// Trust & Security Report

    Krea, Inc. logo

    Krea, Inc.

    AI creative suite for image, video, and 3D generation/editing (Krea app, Krea 2 realtime/native models, upscaling, LoRA fine-tuning) plus a pay-per-use API, a Business/Enterprise tier with contractual data protections, and separately licensed open-weight Krea 2 models distributed on Hugging Face.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    SOC2 Bridge Letter ... Request | Krea operates a continuously monitored and third-party audited security program. This page provides access to trust resources including policies, audits, pentests, and real-time status against security controls.

    Verify on trust.krea.ai
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Krea's own trust center (trust.krea.ai) lists only a SOC2 Bridge Letter, CAIQ v4.0.2, and a 2025 pen test as requestable documents; ISO 27001 is not mentioned anywhere on krea.ai or trust.krea.ai. A third-party research aggregator (Contrary Research) states Krea was 'expected to launch...with compliance credentials including SOC 2 Type II and ISO 27001' but this is a forward-looking, unconfirmed third-party statement, not a vendor claim or proof.

    source: trust.krea.ai
    GDPR
    NOT CONFIRMED

    GDPR is a regulation, not a certifiable standard, so it is graded on posture rather than a badge. Krea's trust center lists an 'Enterprise Data Processing Addendum (DPA)' available on request and a linked Privacy Policy, but no vendor page publishes GDPR-specific representations (EU representative, SCCs, EU data residency). See privacy object for detail.

    source: trust.krea.ai
    HIPAA
    NOT CONFIRMED

    No public evidence. No mention of HIPAA, PHI, or a Business Associate Agreement anywhere on krea.ai or trust.krea.ai. Product is a general creative/generative-media tool, not marketed for healthcare data.

    source: trust.krea.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence and likely not applicable directly to Krea: payment processing is delegated to Stripe (listed as a subprocessor: 'Stripe / Payment Processing / Data location: US'), which typically removes Krea itself from PCI DSS scope for card data.

    source: trust.krea.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not mentioned on krea.ai or trust.krea.ai.

    source: trust.krea.ai
    CSA STAR
    NOT CONFIRMED

    No CSA STAR registry listing found. Krea's trust center offers a 'CAIQv4.0.2' (CSA Consensus Assessment Initiative Questionnaire) as a requestable 'Security, Privacy, Compliance overview' document, which is a related CSA artifact but is not the same as a published CSA STAR certification/attestation, and no STAR listing is claimed.

    source: trust.krea.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence; product is a consumer/commercial creative-AI tool with no indication of targeting U.S. federal government customers.

    source: trust.krea.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US. Every subprocessor listed on the trust center (AWS, Stripe, GitHub, Grafana, PostHog, Cloudflare, Retool, Linear) shows 'Data location: US'; no EU or other regional hosting option is publicly documented.

    Training practice differs by plan tier. The Enterprise page states plainly: 'We never use customer data to train or improve our models, and we never will.' The Pricing page describes the Business plan as including 'data protection and no-training clauses for your content,' implying this is a paid/contractual protection rather than a default. The homepage also lists 'Do not train / Safely generate proprietary data' as a named feature/capability rather than a blanket guarantee, which is consistent with default Free/Basic/Pro usage being eligible for training unless a customer is on a Business/Enterprise agreement with a no-training clause. No single vendor page states an unconditional 'we never train on any user's content' for all tiers.

    // Security controls

    Encryption

    End-to-end encryption offered on the Enterprise/Business tier

    krea.ai

    SSO

    Single sign-on available for Enterprise/Business customers

    krea.ai

    Continuous compliance monitoring

    Continuously monitored by Secureframe against SOC 2-style Trust Service Criteria (Change Management, Availability, Organizational Management, Confidentiality, Vulnerability Management, Incident Response, Risk Assessment, Network Security, Access Security, Physical Security)

    trust.krea.ai

    Access control

    Unique Access IDs; periodic User Access Reviews; access to production restricted

    trust.krea.ai

    Vulnerability management

    Vulnerability and Patch Management Policy; recurring vulnerability scanning; third-party penetration test conducted in 2025

    trust.krea.ai

    Incident response

    Documented Incident Response Plan with periodic testing and incident tracking

    trust.krea.ai

    Business continuity

    Business Continuity and Disaster Recovery Policy with uptime/availability monitoring

    trust.krea.ai

    Vendor risk management

    Vendor SOC 2 reports (or equivalent) collected and reviewed from Krea's own vendors at least annually

    trust.krea.ai

    // Products & data scope

    Krea (Free / Basic / Pro)Consumer & prosumer AI image, video, and 3D generation/editing

    data: Standard consumer terms; content may be used to help train/improve models unless the account is on a plan with a contractual no-training clause

    Free tier: 100 compute units/day, limited model access. Basic/Pro add higher usage limits and model access.

    Krea BusinessTeam/SMB plan

    data: Includes contractual data protection and no-training clauses for submitted content, per Krea's pricing page

    Positioned as the entry point for legally binding no-training guarantees.

    Krea EnterpriseEnterprise plan (contact sales)

    data: End-to-end encryption, SSO, custom DPA, and an explicit 'never use customer data to train or improve our models' commitment

    Backed by the trust.krea.ai program (Secureframe-monitored controls, SOC2 bridge letter, pen test, CAIQ, Enterprise MSA available on request).

    Krea APIDeveloper API

    data: Pay-per-use programmatic access to the same generation/editing/upscaling models

    No API-specific security terms were found beyond the general trust center.

    Krea 2 (Raw / Turbo, open-weight models)Self-hostable open-weight generative models distributed under a custom community license

    data: Runs on the customer's own infrastructure once downloaded; not subject to Krea's SaaS data-handling terms

    Distributed via Hugging Face under the 'Krea 2 Community License Agreement'; separate legal terms from the hosted app.

    // What to watch

    • SOC 2 status is ambiguous on the public trust center: only a 'SOC2 Bridge Letter' is listed as a requestable resource, not the underlying SOC 2 report itself, and Type I vs Type II is never stated publicly. A bridge letter is only issued to organizations that have already completed at least one SOC 2 examination, so this is real (not fabricated) evidence of an underlying audit, but AIFOXX should request the actual report before displaying a firm 'SOC 2 Type II' badge.
    • A third-party aggregator (Contrary Research) states Krea 'is ISO 27001 compliant' / was 'expected to launch... with SOC 2 Type II and ISO 27001' -- this is speculative, forward-looking, third-party language, not confirmed on any krea.ai or trust.krea.ai page. Do not list ISO 27001 as held based on this source.
    • AI-training posture is tier-dependent and could read as an over-claim if generalized: the Enterprise page's blanket 'we never train on customer data' statement applies to Enterprise (and per pricing, Business) plans, while Free/Basic/Pro plans have no equivalent public no-training guarantee and 'Do not train' is marketed as a differentiated feature.
    • No HIPAA, PCI DSS, ISO/IEC 42001, CSA STAR, or FedRAMP evidence exists; none of these appear applicable to this product category today.
    • All subprocessors are US-hosted with no public EU data residency option, which is relevant context for GDPR-sensitive prospective customers even though Krea does offer an Enterprise DPA on request.

    // At a glance

    Pricing model

    Freemium SaaS (Free/Basic/Pro/Business monthly or annual subscriptions) plus custom-quoted Enterprise, pay-per-use API credits, and separately licensed open-weight models

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Krea, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.krea.ai

    > Browse all vendor trust reports