// Trust & Security Report
Vista (Cimpress Plc)
VistaCreate (formerly Crello) is an online graphic design tool offering drag-and-drop design templates, AI-powered editing features (image generation, background removal, object removal), stock media library (1M+ free, 70M+ paid), and team collaboration tools. Available as free Starter tier and Pro subscription ($10-13/month).
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on create.vista.com“Vendor privacy policy states: 'Vista serves and shall be considered as a "Processor" and not as the "Controller"' for End Users Information, and that transfers outside the EEA/UK/Switzerland 'will only take place under an approved transfer mechanism, such as through the use of standard contractual clauses approved by the European Commission.'”
> Show 4 unconfirmed / not-held certifications
source: vistasupport.comFound evidence of 'Vista achieves ISO 27001 in June 2019' but this refers to Vista Technology Support (UK-based managed service provider for retail/hospitality), NOT the parent company Cimpress/VistaCreate. Identity conflation risk; no ISO 27001 found for VistaCreate's actual parent entity.
source: cimpress.comNo public evidence found. Cimpress/Vista does not disclose SOC 2 attestation in their privacy or security pages.
source: cimpress.comNo public evidence found. Cimpress/Vista does not disclose SOC 2 attestation in their privacy or security pages.
No public evidence of HIPAA compliance or Business Associate Agreement offerings. Product is positioned as consumer/SMB design tool, not healthcare-focused.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Unknown. Privacy policy references Standard Contractual Clauses for EU data transfers but does not specify data center locations or regional data residency commitments.
VistaCreate offers AI-powered features (AI Image Generator, AI Writer, AI Object Remover) with 100 monthly credits for Pro users. However, no public disclosure found regarding whether customer designs or inputs are used to train these AI models. No opt-out mechanism documented. This represents an ambiguity in an AI-native product with real-time generative capabilities.
// Security controls
Encryption in transit
Stated. Privacy policy confirms 'encryption methods' implemented as part of 'technical and organisational security measures.'
cimpress.comEncryption at rest
Not explicitly specified in public documents.
Access controls
Stated. Privacy policy mentions 'access controls, controlled administration of user rights, and limiting access to personal information on a need-to-know basis.'
cimpress.comData retention policy
General statement: data retained as long as necessary for purpose. Specific retention windows not disclosed.
create.vista.comVulnerability disclosure / bug bounty
Email provided: bugbounty@cimpress.com. No formal public bug bounty program details disclosed.
cimpress.comThird-party security assessments
Parent company (Vista Technology Support, different entity) engaged LRQA for ISO 27001 validation in 2019. No recent independent audits published for Cimpress/VistaCreate.
vistasupport.com// Products & data scope
data: User designs, account info, minimal usage telemetry
50K+ static and animated templates, 1M+ royalty-free assets with unlimited downloads, background remover, basic brand kit, 100 AI generations monthly (stated in search results for Pro only, clarification needed for Free tier)
data: User designs, account info, usage analytics, collaboration data for up to 10 team members
150K+ templates, 70M+ premium assets, unlimited brand kits, unlimited storage, resize tool, sticker maker, team collaboration, version history, 100 AI credits monthly, social media scheduling
// What to watch
- IDENTITY CONFUSION RISK: Search result 'Vista achieves ISO 27001' refers to Vista Technology Support (UK-based managed IT services provider), NOT Cimpress/VistaCreate. Two entirely different companies share the 'Vista' name. Do NOT credit VistaCreate with that cert.
- No public trust center. Security/compliance info is embedded in privacy policy only, no dedicated transparency portal.
- No SOC 2 attestation found. Enterprise buyers may require this; not disclosed.
- AI TRAINING AMBIGUITY: Product has real-time generative AI features (AI Image Generator, AI Writer, AI Object Remover) but no public disclosure of whether customer inputs/designs are used for model training. Terms & Conditions do not address AI-specific data usage. This is a material gap for an AI-native product.
- HISTORICAL SECURITY INCIDENT: Parent company VistaPrint exposed 51,000+ customer service records (chats, emails, phone transcripts with PII) in November 2019 due to unencrypted database left accessible online. Incident was disclosed after TechCrunch report. Demonstrates historical infosec maturity gap.
- No HIPAA offerings or BAA documentation found. Not positioned as healthcare-compliant.
- No mention of ISO 27001, ISO 27701, CSA STAR AI, or other modern data governance certs for actual product entity (Cimpress/VistaCreate).
- Data residency: No regional data center commitments published. EU transfers use SCCs (GDPR-compliant) but location unspecified.
// At a glance
Pricing model
Freemium: Free Starter tier + Pro subscription ($10/month annual, $13/month monthly). No enterprise tier disclosed.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Vista (Cimpress Plc)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
create.vista.com