ElevenLabs

Plain-English risk rating: 4 of 5 (Free/Starter/Creator) / 3 of 5 (Pro/Scale) / 2 of 5 (Enterprise with custom DPA)

ElevenLabs sits high on the consumer-AI risk axis for reasons different from any other vendor in this database. Voice is biometric data — legally classified as sensitive personal information under EU GDPR, California CPRA, and Illinois BIPA. Voice embeddings from AI voice models can reconstruct speaker identity with greater than 92% accuracy even when trained on anonymised datasets (Nature Communications, 2023). When you clone a voice in ElevenLabs, you are generating biometric material that has different legal protections than text or image data.

The second material risk: ElevenLabs' February 2025 Terms of Service update introduced a "perpetual, irrevocable, royalty-free, worldwide license" for voice recordings. Raw recordings are deleted after 3 years of inactivity, but ElevenLabs retains perpetual rights to use any models or derivatives created from those recordings. The third: ElevenLabs technology is the dominant infrastructure for AI voice scam attacks (CEO voice impersonation, vishing). Possessing an ElevenLabs API key in a stealable form is a substantial business risk.

Recommended for

  • Sole proprietor (content creation): Creator plan at $22/month is acceptable for narration, podcast intros, character voices for fiction. Do not upload voice recordings of identifiable third parties without explicit consent.
  • Small team (2-10 people): Pro at $99/month or Scale at $330/month with strict access controls on API keys. Document who has access and rotate keys quarterly.
  • Regulated industry: Enterprise tier only, with a custom Data Processing Addendum, biometric data handling provisions, and explicit no-training contract terms. Voice biometrics in healthcare or finance contexts require legal review under BIPA, GDPR Article 9, or sector-specific regulation.
  • The honest answer for most 1-10 employee businesses: ElevenLabs produces the highest-quality AI voice output available as of mid-2026, which is the reason most businesses choose it. If you need that quality, use Pro or higher with strict key management. Treat any voice recording you upload as biometric material with the legal weight of biometric material, and never clone the voice of a person who has not given explicit, documented consent.

Critical pre-deployment warning (API key management)

This is the most important sentence in this profile: An exposed ElevenLabs API key is the most actively-exploited credential class in the AI security landscape as of mid-2026.

ElevenLabs' technology drastically lowers the barrier for sophisticated vishing (voice phishing) and financial fraud. Attackers actively scan for exposed ElevenLabs API keys in GitHub repositories, accidentally-committed environment files, and breached SaaS systems because each key enables unlimited generation of voice deepfakes for CEO impersonation, supplier-account fraud, and family-emergency scams. ThreatNG and other external attack surface management vendors specifically flag exposed ElevenLabs keys as high-priority remediation.

Mitigations: store API keys in a dedicated secrets manager (1Password, AWS Secrets Manager, HashiCorp Vault), never commit to source control, rotate quarterly, monitor usage logs for unusual activity, and treat any unexpected character billing as potential compromise.
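The "never commit to source control" mitigation can be enforced mechanically. The following is an added example, not code from ElevenLabs or from this profile: a small check that flags literal key values sitting next to the `xi-api-key` request header or an `ELEVENLABS_API_KEY` variable (the variable name is an assumed convention, and the sample values are constructed, not real keys).

```python
import re
import sys

# Names that usually sit next to an ElevenLabs credential. `xi-api-key` is the
# API's auth header; the variable name is an assumed project convention.
NAME = r"(?:xi-api-key|eleven(?:labs)?_api_key)"
# name, optional closing quote, ':' or '=', optional opening quote, then a
# literal of 20+ key-like characters. References such as os.environ[...],
# ${VAR} or op://... hit another character first and do not match.
HARDCODED = re.compile(
    NAME + r"""["']?\s*[:=]\s*["']?([A-Za-z0-9_-]{20,})""", re.IGNORECASE
)


def scan_text(path, text):
    """Return (path, line_no, redacted_value) for each hard-coded key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HARDCODED.finditer(line):
            # Never echo the secret itself into terminal or CI logs.
            findings.append((path, line_no, match.group(1)[:4] + "..."))
    return findings


def scan_files(paths):
    """Scan each readable file; skip paths that were deleted or are unreadable."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as handle:
                findings.extend(scan_text(path, handle.read()))
        except OSError:
            continue
    return findings


# Constructed sample input: the values below are fake, not real keys.
SAMPLE = '''\
ELEVENLABS_API_KEY=CONSTRUCTED_NOT_A_REAL_KEY_0000
headers = {"xi-api-key": "CONSTRUCTED-NOT-A-REAL-KEY-1111"}
api_key = os.environ["ELEVENLABS_API_KEY"]
ELEVENLABS_API_KEY=${ELEVENLABS_API_KEY}
'''

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text("<sample>", SAMPLE)
    for path, line_no, redacted in hits:
        print(f"{path}:{line_no}: hard-coded ElevenLabs key ({redacted})")
    sys.exit(1 if hits else 0)
```

Run as a pre-commit hook, it receives the staged file names as arguments, and the non-zero exit blocks the commit.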

Data retention default

  • Free, Starter, Creator: Voice recordings retained while account is active. Generated outputs retained per standard retention policy.
  • Pro, Scale: Same defaults; configurable retention windows for some data classes
  • Enterprise: Custom retention available with appropriate contracting; 30-day post-deletion backup retention per the Trust Center
  • Voice clones (cloned voice models): Once trained, the model derived from your recordings is retained under the perpetual license clause introduced in February 2025
  • Raw recordings: Deleted after 3 years of inactivity per the February 2025 ToS update; the derived models persist

Training opt-out

ElevenLabs' training defaults vary by plan tier and have changed multiple times during 2024-2026. As of mid-2026:

  • Free, Starter, Creator: Training on user-provided voice data and prompts is generally opt-in for model improvement, but the perpetual license to derivatives applies regardless
  • Pro, Scale, Enterprise: Stronger contractual protections; verify per-tier and per-contract
  • The structural issue: Even with training opt-out, the February 2025 perpetual license clause means models or derivatives created from your voice recordings remain ElevenLabs' to use. Account deletion or data removal requests do not retroactively remove these derivatives.

The distinction between "training data" (used to improve ElevenLabs' foundation models) and "derivatives" (the voice clones themselves) matters. The former may have opt-out; the latter is covered by the perpetual license.

Zero Data Retention availability

  • Not offered in the OpenAI/Anthropic API ZDR sense
  • Enterprise customers can negotiate custom data handling terms including faster deletion timelines
  • The character-based billing model logs per-request metadata that increases compliance surface area at scale, per Deepgram analysis (March 2026)

Plan tiers and pricing (as of early 2026)

| Tier | Price (USD) | Voice cloning | Suitable for |
|---|---|---|---|
| Free | $0 | Limited; no commercial use | Personal experimentation only |
| Starter | $5/month | Yes (limited) | Personal projects |
| Creator | $22/month | Yes; commercial use permitted | Individual content creators |
| Pro | $99/month | Yes; higher quotas | Small businesses with regular voice content needs |
| Scale | $330/month | Yes; team controls | Mid-size businesses, multi-seat |
| Business / Enterprise | Custom | Yes; custom DPA | Larger organisations needing custom contracts |

Free plans are explicitly restricted to non-commercial purposes per the February 2025 ToS update. Downgrading from a paid plan to a lower tier may cause loss of commercial usage rights for voices created on the higher tier.

Jurisdiction

  • Primary processor: ElevenLabs Inc. (US-headquartered with UK and EU subsidiaries)
  • Cloud infrastructure: Multi-cloud (specifics not fully disclosed in primary documentation)
  • Data processing locations vary by plan and configuration; EU customers can request EU-resident processing
  • Subject to GDPR Article 9 (biometric data) for EU customers, BIPA (Illinois) for Illinois-resident customers, CCPA/CPRA for California-resident customers
  • Subprocessors disclosed in the Data Processing Addendum (April 2026 update)

Breach history (public incidents and structural exposure)

No major direct breach of ElevenLabs infrastructure has been publicly disclosed as of May 2026. This is meaningful, though the platform's most-discussed risk profile is not direct breach but downstream misuse of its technology.

Ongoing 2024-2026 — ElevenLabs voice clones as the dominant deepfake voice infrastructure

ElevenLabs' voice synthesis quality has made it the technology of choice for voice deepfake attacks. Documented attack patterns include:

  • Executive impersonation (CEO Fraud): Clone a CEO's voice from publicly available recordings (podcast interviews, earnings calls, conference talks) and use the clone to call an accountant authorising an urgent wire transfer
  • Family emergency scams: Clone a parent's or child's voice and use it to call relatives requesting bail money or emergency assistance
  • Supplier impersonation: Clone a supplier's account manager voice and use it to update banking details for invoice payment

The FBI and equivalent agencies in the UK, Australia, and New Zealand have issued multiple advisories about AI voice scams during 2024-2026. ElevenLabs has implemented detection tools and policy enforcement (the AI Speech Classifier, the No-Go Voices restriction for prominent public figures), but the underlying capability remains broadly accessible.

Source: FBI IC3 advisories; ThreatNG security analysis (October 2025); ongoing media coverage

February 2025 — Terms of Service revision triggering customer migration

The February 28, 2025 ToS update introduced (1) the perpetual derivative-license clause, (2) free-plan commercial restrictions, and (3) downgrade-loses-commercial-rights provisions. Multiple ElevenLabs partner and reseller businesses publicly ended their integrations as a result — Kukarella's March 2025 announcement is one publicly-documented example. The ToS change is not a breach in the security sense but represents a unilateral expansion of rights to customer-generated content that materially changed the privacy/IP posture.

Source: Kukarella partnership termination announcement (March 2025); independent terms analysis

Pattern observation: ElevenLabs API keys are routinely found in exposed GitHub repositories, leaked credential databases, and breached SaaS systems. The combination of (a) high attacker value per key (each enables unlimited fraud-quality voice generation) and (b) frequent accidental exposure makes this one of the highest-priority credential classes to manage rigorously.

What this means in plain English for SMB owners

Three honest takeaways:

  1. Voice is biometric data with different legal protections than text or image data. If you are using ElevenLabs to clone voices for any business purpose, document the consent of the person whose voice you are cloning. For EU customers this is Article 9 GDPR territory; for Illinois customers it is BIPA territory. The legal exposure if you get this wrong is materially larger than if you misuse a text-based AI.
  2. Your ElevenLabs API key is the most actively-targeted AI credential class right now. Treat it the way you would treat a banking API key. Secrets manager, no source-control commits, quarterly rotation, usage monitoring. An exposed key enables unlimited generation of voice deepfakes that can defraud your accountants, your suppliers, and your family.
  3. The perpetual derivative license is the structurally important fact about ElevenLabs. Even after you delete your account, ElevenLabs retains rights to use the models trained from your voice recordings indefinitely. This may be acceptable for character voices in fiction. It may not be acceptable for your personal voice, your employees' voices, or any voice you have licensed from a third party. Treat the perpetual license as a hard fact when deciding what to upload.

Sources

  • ElevenLabs Privacy Policy: https://elevenlabs.io/privacy-policy (verified 2026-05-24)
  • ElevenLabs Data Processing Addendum: https://elevenlabs.io/dpa (April 2026 version verified 2026-05-24)
  • ElevenLabs Trust Center (security documentation portal)
  • Deepgram: How ElevenLabs Uses Your Audio Data compliance guide (March 2026)
  • Kukarella: Important Changes to Our Voice Cloning Technology partnership termination (March 2025)
  • ThreatNG Security: ElevenLabs glossary entry on external attack surface (October 2025)
  • Alibaba product insights: Custom Voice Models Privacy Tradeoff analysis (February 2026)
  • Nature Communications: Voice embedding speaker identity reconstruction study (2023)
  • FBI IC3 voice deepfake fraud advisories (multiple, 2024-2026)
