// Trust & Security Report
Adobe Inc.
Adobe Firefly is Adobe's generative AI image and content creation platform, available as a standalone tool (firefly.adobe.com), within Creative Cloud, Adobe Express, and as an API. Firefly generates images, applies intelligent edits (Generative Fill, Expand, Match), and creates text effects powered by licensed datasets and public domain content.
Certifications held
11
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on adobe.com“SOC 2–Type 2 (Security, Availability, & Confidentiality)... Firefly is SOC 2 Type II certified, demonstrating that it has strict controls for security, availability, and confidentiality of customer data.”
Verify on adobe.com“Adobe products compliance list includes SOC 3 (Security, Availability, & Confidentiality)”
Verify on adobe.com“ISO 27001:2022 standards... Adobe Firefly meets ISO 27001:2022 standards.”
Verify on adobe.com“ISO 27017:2015 included in Adobe Firefly's compliance certifications”
Verify on adobe.com“ISO 27018:2019 included in Adobe Firefly's compliance certifications”
Verify on adobe.com“ISO 9001:2015 included in Adobe Firefly compliance certifications”
Verify on adobe.com“ISO 22301:2019 included in Adobe Firefly compliance certifications”
Verify on adobe.com“Creative Cloud for enterprise edition is built with compliance at its core and supports certifications such as...FedRAMP Tailored”
Verify on compound.law“Adobe Firefly can be GDPR compliant for companies with an enterprise DPA, SCCs for US data transfers, and proper controls over data entered into prompts. Enterprise content is excluded from Firefly model training under enterprise plans.”
Verify on adobe.com“Creative Cloud for enterprise supports certifications such as...GLBA ready”
> Show 3 unconfirmed / not-held certifications
source: adobe.comAdobe Firefly as a creative tool is not among the designated HIPAA-ready services. While Adobe offers HIPAA-ready services with BAA support, these are limited to specific products such as Adobe Acrobat Sign and selected Experience Cloud components deployed in health data-ready environments, not Firefly.
source: business.adobe.comAdobe references ISO 42001 in its responsible AI adoption framework and awareness materials, but no public evidence that Adobe Firefly has obtained ISO/IEC 42001 certification.
source: adobe.comAdobe maintains PCI DSS v4.0 compliance in its Common Controls Framework, but no specific evidence Firefly itself is directly PCI DSS certified (PCI is typically for payment processors).
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Firefly inference processes and stores reference/generated content in AWS US-East and US-West data centers. Creative Cloud for Enterprise more broadly uses regional data centers in North America, Europe, and Japan, with content stored in the region assigned at user provisioning.
Adobe Firefly does NOT train on customer Creative Cloud or Experience Cloud subscriber personal content or Firefly inputs/outputs. Firefly models are trained exclusively on licensed content (e.g., Adobe Stock) and public domain content where copyright has expired. However, customers' cloud-stored content (Adobe Cloud Documents, Behance, Adobe Stock) MAY be used to help improve Adobe services by default. Users can disable this setting and/or use Content Credentials 'Do Not Train' signal to explicitly prevent AI systems from using their work for future training or style imitation.
// Security controls
Encryption in Transit
HTTPS/TLS encryption for all data transmitted to and from Firefly services
adobe.comEncryption at Rest
AES 256-bit encryption for reference content and generated output stored in AWS S3 buckets; customer cloud-stored content encrypted according to region-specific key management
adobe.comData Retention
User-uploaded reference content for Firefly is stored in AES 256-bit encrypted AWS S3 and is deleted within 24 hours after initial creation (for inference purposes)
adobe.comAudits & Assessments
Annual SOC 2 audits, regular penetration testing, and third-party security assessments; customers can request SOC 2 reports
docs.firefly.aiContent Moderation
Adobe may access, view, and moderate user content through automated and manual methods for compliance, safety, and legal purposes
adobe.com// Products & data scope
data: Image prompts, reference images, generated outputs; cloud storage optional
Available at firefly.adobe.com; free and paid tiers. Generates images, applies intelligent edits (Fill, Expand, Match), and creates text effects.
data: Project files, reference content, generated content; all stored in Creative Cloud by default if logged in
Includes Firefly; available as web app and desktop/mobile apps; free and premium plans
data: All Creative Cloud apps including Firefly; enterprise data centers with regional storage
Includes Firefly with enterprise compliance controls (DPA, BAA options, HIPAA-ready availability for other products, audit logging)
data: API calls with image prompts, reference images, generated content; outputs stored per API configuration
Developer access to Firefly generative capabilities; supports Generative Fill, Expand, Match, and text effects; quota-based pricing
data: User-supplied training images; custom model outputs; training data and models remain private
Enables users to train custom Firefly models on their own artistic styles; training uploads not folded back into Adobe's broader Firefly models
// What to watch
- HIPAA-SCOPE MISMATCH: Firefly is a creative/generative AI tool, not designed for Protected Health Information (PHI) processing. It is NOT HIPAA-ready despite Adobe offering HIPAA-ready services for other products. Misrepresenting Firefly as HIPAA-compliant would be inaccurate.
- OPT-IN FOR DATA IMPROVEMENT: Cloud-stored content (not prompts/inputs) may be used to improve Adobe services by default. Users must explicitly disable this setting and/or use Content Credentials to prevent training. This is a compliance consideration for regulated data.
- HISTORICAL CONTROVERSY RESOLVED: In June 2024, Adobe faced backlash over ambiguous ToS language raising concerns about AI training on customer data. Adobe has since clarified and reiterated its commitment not to train Firefly on subscriber content. Current documentation is clear on this point.
- ISO 42001 NOT CERTIFIED: While Adobe references ISO 42001 in responsible AI frameworks, there is no public evidence Firefly holds ISO/IEC 42001 (AI Management Systems) certification. Adobe appears aware of the standard but not certified.
- DPA REQUIRES ENTERPRISE PLAN: GDPR and DPA coverage for Firefly is available only with enterprise Creative Cloud licensing. Free and individual plans do NOT include DPA coverage.
- HIPAA BAA NOT AVAILABLE FOR FIREFLY: While Adobe offers Business Associate Agreements for certain health-data-ready products, Firefly is excluded. Healthcare organizations cannot use Firefly for PHI processing.
// At a glance
Pricing model
Freemium (Firefly.adobe.com with monthly free generations); subscription-based for Creative Cloud (Single App, All Apps, Teams); API and Custom Models use token/credit consumption
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Adobe Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
adobe.com