// Trust & Security Report

    Adobe Inc. logo

    Adobe Inc.

    Adobe Firefly is Adobe's generative AI image and content creation platform, available as a standalone tool (firefly.adobe.com), within Creative Cloud, Adobe Express, and as an API. Firefly generates images, applies intelligent edits (Generative Fill, Expand, Match), and creates text effects powered by licensed datasets and public domain content.

    Certifications held

    11

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2–Type 2 (Security, Availability, & Confidentiality)... Firefly is SOC 2 Type II certified, demonstrating that it has strict controls for security, availability, and confidentiality of customer data.

    Verify on adobe.com
    SOC 3
    HELD

    Adobe products compliance list includes SOC 3 (Security, Availability, & Confidentiality)

    Verify on adobe.com
    ISO 27001:2022
    HELD

    ISO 27001:2022 standards... Adobe Firefly meets ISO 27001:2022 standards.

    Verify on adobe.com
    ISO 27017:2015
    HELD

    ISO 27017:2015 included in Adobe Firefly's compliance certifications

    Verify on adobe.com
    ISO 27018:2019
    HELD

    ISO 27018:2019 included in Adobe Firefly's compliance certifications

    Verify on adobe.com
    ISO 9001:2015
    HELD

    ISO 9001:2015 included in Adobe Firefly compliance certifications

    Verify on adobe.com
    ISO 22301:2019
    HELD

    ISO 22301:2019 included in Adobe Firefly compliance certifications

    Verify on adobe.com
    FedRAMP Tailored
    HELD

    Creative Cloud for enterprise edition is built with compliance at its core and supports certifications such as...FedRAMP Tailored

    Verify on adobe.com
    GDPR
    HELD

    Adobe Firefly can be GDPR compliant for companies with an enterprise DPA, SCCs for US data transfers, and proper controls over data entered into prompts. Enterprise content is excluded from Firefly model training under enterprise plans.

    Verify on compound.law
    GLBA
    HELD

    Creative Cloud for enterprise supports certifications such as...GLBA ready

    Verify on adobe.com
    FERPA
    HELD

    Adobe Firefly is FERPA ready

    Verify on adobe.com
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Adobe Firefly as a creative tool is not among the designated HIPAA-ready services. While Adobe offers HIPAA-ready services with BAA support, these are limited to specific products such as Adobe Acrobat Sign and selected Experience Cloud components deployed in health data-ready environments, not Firefly.

    source: adobe.com
    ISO 42001 (AI Management)
    NOT CONFIRMED

    Adobe references ISO 42001 in its responsible AI adoption framework and awareness materials, but no public evidence that Adobe Firefly has obtained ISO/IEC 42001 certification.

    source: business.adobe.com
    PCI DSS
    NOT CONFIRMED

    Adobe maintains PCI DSS v4.0 compliance in its Common Controls Framework, but no specific evidence Firefly itself is directly PCI DSS certified (PCI is typically for payment processors).

    source: adobe.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Firefly inference processes and stores reference/generated content in AWS US-East and US-West data centers. Creative Cloud for Enterprise more broadly uses regional data centers in North America, Europe, and Japan, with content stored in the region assigned at user provisioning.

    Adobe Firefly does NOT train on customer Creative Cloud or Experience Cloud subscriber personal content or Firefly inputs/outputs. Firefly models are trained exclusively on licensed content (e.g., Adobe Stock) and public domain content where copyright has expired. However, customers' cloud-stored content (Adobe Cloud Documents, Behance, Adobe Stock) MAY be used to help improve Adobe services by default. Users can disable this setting and/or use Content Credentials 'Do Not Train' signal to explicitly prevent AI systems from using their work for future training or style imitation.

    // Security controls

    Encryption in Transit

    HTTPS/TLS encryption for all data transmitted to and from Firefly services

    adobe.com

    Encryption at Rest

    AES 256-bit encryption for reference content and generated output stored in AWS S3 buckets; customer cloud-stored content encrypted according to region-specific key management

    adobe.com

    Data Retention

    User-uploaded reference content for Firefly is stored in AES 256-bit encrypted AWS S3 and is deleted within 24 hours after initial creation (for inference purposes)

    adobe.com

    Audits & Assessments

    Annual SOC 2 audits, regular penetration testing, and third-party security assessments; customers can request SOC 2 reports

    docs.firefly.ai

    Content Moderation

    Adobe may access, view, and moderate user content through automated and manual methods for compliance, safety, and legal purposes

    adobe.com

    // Products & data scope

    Adobe Firefly (Standalone)Generative AI Image & Content Creation

    data: Image prompts, reference images, generated outputs; cloud storage optional

    Available at firefly.adobe.com; free and paid tiers. Generates images, applies intelligent edits (Fill, Expand, Match), and creates text effects.

    Adobe ExpressGenerative AI Design & Content Creation

    data: Project files, reference content, generated content; all stored in Creative Cloud by default if logged in

    Includes Firefly; available as web app and desktop/mobile apps; free and premium plans

    Creative Cloud for EnterpriseEnterprise Creative Suite

    data: All Creative Cloud apps including Firefly; enterprise data centers with regional storage

    Includes Firefly with enterprise compliance controls (DPA, BAA options, HIPAA-ready availability for other products, audit logging)

    Firefly APIProgrammatic Generative AI

    data: API calls with image prompts, reference images, generated content; outputs stored per API configuration

    Developer access to Firefly generative capabilities; supports Generative Fill, Expand, Match, and text effects; quota-based pricing

    Firefly Custom Models (Beta)Fine-tuned Generative AI

    data: User-supplied training images; custom model outputs; training data and models remain private

    Enables users to train custom Firefly models on their own artistic styles; training uploads not folded back into Adobe's broader Firefly models

    // What to watch

    • HIPAA-SCOPE MISMATCH: Firefly is a creative/generative AI tool, not designed for Protected Health Information (PHI) processing. It is NOT HIPAA-ready despite Adobe offering HIPAA-ready services for other products. Misrepresenting Firefly as HIPAA-compliant would be inaccurate.
    • OPT-IN FOR DATA IMPROVEMENT: Cloud-stored content (not prompts/inputs) may be used to improve Adobe services by default. Users must explicitly disable this setting and/or use Content Credentials to prevent training. This is a compliance consideration for regulated data.
    • HISTORICAL CONTROVERSY RESOLVED: In June 2024, Adobe faced backlash over ambiguous ToS language raising concerns about AI training on customer data. Adobe has since clarified and reiterated its commitment not to train Firefly on subscriber content. Current documentation is clear on this point.
    • ISO 42001 NOT CERTIFIED: While Adobe references ISO 42001 in responsible AI frameworks, there is no public evidence Firefly holds ISO/IEC 42001 (AI Management Systems) certification. Adobe appears aware of the standard but not certified.
    • DPA REQUIRES ENTERPRISE PLAN: GDPR and DPA coverage for Firefly is available only with enterprise Creative Cloud licensing. Free and individual plans do NOT include DPA coverage.
    • HIPAA BAA NOT AVAILABLE FOR FIREFLY: While Adobe offers Business Associate Agreements for certain health-data-ready products, Firefly is excluded. Healthcare organizations cannot use Firefly for PHI processing.

    // At a glance

    Pricing model

    Freemium (Firefly.adobe.com with monthly free generations); subscription-based for Creative Cloud (Single App, All Apps, Teams); API and Custom Models use token/credit consumption

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Adobe Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    adobe.com

    > Browse all vendor trust reports