// Trust & Security Report

    Khroma (solo/small team operation by George Hastings) logo

    Khroma (solo/small team operation by George Hastings)

    Free browser-based AI color palette generator for designers. Uses local neural networks to learn user color preferences and generate personalized palettes. No accounts, subscriptions, or cloud storage required.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1)
    NOT CONFIRMED

    No public evidence of SOC 2 Type 1 certification on khroma.co or vendor-domain trust pages. No trust center found.

    SOC 2 (Type 2)
    NOT CONFIRMED

    No public evidence of SOC 2 Type 2 certification on khroma.co or vendor-domain trust pages. No trust center found.

    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on khroma.co or vendor-domain trust pages. No trust center found.

    GDPR Compliance
    NOT CONFIRMED

    No GDPR compliance documentation, Data Processing Agreement (DPA), or privacy policy found on khroma.co. Product stores user data exclusively in browser local storage (no cloud backend). No formal privacy policy published.

    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance. Product scope (color palettes for designers) does not inherently require HIPAA; no healthcare data processing capability documented.

    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    Product does not use cloud storage for user data. Not applicable. No certification evidence found.

    ISO 27018 (Personal Data Protection in Cloud)
    NOT CONFIRMED

    Product uses browser-local storage only, not cloud. No certification evidence found.

    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification. Product is free (no payment processing), so PCI DSS not typically applicable.

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Browser-local only (no cloud backend)

    Product uses a neural network trained once at startup by the user selecting 50 color preferences. The model is trained locally in the browser. No evidence of ongoing training on user-generated palettes or sharing of user data for model retraining. Local-storage-only architecture suggests no server-side data collection or training.

    // Security controls

    Data Storage Location

    Browser local storage only. No cloud backend, no server-side storage of user data, no accounts.

    Encryption in Transit

    HTTPS on khroma.co (standard TLS). No explicit encryption statement from vendor.

    Authentication

    No authentication required. Product is public, no user accounts.

    Data Deletion

    User controls deletion via browser local storage management. No vendor-provided account deletion or data erasure mechanism (no accounts exist).

    // Products & data scope

    Khroma Color Palette GeneratorDesign Tools / AI

    data: User color selections and generated palettes stored in browser local storage only. No personal identifiable information collected or stored. No user accounts.

    Free, browser-based tool. Neural network training happens locally in user's browser. Palettes can be exported/imported manually. No cloud sync or account-based persistence.

    // What to watch

    • No privacy policy, terms of service, or legal documentation published on khroma.co. This is a gap for any web product, even free ones, though the local-storage-only architecture mitigates some risk.
    • No trust center or compliance documentation found. Absence of SOC 2 / ISO 27001 is common for early-stage indie tools, but no explicit security documentation to reassure users.
    • Founder-led solo/small team project with minimal public company structure information. No disclosed team size, funding, or organizational details beyond LinkedIn profile.
    • AI model training posture is privacy-friendly (local, browser-only), but no formal data handling or AI governance documentation (ISO/IEC 42001, CSA STAR AI) published.
    • Free pricing model with no disclosed revenue or business sustainability plan. Risk of service discontinuation without notice.

    // At a glance

    Pricing model

    Free (no premium tiers, no monetization model published)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Khroma (solo/small team operation by George Hastings)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    careerfoundry.com

    > Browse all vendor trust reports