// Trust & Security Report
Google LLC (product formerly operated by Galileo Technologies Inc., d/b/a "Galileo AI", acquired by Google in May 2025)
AI-generated UI/UX design tool that turns text prompts into editable mobile/web UI mockups with Figma export. Originally an independent startup (Galileo AI, getgalileo.ai), acquired by Google and relaunched as "Stitch" (stitch.withgoogle.com), a free Gemini-powered Google Labs experiment. No independent company or trust center exists anymore for this product.
Certifications held
0
Maturity
Unknown
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: cloud.google.comNo SOC 2 attestation is named on any google.com / withgoogle.com page for Stitch. Google Cloud Platform itself holds SOC 2 (cloud.google.com/security/compliance/soc-2), but that is the infrastructure host's certification, not a documented Stitch-product attestation. Third-party SEO blogs claim 'SOC2 Type II achieved Feb 2026' for Stitch but this appears on no Google-owned domain and is treated as unverified marketing content.
source: cloud.google.comNo ISO 27001 scope statement naming Stitch was found on any google.com / withgoogle.com page. Google Cloud Platform separately holds ISO 27001 for its own cloud services; no evidence this extends specifically to the free Stitch Labs experiment.
source: policies.google.comGoogle as a company documents general GDPR compliance (Standard Contractual Clauses / EU-U.S. Data Privacy Framework participation) at the corporate level, but that is the parent/host posture, not a Stitch-product attestation; treated as no public product-specific evidence rather than a held certification.
source: labs.googleNo HIPAA eligibility or BAA offering for Stitch is stated on any Google-owned domain. Stitch is a free consumer/experimental tool; Google's own Labs privacy notices instruct users not to enter sensitive, confidential, or personal information into prompts, which is inconsistent with HIPAA-covered use. Third-party blog claims of 'HIPAA-eligible' status could not be corroborated on any Google domain.
source: stitch.withgoogle.comNo public evidence found on any Google-owned domain of an ISO 42001 certification scoped to Stitch or the former Galileo AI product.
source: stitch.withgoogle.comNo public evidence of CSA STAR registration or attestation for Stitch.
source: stitch.withgoogle.comNot applicable / no public evidence; Stitch is a free tool with no payment processing surface identified.
source: cloud.google.comNo public evidence that Stitch specifically holds a FedRAMP authorization. Certain Google Cloud/Workspace services hold FedRAMP High, but this is not documented as covering the free Stitch Labs experiment.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not publicly specified for Stitch; runs on Google's global infrastructure with no documented region/residency controls for this product.
Tier-dependent and not confirmed Stitch-specific: per Google's structurally identical Labs/Workspace Experiments privacy notices, general/consumer-account interactions ARE used to help train Google's generative AI models (data retained up to 18 months, with human-reviewed copies retained longer), while signed-in Google Workspace accounts are explicitly excluded from generative-model training. No Stitch-specific carve-out statement was directly retrievable; this is inferred from Google's shared Labs privacy framework at labs.google/fx/privacy and should be re-verified manually against the live Stitch privacy page.
// Security controls
Encryption in transit
Not independently confirmed on a Stitch-specific page; Google's platform-wide practice is TLS encryption for all products, but no Stitch-specific security page was found to cite directly.
policies.google.comData retention (default)
Up to 18 months for interaction/history data under Google's Labs experiment framework (proxy: labs.google/fx notice); reduced to roughly 72 hours if history is disabled. Human-reviewed/annotated copies may be retained longer (reported as up to 4 years in related Workspace Experiments notices).
labs.googleHuman review of prompts/outputs
Google states interactions and outputs may be read/annotated by human reviewers for quality and safety, with account identifiers disconnected before review, per the shared Google Labs privacy framework.
labs.googleEnterprise admin controls
No admin console toggle, org-wide DPA coverage, or Workspace core-services designation was found documented for Stitch specifically.
support.google.com// Products & data scope
data: Text prompts, optional reference images/screenshots, and generated UI mockups/front-end code, processed by Google's Gemini models
Single free product; no paid/enterprise tier, no self-hosting, no admin console found. Successor to the independent Galileo AI startup, which no longer exists as a separate company after its May 2025 acquisition by Google.
// What to watch
- IDENTITY: The 'Galileo AI' UI-design startup (getgalileo.ai) was acquired by Google in May 2025 and its product has been folded into 'Stitch' (stitch.withgoogle.com), a free Google Labs experiment. It is no longer an independent vendor with its own trust center, compliance program, or legal entity. AIFOXX's own tools.json entry already reflects this (status: 'acquired', url: stitch.withgoogle.com).
- DO NOT CONFUSE with the unrelated company 'Galileo' (galileo.ai / rungalileo.io), an AI observability/evaluation platform for LLMs, separately being acquired by Cisco (2026). Different product, different founders, different certs and history; several web search results returned this unrelated company under 'Galileo AI' queries.
- Evidence-capture failure: the raw scraped JSON for this slug contains only a German Google cookie-consent interstitial (google.com), with zero Stitch/Galileo content.
- Findings on retention/training are inferred by analogy from Google's structurally identical labs.google/fx privacy notice and Google's general Privacy Policy -- a human should directly re-verify the live stitch.withgoogle.com/privacy page.
- OVER-CLAIM WARNING: third-party SEO/marketing blogs (e.g. two99.org) claim Stitch has 'SOC2 Type II (achieved Feb 2026)', ISO 27001, 'HIPAA-eligible' status, a Google Cloud Marketplace on-prem offering, and a 99.99% SLA. None of these claims appear on any google.com or withgoogle.com domain, and the source blog conflates its own site's certification badges with Stitch's in the same paragraph -- treat as unreliable and do not surface these claims to users.
// At a glance
Pricing model
Free (Google Labs experiment; no confirmed paid tier)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Google LLC (product formerly operated by Galileo Technologies Inc., d/b/a "Galileo AI", acquired by Google in May 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
stitch.withgoogle.com