// Trust & Security Report

    Craiyon LLC logo

    Craiyon LLC

    Craiyon is a free and paid AI text-to-image generation platform (formerly DALL-E mini, 2021–2022). The product offers tiered pricing: free tier with basic quality and square format only; Supporter, Professional, and Ultra tiers with higher quality outputs, more generation credits, private image generation, and faster processing. Users can generate images via text prompts, use style presets (Artistic, Photo, Anime, Illustration, Vector, Raw), and browse a public gallery of community-created images.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence of Craiyon holding SOC 2 Type II certification. No Craiyon-specific SOC 2 documentation found on the craiyon.com domain.

    SOC 2 Type I
    NOT CONFIRMED

    No public evidence of Craiyon holding SOC 2 Type I certification.

    ISO 27001
    NOT CONFIRMED

    No public evidence of Craiyon holding ISO 27001 certification. No ISO 27001 documentation found on the craiyon.com domain.

    GDPR Compliance
    NOT CONFIRMED

    No public Data Processing Agreement (DPA) or explicit GDPR compliance statement found on Craiyon domain. Direct access to craiyon.com/privacy and craiyon.com/terms returned HTTP 403 Forbidden (Cloudflare protection). No evidence of vendor-domain documentation regarding GDPR Article 28 DPA, lawful basis for processing, or data subject rights mechanisms.

    HIPAA Business Associate Agreement (BAA)
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability. Craiyon is an image generation service not marketed for healthcare use; no HIPAA commitment found on vendor domain.

    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 AI management system certification for Craiyon.

    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance. Craiyon processes payments for subscription tiers, but no PCI DSS certification or documentation found on vendor domain.

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Unknown; likely US-based (Craiyon LLC is headquartered in Houston, TX). No data residency terms publicly specified on the craiyon.com domain.

    Craiyon's core models are trained on millions of public internet images and captions (including Conceptual 12M dataset, a public dataset). No evidence found that user-generated images (prompts or outputs) are used to train the core model. However, Craiyon operates a public gallery where community-created images are discoverable; users can generate private images via Professional/Ultra tiers. No explicit opt-out mechanism for model training found in public documentation. User Terms of Use state that generated images can be used commercially (free tier requires attribution), but mechanism for opting out of community gallery discoverability is unclear.

    // Security controls

    Encryption in transit

    Stated in general terms (HTTPS, TLS implied); no specific cipher suite or protocol version details publicly documented.

    craiyon.com

    Encryption at rest

    No public documentation found regarding encryption of stored user data or generated images.

    Access control

    General statement: 'limit access to personal information to those employees, agents, contractors and other third parties who have a business need to know.' No role-based access control (RBAC) policy or privileged access management (PAM) details publicly available.

    craiyon.com

    Vulnerability disclosure

    No public vulnerability disclosure policy, bug bounty program, or security.txt found on Craiyon domain.

    Incident response

    No public incident response plan, notification timeline, or breach disclosure policy found.

    Third-party security assessments

    General statement: 'thoroughly scanned by advanced security systems and verified by industry-leading partners, with no signs of viruses, malware, or spyware.' Partners and assessment scope not disclosed; appears to be generic malware scanning, not formal penetration testing or security audit.

    craiyon.com

    // Products & data scope

    Craiyon Free TierAI Image Generation

    data: Prompts and generated images stored; user account data required for login. Images appear in public gallery. No explicit data deletion option mentioned.

    No cost. Basic model quality. Square format only. Images include Craiyon watermark. Free users required to attribute craiyon.com. Generating images may incur queue wait times during peak usage.

    Craiyon Supporter PlanAI Image Generation

    data: Prompts, generated images, user account data. Paid subscription allows configurable privacy (images can be kept private or public).

    Paid monthly subscription. Includes Pro-quality credits, unlimited basic-tier image generation, all aspect ratios, no watermark, priority generation queue, higher-quality downloads.

    Craiyon Professional PlanAI Image Generation

    data: Prompts, generated images (can be kept completely private), user account data. Privacy setting: images NOT shared publicly by default.

    Paid monthly subscription. All Supporter features plus private image generation by default, higher priority queue, early access to new features. More Pro-quality credits per month.

    Craiyon Ultra PlanAI Image Generation

    data: Prompts, generated images (private), user account data, edit operations logged.

    Paid monthly subscription. All Professional features plus the highest monthly Pro-quality credit allowance and Edit-credit allowance.

    // What to watch

    • Direct access to craiyon.com/privacy and craiyon.com/terms returns HTTP 403 Forbidden (bot/edge protection); privacy policy and terms of service not accessible to automated review despite offering paid services and collecting user data (emails, payment info, prompts, generated images).
    • No GDPR Data Processing Agreement publicly available despite processing data from EU users. This is a potential compliance gap if customers are EU-based.
    • No HIPAA BAA despite processing customer data at scale; unsuitable for healthcare use without explicit commitment.
    • Training data transparency limited: public internet images + Conceptual 12M dataset disclosed, but no mechanism disclosed for users to verify their data is not used in future model updates or customer-specific fine-tuning.
    • Public image gallery creates potential re-identification risk for users who believe images are private. No clear deletion/removal mechanism documented.
    • No formal vulnerability disclosure policy or bug bounty program found, limiting security researcher engagement.
    • No AI governance certifications (ISO/IEC 42001, CSA STAR AI) found, despite operating a large-scale AI model.

    // At a glance

    Pricing model

    Freemium: Free tier with limited quality, aspect ratio, and generation speed; three paid subscription tiers (Supporter, Professional, Ultra) with monthly credit renewal and optional additional credit packages.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Craiyon LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    craiyon.com

    > Browse all vendor trust reports