// Trust & Security Report
Canva UK Operations Ltd
Flourish is a no-code data visualization and interactive storytelling platform owned by Canva. Core products: interactive charts, maps, scrollytelling experiences, and live-updating data visualizations. Serves newsrooms, financial services, marketing, nonprofits, and educational institutions.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on flourish.studio“Flourish is certified to the internationally recognized info-security standard ISO27001 by the British Standards Institute.”
Verify on flourish.studio“transferring the Customer Personal Data to a recipient that has executed Module 3 (processor-to-processor transfers) of the SCCs and UK Addendum with Flourish.”
> Show 3 unconfirmed / not-held certifications
source: flourish.studioNot mentioned on Flourish's security page, DPA, or privacy policy. Parent company Canva holds SOC 2 Type II, but Flourish product does not explicitly claim this certification on its own vendor domain.
source: flourish.studioNo mention of HIPAA compliance on Flourish pages. Third-party sources explicitly state Canva/Flourish should not be used for PHI (Protected Health Information) without a BAA, and no BAA is offered.
source: flourish.studioNo evidence of PCI DSS certification on Flourish's security or compliance pages. Not mentioned in DPA or public documentation.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
European Economic Area (EEA), primarily Dublin, Ireland (AWS-hosted). May transfer outside EEA with Standard Contractual Clauses (SCCs) and UK Addendum for lawful processing.
Privacy policy mentions 'analyzing prompts and results to provide and enhance AI tools such as AI Assistant' but does not explicitly confirm whether customer visualization data or interactions are used to train AI models. Canva's AI Product Terms reference this but details are not provided in public Flourish documentation. Requires direct contact for clarity.
// Security controls
Access controls
Least privilege principle; only necessary personnel access customer data
flourish.studioMulti-factor authentication
2FA available for all users; 2FA enforcement available for enterprise accounts
flourish.studioSub-processor notification
Updated list maintained; customers notified at least 14 days before new sub-processors engaged. Customers may object within 14 days; non-resolution may trigger service termination with refund.
flourish.studio// Products & data scope
data: User-uploaded datasets, project metadata
Core product for creating static and interactive charts, maps, and data visualizations. No AI training claims specific to this product.
data: User content (text, images, data, narrative structure)
No-code scrollytelling experience builder. Data handling same as core platform.
data: Live data feeds, API integrations
Visualizations that update in real-time from data sources. Subject to same security and GDPR commitments.
data: User interactions, prompts, visualization descriptions
Referenced in privacy policy as under development. AI training practices on customer data are unclear; not explicitly detailed in public documentation.
// What to watch
- AI training posture unclear: Privacy policy mentions 'analyzing prompts and results' for AI enhancement but does not explicitly confirm whether customer visualization data or interactions train models. Clarification needed.
- SOC 2 not held by Flourish: While parent company Canva holds SOC 2 Type II, Flourish's own security page and DPA do not claim SOC 2 certification. Vendors should not imply Flourish is SOC 2 certified unless explicitly stated on flourish.studio domain.
- HIPAA not supported: Flourish is not suitable for Protected Health Information (PHI). No BAA offered. Explicitly not HIPAA compliant.
- Trust center: Flourish does not maintain a dedicated trust center on flourish.studio; relies on Canva's trust.canva.com. May impact vendor's independent security posture perception.
// At a glance
Pricing model
Freemium (free tier with limitations) + paid subscription tiers (Starter, Professional, Team, Enterprise)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Canva UK Operations Ltd's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.canva.com