// Trust & Security Report

    Google LLC (product formerly operated by Galileo Technologies Inc., d/b/a "Galileo AI", acquired by Google in May 2025) logo

    Google LLC (product formerly operated by Galileo Technologies Inc., d/b/a "Galileo AI", acquired by Google in May 2025)

    AI-generated UI/UX design tool that turns text prompts into editable mobile/web UI mockups with Figma export. Originally an independent startup (Galileo AI, getgalileo.ai), acquired by Google and relaunched as "Stitch" (stitch.withgoogle.com), a free Gemini-powered Google Labs experiment. No independent company or trust center exists anymore for this product.

    Certifications held

    0

    Maturity

    Unknown

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No SOC 2 attestation is named on any google.com / withgoogle.com page for Stitch. Google Cloud Platform itself holds SOC 2 (cloud.google.com/security/compliance/soc-2), but that is the infrastructure host's certification, not a documented Stitch-product attestation. Third-party SEO blogs claim 'SOC2 Type II achieved Feb 2026' for Stitch but this appears on no Google-owned domain and is treated as unverified marketing content.

    source: cloud.google.com
    ISO 27001
    NOT CONFIRMED

    No ISO 27001 scope statement naming Stitch was found on any google.com / withgoogle.com page. Google Cloud Platform separately holds ISO 27001 for its own cloud services; no evidence this extends specifically to the free Stitch Labs experiment.

    source: cloud.google.com
    GDPR (posture)
    NOT CONFIRMED

    Google as a company documents general GDPR compliance (Standard Contractual Clauses / EU-U.S. Data Privacy Framework participation) at the corporate level, but that is the parent/host posture, not a Stitch-product attestation; treated as no public product-specific evidence rather than a held certification.

    source: policies.google.com
    HIPAA
    NOT CONFIRMED

    No HIPAA eligibility or BAA offering for Stitch is stated on any Google-owned domain. Stitch is a free consumer/experimental tool; Google's own Labs privacy notices instruct users not to enter sensitive, confidential, or personal information into prompts, which is inconsistent with HIPAA-covered use. Third-party blog claims of 'HIPAA-eligible' status could not be corroborated on any Google domain.

    source: labs.google
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence found on any Google-owned domain of an ISO 42001 certification scoped to Stitch or the former Galileo AI product.

    source: stitch.withgoogle.com
    CSA STAR / CSA STAR for AI
    NOT CONFIRMED

    No public evidence of CSA STAR registration or attestation for Stitch.

    source: stitch.withgoogle.com
    PCI DSS
    NOT CONFIRMED

    Not applicable / no public evidence; Stitch is a free tool with no payment processing surface identified.

    source: stitch.withgoogle.com
    FedRAMP
    NOT CONFIRMED

    No public evidence that Stitch specifically holds a FedRAMP authorization. Certain Google Cloud/Workspace services hold FedRAMP High, but this is not documented as covering the free Stitch Labs experiment.

    source: cloud.google.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not publicly specified for Stitch; runs on Google's global infrastructure with no documented region/residency controls for this product.

    Tier-dependent and not confirmed Stitch-specific: per Google's structurally identical Labs/Workspace Experiments privacy notices, general/consumer-account interactions ARE used to help train Google's generative AI models (data retained up to 18 months, with human-reviewed copies retained longer), while signed-in Google Workspace accounts are explicitly excluded from generative-model training. No Stitch-specific carve-out statement was directly retrievable; this is inferred from Google's shared Labs privacy framework at labs.google/fx/privacy and should be re-verified manually against the live Stitch privacy page.

    // Security controls

    Encryption in transit

    Not independently confirmed on a Stitch-specific page; Google's platform-wide practice is TLS encryption for all products, but no Stitch-specific security page was found to cite directly.

    policies.google.com

    Data retention (default)

    Up to 18 months for interaction/history data under Google's Labs experiment framework (proxy: labs.google/fx notice); reduced to roughly 72 hours if history is disabled. Human-reviewed/annotated copies may be retained longer (reported as up to 4 years in related Workspace Experiments notices).

    labs.google

    Human review of prompts/outputs

    Google states interactions and outputs may be read/annotated by human reviewers for quality and safety, with account identifiers disconnected before review, per the shared Google Labs privacy framework.

    labs.google

    Enterprise admin controls

    No admin console toggle, org-wide DPA coverage, or Workspace core-services designation was found documented for Stitch specifically.

    support.google.com

    // Products & data scope

    Stitch (formerly Galileo AI)AI UI/UX design generation

    data: Text prompts, optional reference images/screenshots, and generated UI mockups/front-end code, processed by Google's Gemini models

    Single free product; no paid/enterprise tier, no self-hosting, no admin console found. Successor to the independent Galileo AI startup, which no longer exists as a separate company after its May 2025 acquisition by Google.

    // What to watch

    • IDENTITY: The 'Galileo AI' UI-design startup (getgalileo.ai) was acquired by Google in May 2025 and its product has been folded into 'Stitch' (stitch.withgoogle.com), a free Google Labs experiment. It is no longer an independent vendor with its own trust center, compliance program, or legal entity. AIFOXX's own tools.json entry already reflects this (status: 'acquired', url: stitch.withgoogle.com).
    • DO NOT CONFUSE with the unrelated company 'Galileo' (galileo.ai / rungalileo.io), an AI observability/evaluation platform for LLMs, separately being acquired by Cisco (2026). Different product, different founders, different certs and history; several web search results returned this unrelated company under 'Galileo AI' queries.
    • Evidence-capture failure: the raw scraped JSON for this slug contains only a German Google cookie-consent interstitial (google.com), with zero Stitch/Galileo content.
    • Findings on retention/training are inferred by analogy from Google's structurally identical labs.google/fx privacy notice and Google's general Privacy Policy -- a human should directly re-verify the live stitch.withgoogle.com/privacy page.
    • OVER-CLAIM WARNING: third-party SEO/marketing blogs (e.g. two99.org) claim Stitch has 'SOC2 Type II (achieved Feb 2026)', ISO 27001, 'HIPAA-eligible' status, a Google Cloud Marketplace on-prem offering, and a 99.99% SLA. None of these claims appear on any google.com or withgoogle.com domain, and the source blog conflates its own site's certification badges with Stitch's in the same paragraph -- treat as unreliable and do not surface these claims to users.

    // At a glance

    Pricing model

    Free (Google Labs experiment; no confirmed paid tier)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Google LLC (product formerly operated by Galileo Technologies Inc., d/b/a "Galileo AI", acquired by Google in May 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    stitch.withgoogle.com

    > Browse all vendor trust reports