// Trust & Security Report
Khroma (solo/small team operation by George Hastings)
Free browser-based AI color palette generator for designers. Uses local neural networks to learn user color preferences and generate personalized palettes. No accounts, subscriptions, or cloud storage required.
Certifications held
0
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
No public evidence of SOC 2 Type 1 certification on khroma.co or vendor-domain trust pages. No trust center found.
No public evidence of SOC 2 Type 2 certification on khroma.co or vendor-domain trust pages. No trust center found.
No public evidence of ISO 27001 certification on khroma.co or vendor-domain trust pages. No trust center found.
No GDPR compliance documentation, Data Processing Agreement (DPA), or privacy policy found on khroma.co. Product stores user data exclusively in browser local storage (no cloud backend). No formal privacy policy published.
No public evidence of HIPAA compliance. Product scope (color palettes for designers) does not inherently require HIPAA; no healthcare data processing capability documented.
Product does not use cloud storage for user data. Not applicable. No certification evidence found.
Product uses browser-local storage only, not cloud. No certification evidence found.
No public evidence of PCI DSS certification. Product is free (no payment processing), so PCI DSS not typically applicable.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Browser-local only (no cloud backend)
Product uses a neural network trained once at startup by the user selecting 50 color preferences. The model is trained locally in the browser. No evidence of ongoing training on user-generated palettes or sharing of user data for model retraining. Local-storage-only architecture suggests no server-side data collection or training.
// Security controls
Data Storage Location
Browser local storage only. No cloud backend, no server-side storage of user data, no accounts.
Encryption in Transit
HTTPS on khroma.co (standard TLS). No explicit encryption statement from vendor.
Authentication
No authentication required. Product is public, no user accounts.
Data Deletion
User controls deletion via browser local storage management. No vendor-provided account deletion or data erasure mechanism (no accounts exist).
// Products & data scope
data: User color selections and generated palettes stored in browser local storage only. No personal identifiable information collected or stored. No user accounts.
Free, browser-based tool. Neural network training happens locally in user's browser. Palettes can be exported/imported manually. No cloud sync or account-based persistence.
// What to watch
- No privacy policy, terms of service, or legal documentation published on khroma.co. This is a gap for any web product, even free ones, though the local-storage-only architecture mitigates some risk.
- No trust center or compliance documentation found. Absence of SOC 2 / ISO 27001 is common for early-stage indie tools, but no explicit security documentation to reassure users.
- Founder-led solo/small team project with minimal public company structure information. No disclosed team size, funding, or organizational details beyond LinkedIn profile.
- AI model training posture is privacy-friendly (local, browser-only), but no formal data handling or AI governance documentation (ISO/IEC 42001, CSA STAR AI) published.
- Free pricing model with no disclosed revenue or business sustainability plan. Risk of service discontinuation without notice.
// At a glance
Pricing model
Free (no premium tiers, no monetization model published)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Khroma (solo/small team operation by George Hastings)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
careerfoundry.com