// Trust & Security Report

    Ideogram, Inc. logo

    Ideogram, Inc.

    AI image generation and visual design platform (consumer app, API, enterprise custom models)

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    SOC 2 - Audited security, availability, and confidentiality controls. [...] SOC 2 audited. Your inputs aren't used to train shared models.

    Verify on ideogram.ai
    > Show 10 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on ideogram.ai, trust.ideogram.ai, or the enterprise page as of 2026-06-29.

    source: ideogram.ai
    GDPR
    NOT CONFIRMED

    DPA available for enterprise customers on request but no GDPR certification claimed. Privacy policy references user rights but lacks a dedicated GDPR section and names no EU-US data transfer mechanisms (e.g., SCCs).

    source: ideogram.ai
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability on ideogram.ai, trust.ideogram.ai, or the enterprise page as of 2026-06-29.

    source: ideogram.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance found on vendor domain as of 2026-06-29.

    source: ideogram.ai
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on vendor domain as of 2026-06-29.

    source: ideogram.ai
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on vendor domain as of 2026-06-29.

    source: ideogram.ai
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on vendor domain as of 2026-06-29.

    source: ideogram.ai
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on vendor domain as of 2026-06-29.

    source: ideogram.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on vendor domain as of 2026-06-29.

    source: ideogram.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on vendor domain as of 2026-06-29.

    source: ideogram.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Not disclosed. Privacy policy states data 'may be stored, transferred to and processed outside of your country of residence, including transferred to recipients in other countries which may have data privacy or protection rules that are different from your country of residence or citizenship.' No specific geographic regions named.

    Tier-dependent. API ToS states: 'the Company agrees that it shall not use any User Input or User Output to train the Ideogram AI Model, except if any such User Input or User Output is flagged as violating the Company's Usage Policies.' Enterprise page states: 'Enterprise inputs aren't used to train Ideogram's shared models. Custom training on your data is opt-in.' Consumer app ToS grants a broad license to 'access, use, host, cache, store, reproduce, transmit, display, publish, distribute, and modify...Your Content' for service operation and improvement, which may encompass model training; no explicit training opt-out is provided for consumer app users. Legacy consumer ToS and current AI practices should be reviewed together before relying on consumer-tier data isolation.

    // Security controls

    Encryption in transit

    Employed. Trust center lists 'Data encryption utilized' as a product security control. Protocol specifics not publicly disclosed.

    trust.ideogram.ai

    Encryption at rest / key management

    Trust center lists 'Encryption key access restricted' as an infrastructure security control. Algorithm and key management details not publicly disclosed.

    trust.ideogram.ai

    Penetration testing

    Trust center states 'Penetration testing performed' as a product security control. Frequency and scope not publicly disclosed.

    trust.ideogram.ai

    Disaster recovery

    Trust center states 'Continuity and Disaster Recovery plans established' and 'Continuity and Disaster Recovery plans tested' under internal security procedures.

    trust.ideogram.ai

    Authentication controls

    Trust center lists 'Unique account authentication enforced' and 'Unique production database authentication enforced' as infrastructure controls.

    trust.ideogram.ai

    SSO (enterprise)

    SSO via Microsoft and Google available for enterprise customers.

    ideogram.ai

    Data retention (enterprise)

    Configurable down to 30 minutes for enterprise customers.

    ideogram.ai

    Configuration management

    Trust center states 'Configuration management system established' under internal security procedures.

    trust.ideogram.ai

    Asset disposal

    Trust center states 'Asset disposal procedures utilized' under organizational security controls.

    trust.ideogram.ai

    Customer data deletion

    Trust center states 'Customer data deleted upon leaving' under data and privacy controls.

    trust.ideogram.ai

    Self-assessments

    Trust center states 'Control self-assessments conducted' under product security.

    trust.ideogram.ai

    // Products & data scope

    Ideogram AppConsumer and prosumer AI image generation

    data: User prompts, uploaded images, generated outputs, account data. Images are public by default unless private generation is enabled.

    Consumer ToS grants Ideogram a broad license to use content to 'improve the Services', which may include model training. No explicit training opt-out for consumer app users. Free-tier images may not be deletable after generation. Moderate privacy risk for users submitting sensitive content.

    Ideogram APIDeveloper API for image generation, editing, and upscaling

    data: API user input prompts and uploaded images; generated outputs.

    API ToS explicitly prohibits using user input or output to train the Ideogram AI Model (except content flagged for policy violations). No shared-model training by default. Developers must provide their own privacy notice to end users and must not submit health or children's data without required consents.

    Ideogram EnterpriseEnterprise custom image model, workflow automation, and branded model training

    data: Customer brand assets (opt-in for custom model training), production image inputs and outputs.

    Enterprise inputs not used to train shared models. Custom model training is opt-in only. SOC 2 audited. DPA available for EU customers (on request via enterprise sales). Data retention configurable to as low as 30 minutes. SSO via Microsoft and Google. Procurement documentation (DPAs, security questionnaires) available on request.

    // What to watch

    • SOC 2 claimed verbatim on enterprise page ('SOC 2 audited') but audit type (Type I vs. Type II) and auditor name are not publicly disclosed. Report access requires NDA via trust center Engagement Letter.
    • Consumer app AI training posture is ambiguous: ToS grants a broad license to improve the Services but no explicit opt-out from model training is offered to free or paid app users.
    • API ToS prohibits training on user data by default, but consumer app ToS does not contain an equivalent prohibition, creating a cross-tier inconsistency that buyers should clarify.
    • DPA available on request for enterprise EU customers but not publicly posted; no SCCs, Binding Corporate Rules, or other EU-US transfer mechanism is publicly named.
    • No data residency guarantees confirmed. Privacy policy states data may be processed 'outside of your country of residence' without naming specific regions or countries.
    • No ISO 27001, HIPAA, FedRAMP, CSA STAR, ISO 42001, ISO 27017, ISO 27018, or PCI DSS certifications found on vendor domain.
    • Privacy policy lacks a dedicated GDPR section and does not name applicable EU data transfer mechanisms.
    • Third-party assessment (VerifyWise AI Trust Index) rated Ideogram F (34/100), citing gaps in training opt-out disclosure, data minimization, security controls transparency, and breach notification procedures.

    // At a glance

    Pricing model

    Freemium (consumer app with free and paid tiers) + API pay-per-generation + Enterprise custom contract

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ideogram, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.ideogram.ai

    > Browse all vendor trust reports