// Trust & Security Report
Ideogram, Inc.
AI image generation and visual design platform (consumer app, API, enterprise custom models)
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ideogram.ai“SOC 2 - Audited security, availability, and confidentiality controls. [...] SOC 2 audited. Your inputs aren't used to train shared models.”
> Show 10 unconfirmed / not-held certifications
source: ideogram.aiNo public evidence of ISO 27001 certification on ideogram.ai, trust.ideogram.ai, or the enterprise page as of 2026-06-29.
source: ideogram.aiDPA available for enterprise customers on request but no GDPR certification claimed. Privacy policy references user rights but lacks a dedicated GDPR section and names no EU-US data transfer mechanisms (e.g., SCCs).
source: ideogram.aiNo public evidence of HIPAA compliance or BAA availability on ideogram.ai, trust.ideogram.ai, or the enterprise page as of 2026-06-29.
source: ideogram.aiNo public evidence of PCI DSS compliance found on vendor domain as of 2026-06-29.
source: ideogram.aiNo public evidence of ISO 27017 certification found on vendor domain as of 2026-06-29.
source: ideogram.aiNo public evidence of ISO 27018 certification found on vendor domain as of 2026-06-29.
source: ideogram.aiNo public evidence of ISO 27701 certification found on vendor domain as of 2026-06-29.
source: ideogram.aiNo public evidence of ISO 42001 certification found on vendor domain as of 2026-06-29.
source: ideogram.aiNo public evidence of CSA STAR certification found on vendor domain as of 2026-06-29.
source: ideogram.aiNo public evidence of FedRAMP authorization found on vendor domain as of 2026-06-29.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Not disclosed. Privacy policy states data 'may be stored, transferred to and processed outside of your country of residence, including transferred to recipients in other countries which may have data privacy or protection rules that are different from your country of residence or citizenship.' No specific geographic regions named.
Tier-dependent. API ToS states: 'the Company agrees that it shall not use any User Input or User Output to train the Ideogram AI Model, except if any such User Input or User Output is flagged as violating the Company's Usage Policies.' Enterprise page states: 'Enterprise inputs aren't used to train Ideogram's shared models. Custom training on your data is opt-in.' Consumer app ToS grants a broad license to 'access, use, host, cache, store, reproduce, transmit, display, publish, distribute, and modify...Your Content' for service operation and improvement, which may encompass model training; no explicit training opt-out is provided for consumer app users. Legacy consumer ToS and current AI practices should be reviewed together before relying on consumer-tier data isolation.
// Security controls
Encryption in transit
Employed. Trust center lists 'Data encryption utilized' as a product security control. Protocol specifics not publicly disclosed.
trust.ideogram.aiEncryption at rest / key management
Trust center lists 'Encryption key access restricted' as an infrastructure security control. Algorithm and key management details not publicly disclosed.
trust.ideogram.aiPenetration testing
Trust center states 'Penetration testing performed' as a product security control. Frequency and scope not publicly disclosed.
trust.ideogram.aiDisaster recovery
Trust center states 'Continuity and Disaster Recovery plans established' and 'Continuity and Disaster Recovery plans tested' under internal security procedures.
trust.ideogram.aiAuthentication controls
Trust center lists 'Unique account authentication enforced' and 'Unique production database authentication enforced' as infrastructure controls.
trust.ideogram.aiConfiguration management
Trust center states 'Configuration management system established' under internal security procedures.
trust.ideogram.aiAsset disposal
Trust center states 'Asset disposal procedures utilized' under organizational security controls.
trust.ideogram.aiCustomer data deletion
Trust center states 'Customer data deleted upon leaving' under data and privacy controls.
trust.ideogram.aiSelf-assessments
Trust center states 'Control self-assessments conducted' under product security.
trust.ideogram.ai// Products & data scope
data: User prompts, uploaded images, generated outputs, account data. Images are public by default unless private generation is enabled.
Consumer ToS grants Ideogram a broad license to use content to 'improve the Services', which may include model training. No explicit training opt-out for consumer app users. Free-tier images may not be deletable after generation. Moderate privacy risk for users submitting sensitive content.
data: API user input prompts and uploaded images; generated outputs.
API ToS explicitly prohibits using user input or output to train the Ideogram AI Model (except content flagged for policy violations). No shared-model training by default. Developers must provide their own privacy notice to end users and must not submit health or children's data without required consents.
data: Customer brand assets (opt-in for custom model training), production image inputs and outputs.
Enterprise inputs not used to train shared models. Custom model training is opt-in only. SOC 2 audited. DPA available for EU customers (on request via enterprise sales). Data retention configurable to as low as 30 minutes. SSO via Microsoft and Google. Procurement documentation (DPAs, security questionnaires) available on request.
// What to watch
- SOC 2 claimed verbatim on enterprise page ('SOC 2 audited') but audit type (Type I vs. Type II) and auditor name are not publicly disclosed. Report access requires NDA via trust center Engagement Letter.
- Consumer app AI training posture is ambiguous: ToS grants a broad license to improve the Services but no explicit opt-out from model training is offered to free or paid app users.
- API ToS prohibits training on user data by default, but consumer app ToS does not contain an equivalent prohibition, creating a cross-tier inconsistency that buyers should clarify.
- DPA available on request for enterprise EU customers but not publicly posted; no SCCs, Binding Corporate Rules, or other EU-US transfer mechanism is publicly named.
- No data residency guarantees confirmed. Privacy policy states data may be processed 'outside of your country of residence' without naming specific regions or countries.
- No ISO 27001, HIPAA, FedRAMP, CSA STAR, ISO 42001, ISO 27017, ISO 27018, or PCI DSS certifications found on vendor domain.
- Privacy policy lacks a dedicated GDPR section and does not name applicable EU data transfer mechanisms.
- Third-party assessment (VerifyWise AI Trust Index) rated Ideogram F (34/100), citing gaps in training opt-out disclosure, data minimization, security controls transparency, and breach notification procedures.
// At a glance
Pricing model
Freemium (consumer app with free and paid tiers) + API pay-per-generation + Enterprise custom contract
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ideogram, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.ideogram.ai