// Trust & Security Report
Canva Inc.
Visual design platform with AI-powered tools (Presentations, Social media, Video, Print, Brand Kit). Offers Free, Pro, Business, Enterprise, Education, and Nonprofit tiers.
Certifications held
8
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on canva.com“Canva has attained SOC2 Type II compliance and maintains an Information Security Management System (ISMS) meeting ISO 27001 requirements with periodic external surveillance audits.”
Verify on sekuro.io“Canva maintains an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard.”
Verify on trust.canva.com“Canva's compliance credentials include SOC 2 Type 2, ISO/IEC 27001, PCI DSS, EU-US DPF, GDPR, CCPA, DSA, and VPAT.”
Verify on canva.com“Canva US Inc. adheres to the EU-U.S. DPF Principles regarding the processing of personal information transferred from the European Union to the United States in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) to the United States in reliance on the UK Extension to the EU-U.S. DPF.”
Verify on canva.com“Canva is committed to helping users understand the rights and obligations under the General Data Protection Regulation (GDPR) and maintains compliance with GDPR requirements. DPA available for Teams and Enterprise customers.”
Verify on canva.com“Canva adheres to CCPA compliance and maintains global standards including GDPR and CCPA.”
Verify on trust.canva.com“Canva's compliance credentials include EU-US DPF, GDPR, CCPA, DSA, and VPAT.”
Verify on content-management-files.canva.com“Canva's Accessibility Conformance Report WCAG 2.4 VPAT is publicly available, demonstrating commitment to accessibility standards.”
> Show 3 unconfirmed / not-held certifications
source: trust.canva.comNo public evidence of HIPAA certification. Canva does not market HIPAA compliance or include it in their compliance certifications list.
source: trust.canva.comNo public evidence of ISO 42001 certification. Canva does not list ISO 42001 among its certifications.
source: trust.canva.comNo public evidence of CSA STAR for AI certification. Canva does not list this among its certifications.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Default: United States and Australia. Enterprise customers can choose to store data in US or EU regions. Data processed by Canva group members in Australia, New Zealand, Philippines, United Kingdom, Singapore, Europe, and United States. Hosted on AWS.
Free and Pro users: AI training is enabled by default but users can opt-out via privacy settings. Teams, Business, Enterprise, and Education users: Content is NEVER used for AI training and cannot be opted in. Canva Creators receive payments for allowing templates to be used for AI training and can opt-out at any time.
// Security controls
Encryption in transit
TLS 1.2 or higher for data transmitted over public networks between customers and Canva application
canva.comInfrastructure hosting
Amazon Web Services (AWS) data centers with AWS physical, environmental, and infrastructure controls
canva.comISMS
ISO 27001-compliant Information Security Management System with internal audit program and management committee oversight
canva.com// Products & data scope
data: Personal designs, limited templates
AI training enabled by default, opt-out available. No DPA. Suitable for personal use only.
data: Professional designs, premium templates and assets
AI training enabled by default, opt-out available. No DPA. Intended for freelancers and solo creators.
data: Team-based designs, brand management, enterprise features
Content NEVER used for AI training. DPA available. Designed for growing teams and businesses.
data: Cross-functional organizational designs, advanced governance
Content NEVER used for AI training. Full DPA with Standard Contractual Clauses and IDT. Data residency choice (US/EU). Designed for 50+ users.
data: Educational institution designs
Content NEVER used for AI training. DPA included. Automatic for eligible institutions or via National Data Privacy Agreement.
data: Nonprofit organization designs
Free access for eligible nonprofits. AI training policy follows applicable plan tier.
// What to watch
- AI training is enabled by default for Free and Pro users (requires opt-out; available on privacy settings page)
- HIPAA certification not available; unsuitable for healthcare/regulated environments requiring HIPAA
- Free and Pro users do not have DPA; suitable for personal use only, not business data processing under GDPR
- Data residency options limited to US/EU for Enterprise; other regions use AWS default regions
- ISO 42001 and CSA STAR for AI not held; Canva does not have AI-specific governance certifications despite heavy AI feature set
// At a glance
Pricing model
Freemium with tiered pricing: Free, Pro ($15/user/month), Business ($20/user/month), Enterprise (custom)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Canva Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.canva.com