// Trust & Security Report

    Pixlr Pte. Ltd. (Designs.ai by Pixlr) logo

    Pixlr Pte. Ltd. (Designs.ai by Pixlr)

    Designs.ai all-in-one AI content creation platform (branding/logo, image, video, chat/copy, slides, audio) under the Pixlr Group

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    No mention of SOC 2 on the vendor's home, security, privacy, or terms pages. Security page is a vulnerability disclosure policy only.

    Verify on designs.ai
    ISO 27001
    HELD

    No mention of ISO 27001 anywhere on the vendor's own pages.

    Verify on designs.ai
    HIPAA
    HELD

    No mention of HIPAA anywhere on the vendor's own pages.

    Verify on designs.ai
    GDPR (regulatory alignment, not a certification)
    HELD

    Privacy Policy demonstrates an active GDPR-compliance posture: it maps every processing purpose to a GDPR legal basis (e.g. 'Art. 6(1)(b) of the GDPR'), names an EU representative RIVACY GmbH (Mexikoring 33, 22297 Hamburg, Germany) and a UK representative RIVACY Ltd. (West Sussex), provides a designated Data Protection Officer at dpo@pixlr.com, enumerates full data-subject rights (access, rectification, erasure, restriction, objection, portability, complaint to a supervisory authority), and applies standard contractual clauses / binding corporate rules to EEA transfers. This reflects a demonstrable GDPR alignment, not an independently audited certification, so it is recorded as regulatory alignment rather than a SOC 2 / ISO-style attestation.

    Verify on designs.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not stated

    Data region

    Data controller is Pixlr Pte. Ltd., Singapore (36 Robinson Road, City House). Privacy policy states Personal Data 'may be transferred outside the European Economic Area (EEA)' with safeguards 'including binding corporate rules or standard data protection clauses adopted by the European Commission'. No fixed/single data residency guarantee offered.

    No explicit statement that user content trains AI models. Terms clause 7 states content 'may be retained by us for a reasonable period of time for the purposes of: (i) improving or enhancing the Website and Services... (ii) analysing and measuring the effectiveness of the Website and Services', which is ambiguous and could imply service/model improvement but does not clearly say models are trained on user inputs. Biometric data is explicitly protected: 'We do not store, collect or use your facial features for any other purposes' and 'facial geometry will not be shared to any third parties.' No dedicated AI/data-use or DPA page was found.

    // Security controls

    Vulnerability disclosure policy

    Self-managed, email-based (not HackerOne/Bugcrowd). 'please immediately send it to us by emailing Sylvester@designs.ai.' Accepts reports with CVSS 4.0 severity >= 6; in scope '*.designs.ai'; 90-day confidentiality window. No paid bug-bounty platform.

    designs.ai

    Penetration testing

    Referenced only as an example security measure in the privacy policy, not as a documented/attested program: 'appropriate securities measures (such as firewalls, penetration testing and etc)'. No pentest report, cadence, or third-party named.

    designs.ai

    Encryption

    Limited. Privacy policy mentions an 'encrypted password' at registration and 'reasonable steps to protect or secure this data'. No explicit statement of encryption in transit (TLS) or at rest for stored content.

    designs.ai

    Bug bounty platform

    None. No HackerOne or Bugcrowd; disclosure is via direct email.

    designs.ai

    Data deletion / retention

    Account data deleted within 30 days of account closure: 'we will delete your Personal Data and information within thirty (30) days', subject to legal-retention exceptions. Account deletion requires written notice to info@designs.ai.

    designs.ai

    Enterprise-readiness claim (unverified)

    Marketing claims 'Secure and Enterprise-Ready... secure infrastructure and governance controls that protect your data and assets', but no trust center, certifications, or audit evidence backs this claim.

    designs.ai

    // Products & data scope

    Designs.ai unified platform (Branding/Logomaker, Image, Video, Chat/Copy, Slides, Audio)AI content creation / design suite

    data: Account profile (name, email, country, encrypted password), optional billing/company details, browsing/usage data, user-uploaded content and prompts. Optional biometric/facial-geometry data when users upload images, used solely to produce AI output and not stored or shared.

    Multi-LLM platform that routes to multiple third-party language and creative models ('We bring leading language and creative models into Designs.ai'). User content may pass to third-party model/IT providers; review subprocessor exposure for sensitive inputs.

    Pixlr Group ecosystem (Pixlr, Designs.ai)Parent / related creative products

    data: Personal Data may be shared with 'other Pixlr Pte. Ltd. companies within the European Economic Area (EEA)' for internal administrative/accounting purposes.

    Designs.ai is operated by Pixlr Pte. Ltd. ('Designs.ai by Pixlr'); security/disclosure policy is branded 'PIXLR GROUP'. Data governance is shared across the Pixlr corporate group.

    // What to watch

    • No enterprise security certifications (SOC 2 / ISO 27001 / HIPAA) on any vendor-owned page.
    • No trust center or security/compliance documentation portal.
    • Marketing claims 'Secure and Enterprise-Ready' and 'governance controls' with zero supporting evidence (no certs, no audits, no trust center) — procurement should challenge this.
    • Bug bounty is email-only (Sylvester@designs.ai), not a managed HackerOne/Bugcrowd program.
    • No public DPA found; AI-training-on-user-content stance is ambiguous (Terms allow retention to 'improve or enhance the Service').
    • Encryption in transit/at rest not explicitly stated for stored user content.
    • Multi-LLM architecture routes user prompts/content to multiple third-party models — subprocessor data-handling is not enumerated.

    // At a glance

    Pricing model

    Subscription (monthly/yearly, auto-renewing) with monthly usage Credits that expire and do not roll over; separately Purchased Credits valid 1 year; all fees in USD. No free-forever enterprise tier documented.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pixlr Pte. Ltd. (Designs.ai by Pixlr)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    designs.ai

    > Browse all vendor trust reports