// Trust & Security Report

    Bytedance Pte. Ltd. logo

    Bytedance Pte. Ltd.

    CapCut is a free AI-powered video and image editing platform with multiple products: CapCut Desktop (desktop app), CapCut Online (web editor), CapCut Pad (tablet app), and CapCut Mobile (iOS/Android apps). Also includes Dreamina AI (image/video generation) and Pippit AI (creative agent). Owned by ByteDance (Chinese conglomerate).

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 11 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence on vendor domain. RFP.wiki assessment explicitly states: 'No certifications identified in the analysis.'

    source: rfp.wiki
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence on vendor domain. CapCut's privacy policy contains only general statement: 'technical, administrative, and organisational measures' with no third-party audit.

    source: capcut.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on vendor domain. Privacy policy does not mention ISO 27001 or any ISO standards. RFP.wiki: 'Limited public evidence of industry certifications.'

    source: capcut.com
    GDPR Compliance
    NOT CONFIRMED

    CapCut lacks formal DPA and relies on standard contractual clauses. Compliance concerns noted per Articles 13-14 (transparency) and 17 (right to deletion). No explicit GDPR certification on vendor domain.

    source: capcut.com
    HIPAA
    NOT CONFIRMED

    CapCut is not subject to HIPAA and makes no HIPAA compliance claims. Not a healthcare provider or business associate under HIPAA definitions.

    source: capcut.com
    PCI DSS
    NOT CONFIRMED

    No public evidence on vendor domain. CapCut does not process payment card data directly; this is handled by app stores (Apple, Google).

    source: capcut.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence on vendor domain. No third-party certifications listed.

    source: capcut.com
    ISO 27018 (Personal Data Protection)
    NOT CONFIRMED

    No public evidence on vendor domain. Personal data handling not covered by any cited certification.

    source: capcut.com
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence on vendor domain. CapCut heavily uses AI for content generation and ML training but has no AI governance certification.

    source: capcut.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. CapCut does not market itself as a government-approved cloud service.

    source: capcut.com
    CSA STAR Certification
    NOT CONFIRMED

    No public evidence on vendor domain. Cloud Security Alliance certification not mentioned.

    source: capcut.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Malaysia, Singapore, and United States

    CRITICAL: CapCut explicitly trains on user-uploaded content. Privacy policy states: 'train, test, and improve technology, such as machine learning models and algorithms.' Users grant broad license: 'non-exclusive, royalty-free, transferable, sub-licensable, perpetual and worldwide licence to use your User Content.' No opt-out available.

    // Security controls

    Security Guarantee

    EXPLICITLY NOT GUARANTEED: 'We do not guarantee that our Services will be secure or free from bugs or viruses.' No SLA or status page published.

    capcut.com

    Encryption

    General mention of 'advanced encryption' but not specific (TLS version, cipher suites not disclosed). No third-party audit.

    capcut.com

    Data Centers

    Located in Malaysia, Singapore, and United States. No specific facility certifications mentioned.

    capcut.com

    Security Audits

    Referenced as 'regular security audits' but no public audit reports, frequency, or third-party attestation provided.

    capcut.com

    Biometric Data

    Face/body data deleted after applying effects but collected and analyzed for processing. Lawsuit alleges improper biometric data harvesting (ongoing).

    capcut.com

    Health Data Collection

    CapCut may collect inferred health information from user content, including physical and mental health conditions. Separate Consumer Health Data Privacy Policy published.

    capcut.com

    // Products & data scope

    CapCut DesktopVideo Editing (Desktop App)

    data: User-uploaded videos, images, audio; clipboard access; local file system access (on user's machine)

    Powerful desktop editor with AI features. Free with optional paid features.

    CapCut OnlineVideo Editing (Web App)

    data: User-uploaded videos, images, audio stored on CapCut servers (Malaysia, Singapore, US)

    Browser-based editor, no installation required. Data leaves user device immediately.

    CapCut Mobile (iOS/Android)Video Editing (Mobile App)

    data: Device media library, camera/microphone, clipboard, contacts. Data uploaded to servers for processing.

    Most widely used variant (100M+ downloads). App Store rating 4.7/5 but subject to class-action lawsuit.

    CapCut PadVideo Editing (Tablet App)

    data: Similar to mobile app but optimized for tablet UI

    Edit anywhere, anytime positioning.

    Dreamina AIImage & Video Generation

    data: Text prompts, reference images, generated outputs. Uses external AI models.

    AI-powered image and video creation tool. Seedance 2.0 update in development.

    Pippit AICreative Agent

    data: User prompts and project context

    AI assistant for creative projects. Limited public information.

    // What to watch

    • OVER-CLAIM DETECTED: Initial web search result (Nudge Security) claimed CapCut holds SOC 2, ISO 27001, GDPR, HIPAA, FedRAMP, and CSA STAR certifications. These claims are FALSE and not supported by vendor domain evidence. RFP.wiki assessment explicitly states 'No certifications identified.' This appears to be a false positive or outdated listing.
    • ACTIVE LITIGATION: Class-action lawsuit filed July 28, 2023 in US District Court (Northern District of Illinois) alleging illegal biometric data harvesting and privacy violations. March 2025 ruling allowed privacy claims under California Constitution and Illinois BIPA to proceed. September 2025 update: Computer Fraud and Abuse Act claims dismissed but BIPA and privacy claims remain active.
    • AI TRAINING ON USER DATA: CapCut explicitly trains ML models on user-uploaded content with NO opt-out. This is a core business practice, not incidental. No data minimization visible.
    • NO SECURITY GUARANTEE: Terms of Service explicitly state: 'We do not guarantee that our Services will be secure or free from bugs or viruses.' This is an unusual and concerning disclosure.
    • GDPR COMPLIANCE GAPS: No formal DPA, relies on standard contractual clauses, and has documented concerns per Article 13/14 (transparency) and Article 17 (right to deletion).
    • HEALTH DATA COLLECTION: CapCut collects and infers health information from user content (Separate CHDP published). This data is also subject to AI training.
    • IDENTITY VERIFIED: CapCut is ByteDance product (confirmed). Legal entity: Bytedance Pte. Ltd. (Singapore). No confusion with other vendors.
    • MATURITY MISMATCH: Rated 2.6/5 by RFP.wiki. Suitable for social creators only, NOT enterprise. No SSO, SCIM, DLP, or enterprise controls. No third-party plugin ecosystem.
    • LIMITED SECURITY DOCUMENTATION: A consumer Trust Center exists (https://www.capcut.com/trust/ with Privacy, Safety, Responsible AI, and Legal sections), but it publishes no third-party audit reports, attestations, or formal certifications. Security detail (encryption, audit cadence) is described only in general terms across multiple policy documents.

    // At a glance

    Pricing model

    Freemium: Free tier with watermark, paid Premium removes watermark and adds features. No enterprise pricing model.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Bytedance Pte. Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    capcut.com

    > Browse all vendor trust reports