// Trust & Security Report
Everimaging (Chengdu Everimaging Science and Technology Co., Ltd.)
Online photo editor with AI-powered image generation, enhancement, and design tools. Core products include: Fotor web editor, AI Image Generator, AI Photo Enhancer, Background Remover, AI Avatar, AI Poster Generator, AI Presentation Maker, and mobile apps.
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
source: fotor.comNo public evidence of SOC 2 certification on Fotor's official domain. Third-party vendor databases (Nudge Security) claim this certification, but it is not advertised on fotor.com privacy policy, terms of service, or any dedicated security page.
source: fotor.comNo public evidence of ISO 27001 certification on Fotor's official domain. Nudge Security lists this, but is not mentioned on fotor.com.
source: fotor.comFotor is not positioned as a HIPAA-compliant healthcare solution. No HIPAA-specific security features, business associate agreements, or healthcare compliance documentation found on fotor.com. Fotor is a general-purpose photo editor, not a healthcare-regulated product.
source: fotor.comPrivacy Policy states 'we will make our best effort for you to exercise your rights pursuant to your local data privacy legislation (e.g. GDPR or CCPA)' but does not claim formal GDPR certification. Jurisdiction is governed by China law, not EU law. No Data Processing Agreement or regulatory compliance audit mentioned.
source: support.fotor.comFotor states 'payments encrypted using 128-bit SSL encryption' and 'credit card information sent securely over HTTPS,' demonstrating payment security practices, but no PCI DSS certification is claimed on vendor domain.
source: fotor.comNo public evidence of Cloud Security Alliance STAR certification on fotor.com.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
AWS USA (default), China jurisdiction for legal disputes
Fotor's privacy policy explicitly states 'We DO NOT use your Face Data to train any other AI products' (section 4.3.2), and that face data is temporarily stored and deleted after avatar generation. This non-training commitment is specific to Face Data; the policy does not extend the same explicit guarantee to other uploaded content (e.g. AIGC inputs), so general training on non-face customer content is not fully ruled out.
// Security controls
Encryption in Transit
128-bit SSL encryption for payments; HTTPS for all connections
support.fotor.comEncryption at Rest
Personal information encrypted and securely stored where service is hosted; progressive encryption technology used
fotor.comData Deletion
Account deletion results in data removal; users can request deletion of AI-generated outcomes; face data temporarily stored and deleted after use
fotor.comAuthentication
Password-based; users responsible for account security and notifying Fotor of misuse
fotor.comThird-party Integration
User data transferred to AI model providers only when user explicitly uploads and selects specific engines; no automatic third-party sharing
fotor.com// Products & data scope
data: Photos uploaded, edited, and optionally stored; personal account data (email, login)
Free tier with watermarks; premium removes watermarks and adds advanced features
data: Text prompts, generated images
Uses third-party AI models; user prompts transferred to model providers
data: Selfies uploaded; face data temporarily stored during processing
Face data explicitly NOT used for training other products; deleted after processing
data: Photos uploaded for enhancement
Improves quality via AI; photos processed securely
data: Photos uploaded for processing
AI-powered object removal and background editing
data: Designs, templates, text, images
Template-based design tools with collaborative features
// What to watch
- Over-claim risk: Third-party vendor databases (Nudge Security) list Fotor as SOC 2, ISO 27001, HIPAA, FedRamp, and CSA STAR compliant, but NONE of these certifications are advertised or mentioned on Fotor's official domain (fotor.com). Procurement teams using third-party databases may be misled into believing Fotor has formal certifications that it does not publicly claim. This is a significant identity-confidence and over-claim risk.
- Jurisdiction conflict: Fotor's Privacy Policy and Terms of Service are governed by China law (People's Republic of China), not EU law. While Fotor states it will 'make best effort' to comply with GDPR and CCPA, disputes and enforcement are subject to Chinese jurisdiction, creating potential conflicts for EU customers.
- No formal certifications despite a large user base: Fotor reports 800M+ customers worldwide and offers enterprise features (AI generation, bulk editing, team collaboration), yet holds no public SOC 2, ISO 27001, or other industry-standard certifications. This suggests either: (1) Fotor is not targeting regulated enterprise buyers, or (2) certifications exist but are not publicly available.
- Vague GDPR compliance: Privacy policy commits to 'best effort' GDPR compliance 'so far as it's not in conflict with applicable laws' of China. This ambiguous language and China-law jurisdiction may not satisfy strict GDPR enforcement.
- No Data Processing Agreement: Fotor does not appear to offer a DPA, which would be required for GDPR lawful processing with EU customers.
- Limited security transparency: No dedicated security or trust page on fotor.com. Security details are minimal (generic encryption mentions, no audit reports, no vulnerability disclosure policy visible).
// At a glance
Pricing model
Freemium (free tier with limitations; premium subscription for unlimited features)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Everimaging (Chengdu Everimaging Science and Technology Co., Ltd.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
fotor.com