// Trust & Security Report
Stability AI
DreamStudio is Stability AI's image generation web interface powered by Stable Diffusion. The domain dreamstudio.ai now redirects to Brand Studio, Stability AI's newer enterprise creative production platform launched April 2026.
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on stability.ai“SOC 2 Type II is a globally recognized benchmark for security compliance in the technology sector, especially in the emerging generative AI landscape. The certification process involves a comprehensive examination of our security practices across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.”
Verify on stability.ai“SOC 2 Type II and SOC 3 compliance, which validates our security controls and data protection practices through rigorous third-party auditing. Both reports are available in the Stability AI Trust Center Portal.”
Verify on stability.ai“If you wish to access, correct, update, or request deletion of your personal information, you can do so at any time by emailing dreamstudio@stability.ai.”
> Show 5 unconfirmed / not-held certifications
source: stability.aiNo vendor-domain evidence found. Nudge Security profile claims ISO 27001 compliance, but Stability AI's own domain does not list ISO 27001; only SOC 2 Type II, SOC 3, and GDPR are substantiated on vendor pages.
source: stability.aiNo vendor-domain evidence found. DreamStudio privacy policy and Stability AI public documents do not mention HIPAA compliance or healthcare data handling certifications.
source: stability.aiNo vendor-domain evidence found. Stability AI's own domain does not mention FedRAMP.
source: stability.aiNo public evidence found. Neither DreamStudio-specific documentation nor Stability AI public sources mention AI-specific governance certifications.
source: stability.aiNo vendor-domain evidence found. DreamStudio uses third-party payment processors; vendor-domain sources do not explicitly state PCI DSS certification.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Not explicitly stated; payment processing handled by third parties. Third-party features (OpenRouter, Mistral AI, DeepInfra) route requests externally.
DreamStudio may store generated content, metadata, and text prompts for service improvement. Users can opt-out of model training via account settings. Terms indicate: 'Stability reserves rights to use your generated content for service improvement.' Users can disable training by navigating to Settings > User Preferences and toggling 'Training: Improve the Model for Everyone' off.
// Security controls
Data retention
EEA residents: data retained only as long as necessary for stated purposes; global: up to one year retention baseline
stability.aiAccount security
Standard login credentials; no explicit mention of MFA in DreamStudio docs
stability.aiThird-party integrations
Google Analytics for usage metrics; OpenRouter, Mistral AI, DeepInfra for optional AI enhancements (noted: these third parties prohibited from training on user prompts)
stability.ai// Products & data scope
data: Text prompts, generated images, account metadata, usage metrics
Original Stability AI image generation interface for Stable Diffusion. Now redirects to Brand Studio. Opt-in training data policy. Publicly available; free tier + paid subscriptions.
data: Brand assets, generated content, model routing metadata
Launched April 2026. Enterprise-focused evolution of DreamStudio. Targets marketing/advertising teams. Features curated model routing across Stability and third-party models (Nano Banana, Seedream).
data: API requests, generations, usage logs
Programmatic access to image generation. Separate terms and data handling from web interface.
// What to watch
- VENDOR-CONFIRMED: Stability AI announces SOC 2 Type II and SOC 3 on its own domain (stability.ai news update), with the cited wording matched verbatim. The full audit reports are gated behind the access-controlled Stability AI Trust Center Portal, so the certificates themselves are not publicly downloadable, but the vendor-domain claim is substantiated.
- OVER-CLAIM RISK: Nudge Security profile lists 7 certifications (PCI, HIPAA, SOC 2, GDPR, ISO 27001, FedRAMP, CSA STAR), but vendor-domain sources confirm only SOC 2 Type II, SOC 3, and GDPR. Do not list ISO 27001, HIPAA, FedRAMP, PCI, or CSA STAR without vendor-domain proof.
- PRODUCT TRANSITION: DreamStudio domain redirects to Brand Studio (a different, newer product launched April 2026). Unclear if all Stability AI certifications and privacy policies apply equally to Brand Studio.
- DATA TRAINING DEFAULT: DreamStudio defaults to training on user inputs/outputs for model improvement. Opt-out required; this is a deviation from privacy-first defaults.
- CERTIFICATION DATE INCOMPLETE: SOC 2 announcement specifies 'August 4' but article text does not include the year. Based on context (2026 announcements), likely August 2025 or August 2026.
- NO ISO 27001 VENDOR PROOF: Despite Nudge Security claims, no vendor-domain evidence of ISO 27001 certification found.
// At a glance
Pricing model
Freemium (web interface) + Pay-as-you-go credits + Enterprise tier. Brand Studio pricing not yet publicly detailed.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Stability AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.stability.ai