for alerting. The on-call engineer acknowledges every page within 15 minutes.
Point-in-time · 35 days
Continuous WAL archiving with point-in-time recovery up to 35 days. Daily encrypted snapshots retained for 1 year. Cross-region replication.
For your security review.
Found something? Tell us.
If you've discovered a vulnerability, we want to hear about it. We run a private bug bounty program with cash rewards for valid reports. Email support@suno.tech with the details (what you found, where, and how to reproduce it). We acknowledge reports within 24 hours and triage within 72 hours.
Please don't test against production tenants; if you want to validate something deeper, ask and we'll provide a sandbox tenant.