// Trust & Security Report

    Civitai Inc. logo

    Civitai Inc.

    Civitai is an open-source AI art model marketplace and community platform where users discover, create, and share Stable Diffusion, Flux, and other generative AI models (LoRAs, checkpoints, VAEs, embeddings). Includes public model sharing, image generation, and creator monetization features.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence. Claimed in Nudge Security vendor profile, but not published on civitai.com domain. Civic searches of civitai.com for 'SOC 2' return only unrelated AI model pages.

    ISO 27001
    NOT CONFIRMED

    No public evidence. Claimed in Nudge Security vendor profile, but not published on civitai.com domain. Site search returns only AI models with 'ISO' in their names, no certification documentation.

    GDPR Compliant
    NOT CONFIRMED

    Privacy policy contains minimal GDPR language: 'If you choose to use the Services from the European Union...you are transferring your personal information outside of those regions to the U.S.' No GDPR-specific rights, data processing agreements, lawful basis mechanisms, or DPA documented.

    source: civitai.com
    HIPAA Compliant
    NOT CONFIRMED

    No mention. HIPAA is not referenced in privacy policy, terms of service, or any civitai.com pages. Not applicable to platform use case (consumer AI art, not healthcare data handling).

    source: civitai.com
    PCI DSS
    NOT CONFIRMED

    Claimed in Nudge Security vendor profile. Civitai does process payments via Stripe integration, but no PCI compliance documentation published on civitai.com domain.

    FedRAMP
    NOT CONFIRMED

    Claimed in Nudge Security vendor profile. No evidence on civitai.com. FedRAMP is a U.S. government-specific framework not applicable to consumer platforms; this appears to be a false claim.

    CSA STAR Level 1
    NOT CONFIRMED

    Claimed in Nudge Security vendor profile. No evidence on civitai.com domain. CSA STAR Level 1 is a cloud security assessment; no vendor-domain proof.

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States (policy states data transfers outside EU to U.S.)

    CRITICAL GAP: Privacy policy is silent on whether Civitai trains on user-submitted models or images. Terms of service grant Civitai 'a worldwide, non-exclusive, irrevocable, royalty-free, fully paid right and license' to user-submitted content including 'reproduce and create derivative works,' but no explicit statement about model training use. This is a material gap for a platform where users upload AI models.

    // Security controls

    Encryption in transit

    Standard TLS via Cloudflare and Google Trust Services (SSL certificate). No specific encryption protocols documented.

    civitai.com

    Encryption at rest

    No documentation provided.

    civitai.com

    Security guarantees

    Company explicitly disclaims: 'no electronic transmission or storage of information can be entirely secure, we can make no guarantees as to the security or privacy of your information.'

    civitai.com

    Content moderation

    Automated AI tagging (Amazon Rekognition), human moderator review, community reporting, zero-strike policy for CSAM violations (permanent ban).

    civitai.com

    CSAM Prevention

    Generator checks every prompt to detect CSAM requests and denies generation if detected. Partnered with Moonbounce for image analysis.

    civitai.com

    Two-factor authentication

    Limited or no support according to Nudge Security profile (SMS, email, hardware, software, TOTP, U2F all show as not supported).

    security-profiles.nudgesecurity.com

    // Products & data scope

    Civitai Platform (Web)AI Model Marketplace

    data: User profiles, uploaded models, generated images, image metadata, community interactions (comments, ratings), payment info via Stripe

    Free and paid tiers. Users can publish models and images publicly or privately. Creator monetization via tips and commerce. No enterprise/team product offering documented.

    // What to watch

    • OVER-CLAIM DETECTED: Nudge Security vendor profile lists SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, FedRAMP, and CSA STAR Level 1 compliance for Civitai. However, ZERO of these certifications are published or referenced on civitai.com. Extensive site searches and direct fetches of privacy/terms pages yield no vendor-domain proof. This is either a questionnaire error, outdated information, or misrepresentation by the third-party vendor tool.
    • MATERIAL DATA-USE GAP: Privacy policy explicitly does not address AI model training, data retention, or deletion procedures. Terms grant broad content license rights but do not clarify data-use boundaries. For a platform where users upload AI models, this is a critical compliance gap.
    • SECURITY DISCLAIMER: Civitai explicitly disclaims all security guarantees ('we can make no guarantees as to the security or privacy of your information'). This is not typical of enterprise-grade platforms.
    • NO GDPR INFRASTRUCTURE: Privacy policy mentions GDPR only in the context of acknowledging data transfers to the U.S., with no mechanism for exercising GDPR rights (right to access, erasure, portability, etc.).
    • LIMITED 2FA SUPPORT: Nudge profile reports no or very limited 2-factor authentication options, limiting account security controls.
    • NO DPA AVAILABLE: As a consumer platform, Civitai does not appear to offer Data Processing Agreements for B2B/enterprise use.
    • STARTUP MATURITY: Founded 2022, seed-stage company with a16z backing. No indication of enterprise security programs (vulnerability disclosure, penetration testing, bug bounty, incident response SLA).
    • USE-CASE RISK: Platform enables generation and sharing of deepfakes and NSFW content (with stated policies against real-person deepfakes and CSAM). Regulatory risk in jurisdictions restricting such content (e.g., UK, Australia).

    // At a glance

    Pricing model

    Freemium (free model upload/sharing; monetization via Buzz virtual currency, creator marketplace, and tips)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Civitai Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    civitai.com

    > Browse all vendor trust reports