// Trust & Security Report
Civitai Inc.
Civitai is an open-source AI art model marketplace and community platform where users discover, create, and share Stable Diffusion, Flux, and other generative AI models (LoRAs, checkpoints, VAEs, embeddings). Includes public model sharing, image generation, and creator monetization features.
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
No public evidence. Claimed in Nudge Security vendor profile, but not published on civitai.com domain. Civic searches of civitai.com for 'SOC 2' return only unrelated AI model pages.
No public evidence. Claimed in Nudge Security vendor profile, but not published on civitai.com domain. Site search returns only AI models with 'ISO' in their names, no certification documentation.
source: civitai.comPrivacy policy contains minimal GDPR language: 'If you choose to use the Services from the European Union...you are transferring your personal information outside of those regions to the U.S.' No GDPR-specific rights, data processing agreements, lawful basis mechanisms, or DPA documented.
source: civitai.comNo mention. HIPAA is not referenced in privacy policy, terms of service, or any civitai.com pages. Not applicable to platform use case (consumer AI art, not healthcare data handling).
Claimed in Nudge Security vendor profile. Civitai does process payments via Stripe integration, but no PCI compliance documentation published on civitai.com domain.
Claimed in Nudge Security vendor profile. No evidence on civitai.com. FedRAMP is a U.S. government-specific framework not applicable to consumer platforms; this appears to be a false claim.
Claimed in Nudge Security vendor profile. No evidence on civitai.com domain. CSA STAR Level 1 is a cloud security assessment; no vendor-domain proof.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States (policy states data transfers outside EU to U.S.)
CRITICAL GAP: Privacy policy is silent on whether Civitai trains on user-submitted models or images. Terms of service grant Civitai 'a worldwide, non-exclusive, irrevocable, royalty-free, fully paid right and license' to user-submitted content including 'reproduce and create derivative works,' but no explicit statement about model training use. This is a material gap for a platform where users upload AI models.
// Security controls
Encryption in transit
Standard TLS via Cloudflare and Google Trust Services (SSL certificate). No specific encryption protocols documented.
civitai.comSecurity guarantees
Company explicitly disclaims: 'no electronic transmission or storage of information can be entirely secure, we can make no guarantees as to the security or privacy of your information.'
civitai.comContent moderation
Automated AI tagging (Amazon Rekognition), human moderator review, community reporting, zero-strike policy for CSAM violations (permanent ban).
civitai.comCSAM Prevention
Generator checks every prompt to detect CSAM requests and denies generation if detected. Partnered with Moonbounce for image analysis.
civitai.comTwo-factor authentication
Limited or no support according to Nudge Security profile (SMS, email, hardware, software, TOTP, U2F all show as not supported).
security-profiles.nudgesecurity.com// Products & data scope
data: User profiles, uploaded models, generated images, image metadata, community interactions (comments, ratings), payment info via Stripe
Free and paid tiers. Users can publish models and images publicly or privately. Creator monetization via tips and commerce. No enterprise/team product offering documented.
// What to watch
- OVER-CLAIM DETECTED: Nudge Security vendor profile lists SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, FedRAMP, and CSA STAR Level 1 compliance for Civitai. However, ZERO of these certifications are published or referenced on civitai.com. Extensive site searches and direct fetches of privacy/terms pages yield no vendor-domain proof. This is either a questionnaire error, outdated information, or misrepresentation by the third-party vendor tool.
- MATERIAL DATA-USE GAP: Privacy policy explicitly does not address AI model training, data retention, or deletion procedures. Terms grant broad content license rights but do not clarify data-use boundaries. For a platform where users upload AI models, this is a critical compliance gap.
- SECURITY DISCLAIMER: Civitai explicitly disclaims all security guarantees ('we can make no guarantees as to the security or privacy of your information'). This is not typical of enterprise-grade platforms.
- NO GDPR INFRASTRUCTURE: Privacy policy mentions GDPR only in the context of acknowledging data transfers to the U.S., with no mechanism for exercising GDPR rights (right to access, erasure, portability, etc.).
- LIMITED 2FA SUPPORT: Nudge profile reports no or very limited 2-factor authentication options, limiting account security controls.
- NO DPA AVAILABLE: As a consumer platform, Civitai does not appear to offer Data Processing Agreements for B2B/enterprise use.
- STARTUP MATURITY: Founded 2022, seed-stage company with a16z backing. No indication of enterprise security programs (vulnerability disclosure, penetration testing, bug bounty, incident response SLA).
- USE-CASE RISK: Platform enables generation and sharing of deepfakes and NSFW content (with stated policies against real-person deepfakes and CSAM). Regulatory risk in jurisdictions restricting such content (e.g., UK, Australia).
// At a glance
Pricing model
Freemium (free model upload/sharing; monetization via Buzz virtual currency, creator marketplace, and tips)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Civitai Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
civitai.com