// Trust & Security Report
Craiyon LLC
Craiyon is a free and paid AI text-to-image generation platform (formerly DALL-E mini, 2021–2022). The product offers tiered pricing: free tier with basic quality and square format only; Supporter, Professional, and Ultra tiers with higher quality outputs, more generation credits, private image generation, and faster processing. Users can generate images via text prompts, use style presets (Artistic, Photo, Anime, Illustration, Vector, Raw), and browse a public gallery of community-created images.
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
No public evidence of Craiyon holding SOC 2 Type II certification. No Craiyon-specific SOC 2 documentation found on the craiyon.com domain.
No public evidence of Craiyon holding SOC 2 Type I certification.
No public evidence of Craiyon holding ISO 27001 certification. No ISO 27001 documentation found on the craiyon.com domain.
No public Data Processing Agreement (DPA) or explicit GDPR compliance statement found on Craiyon domain. Direct access to craiyon.com/privacy and craiyon.com/terms returned HTTP 403 Forbidden (Cloudflare protection). No evidence of vendor-domain documentation regarding GDPR Article 28 DPA, lawful basis for processing, or data subject rights mechanisms.
No public evidence of HIPAA compliance or BAA availability. Craiyon is an image generation service not marketed for healthcare use; no HIPAA commitment found on vendor domain.
No public evidence of ISO/IEC 42001 AI management system certification for Craiyon.
No public evidence of PCI DSS compliance. Craiyon processes payments for subscription tiers, but no PCI DSS certification or documentation found on vendor domain.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Unknown; likely US-based (Craiyon LLC is headquartered in Houston, TX). No data residency terms publicly specified on the craiyon.com domain.
Craiyon's core models are trained on millions of public internet images and captions (including Conceptual 12M dataset, a public dataset). No evidence found that user-generated images (prompts or outputs) are used to train the core model. However, Craiyon operates a public gallery where community-created images are discoverable; users can generate private images via Professional/Ultra tiers. No explicit opt-out mechanism for model training found in public documentation. User Terms of Use state that generated images can be used commercially (free tier requires attribution), but mechanism for opting out of community gallery discoverability is unclear.
// Security controls
Encryption in transit
Stated in general terms (HTTPS, TLS implied); no specific cipher suite or protocol version details publicly documented.
craiyon.comEncryption at rest
No public documentation found regarding encryption of stored user data or generated images.
Access control
General statement: 'limit access to personal information to those employees, agents, contractors and other third parties who have a business need to know.' No role-based access control (RBAC) policy or privileged access management (PAM) details publicly available.
craiyon.comVulnerability disclosure
No public vulnerability disclosure policy, bug bounty program, or security.txt found on Craiyon domain.
Incident response
No public incident response plan, notification timeline, or breach disclosure policy found.
Third-party security assessments
General statement: 'thoroughly scanned by advanced security systems and verified by industry-leading partners, with no signs of viruses, malware, or spyware.' Partners and assessment scope not disclosed; appears to be generic malware scanning, not formal penetration testing or security audit.
craiyon.com// Products & data scope
data: Prompts and generated images stored; user account data required for login. Images appear in public gallery. No explicit data deletion option mentioned.
No cost. Basic model quality. Square format only. Images include Craiyon watermark. Free users required to attribute craiyon.com. Generating images may incur queue wait times during peak usage.
data: Prompts, generated images, user account data. Paid subscription allows configurable privacy (images can be kept private or public).
Paid monthly subscription. Includes Pro-quality credits, unlimited basic-tier image generation, all aspect ratios, no watermark, priority generation queue, higher-quality downloads.
data: Prompts, generated images (can be kept completely private), user account data. Privacy setting: images NOT shared publicly by default.
Paid monthly subscription. All Supporter features plus private image generation by default, higher priority queue, early access to new features. More Pro-quality credits per month.
data: Prompts, generated images (private), user account data, edit operations logged.
Paid monthly subscription. All Professional features plus the highest monthly Pro-quality credit allowance and Edit-credit allowance.
// What to watch
- Direct access to craiyon.com/privacy and craiyon.com/terms returns HTTP 403 Forbidden (bot/edge protection); privacy policy and terms of service not accessible to automated review despite offering paid services and collecting user data (emails, payment info, prompts, generated images).
- No GDPR Data Processing Agreement publicly available despite processing data from EU users. This is a potential compliance gap if customers are EU-based.
- No HIPAA BAA despite processing customer data at scale; unsuitable for healthcare use without explicit commitment.
- Training data transparency limited: public internet images + Conceptual 12M dataset disclosed, but no mechanism disclosed for users to verify their data is not used in future model updates or customer-specific fine-tuning.
- Public image gallery creates potential re-identification risk for users who believe images are private. No clear deletion/removal mechanism documented.
- No formal vulnerability disclosure policy or bug bounty program found, limiting security researcher engagement.
- No AI governance certifications (ISO/IEC 42001, CSA STAR AI) found, despite operating a large-scale AI model.
// At a glance
Pricing model
Freemium: Free tier with limited quality, aspect ratio, and generation speed; three paid subscription tiers (Supporter, Professional, Ultra) with monthly credit renewal and optional additional credit packages.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Craiyon LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
craiyon.com