// Trust & Security Report

    Stability AI logo

    Stability AI

    DreamStudio is Stability AI's image generation web interface powered by Stable Diffusion. The domain dreamstudio.ai now redirects to Brand Studio, Stability AI's newer enterprise creative production platform launched April 2026.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II is a globally recognized benchmark for security compliance in the technology sector, especially in the emerging generative AI landscape. The certification process involves a comprehensive examination of our security practices across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

    Verify on stability.ai
    SOC 3
    HELD

    SOC 2 Type II and SOC 3 compliance, which validates our security controls and data protection practices through rigorous third-party auditing. Both reports are available in the Stability AI Trust Center Portal.

    Verify on stability.ai
    GDPR
    HELD

    If you wish to access, correct, update, or request deletion of your personal information, you can do so at any time by emailing dreamstudio@stability.ai.

    Verify on stability.ai
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No vendor-domain evidence found. Nudge Security profile claims ISO 27001 compliance, but Stability AI's own domain does not list ISO 27001; only SOC 2 Type II, SOC 3, and GDPR are substantiated on vendor pages.

    source: stability.ai
    HIPAA
    NOT CONFIRMED

    No vendor-domain evidence found. DreamStudio privacy policy and Stability AI public documents do not mention HIPAA compliance or healthcare data handling certifications.

    source: stability.ai
    FedRAMP
    NOT CONFIRMED

    No vendor-domain evidence found. Stability AI's own domain does not mention FedRAMP.

    source: stability.ai
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found. Neither DreamStudio-specific documentation nor Stability AI public sources mention AI-specific governance certifications.

    source: stability.ai
    PCI DSS
    NOT CONFIRMED

    No vendor-domain evidence found. DreamStudio uses third-party payment processors; vendor-domain sources do not explicitly state PCI DSS certification.

    source: stability.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Not explicitly stated; payment processing handled by third parties. Third-party features (OpenRouter, Mistral AI, DeepInfra) route requests externally.

    DreamStudio may store generated content, metadata, and text prompts for service improvement. Users can opt-out of model training via account settings. Terms indicate: 'Stability reserves rights to use your generated content for service improvement.' Users can disable training by navigating to Settings > User Preferences and toggling 'Training: Improve the Model for Everyone' off.

    // Security controls

    Encryption in transit

    HTTPS/TLS connection; specific cipher suites not disclosed

    stability.ai

    Data retention

    EEA residents: data retained only as long as necessary for stated purposes; global: up to one year retention baseline

    stability.ai

    Account security

    Standard login credentials; no explicit mention of MFA in DreamStudio docs

    stability.ai

    Third-party integrations

    Google Analytics for usage metrics; OpenRouter, Mistral AI, DeepInfra for optional AI enhancements (noted: these third parties prohibited from training on user prompts)

    stability.ai

    // Products & data scope

    DreamStudio Web InterfaceImage Generation

    data: Text prompts, generated images, account metadata, usage metrics

    Original Stability AI image generation interface for Stable Diffusion. Now redirects to Brand Studio. Opt-in training data policy. Publicly available; free tier + paid subscriptions.

    Brand StudioEnterprise Creative Production

    data: Brand assets, generated content, model routing metadata

    Launched April 2026. Enterprise-focused evolution of DreamStudio. Targets marketing/advertising teams. Features curated model routing across Stability and third-party models (Nano Banana, Seedream).

    Stable Diffusion APIAPI/Developer Tools

    data: API requests, generations, usage logs

    Programmatic access to image generation. Separate terms and data handling from web interface.

    // What to watch

    • VENDOR-CONFIRMED: Stability AI announces SOC 2 Type II and SOC 3 on its own domain (stability.ai news update), with the cited wording matched verbatim. The full audit reports are gated behind the access-controlled Stability AI Trust Center Portal, so the certificates themselves are not publicly downloadable, but the vendor-domain claim is substantiated.
    • OVER-CLAIM RISK: Nudge Security profile lists 7 certifications (PCI, HIPAA, SOC 2, GDPR, ISO 27001, FedRAMP, CSA STAR), but vendor-domain sources confirm only SOC 2 Type II, SOC 3, and GDPR. Do not list ISO 27001, HIPAA, FedRAMP, PCI, or CSA STAR without vendor-domain proof.
    • PRODUCT TRANSITION: DreamStudio domain redirects to Brand Studio (a different, newer product launched April 2026). Unclear if all Stability AI certifications and privacy policies apply equally to Brand Studio.
    • DATA TRAINING DEFAULT: DreamStudio defaults to training on user inputs/outputs for model improvement. Opt-out required; this is a deviation from privacy-first defaults.
    • CERTIFICATION DATE INCOMPLETE: SOC 2 announcement specifies 'August 4' but article text does not include the year. Based on context (2026 announcements), likely August 2025 or August 2026.
    • NO ISO 27001 VENDOR PROOF: Despite Nudge Security claims, no vendor-domain evidence of ISO 27001 certification found.

    // At a glance

    Pricing model

    Freemium (web interface) + Pay-as-you-go credits + Enterprise tier. Brand Studio pricing not yet publicly detailed.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Stability AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.stability.ai

    > Browse all vendor trust reports