// Trust & Security Report
Krea, Inc.
AI creative suite for image, video, and 3D generation/editing (Krea app, Krea 2 realtime/native models, upscaling, LoRA fine-tuning) plus a pay-per-use API, a Business/Enterprise tier with contractual data protections, and separately licensed open-weight Krea 2 models distributed on Hugging Face.
Certifications held
1
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.krea.ai“SOC2 Bridge Letter ... Request | Krea operates a continuously monitored and third-party audited security program. This page provides access to trust resources including policies, audits, pentests, and real-time status against security controls.”
> Show 7 unconfirmed / not-held certifications
source: trust.krea.aiNo public evidence. Krea's own trust center (trust.krea.ai) lists only a SOC2 Bridge Letter, CAIQ v4.0.2, and a 2025 pen test as requestable documents; ISO 27001 is not mentioned anywhere on krea.ai or trust.krea.ai. A third-party research aggregator (Contrary Research) states Krea was 'expected to launch...with compliance credentials including SOC 2 Type II and ISO 27001' but this is a forward-looking, unconfirmed third-party statement, not a vendor claim or proof.
source: trust.krea.aiGDPR is a regulation, not a certifiable standard, so it is graded on posture rather than a badge. Krea's trust center lists an 'Enterprise Data Processing Addendum (DPA)' available on request and a linked Privacy Policy, but no vendor page publishes GDPR-specific representations (EU representative, SCCs, EU data residency). See privacy object for detail.
source: trust.krea.aiNo public evidence. No mention of HIPAA, PHI, or a Business Associate Agreement anywhere on krea.ai or trust.krea.ai. Product is a general creative/generative-media tool, not marketed for healthcare data.
source: trust.krea.aiNo public evidence and likely not applicable directly to Krea: payment processing is delegated to Stripe (listed as a subprocessor: 'Stripe / Payment Processing / Data location: US'), which typically removes Krea itself from PCI DSS scope for card data.
source: trust.krea.aiNo public evidence. Not mentioned on krea.ai or trust.krea.ai.
source: trust.krea.aiNo CSA STAR registry listing found. Krea's trust center offers a 'CAIQv4.0.2' (CSA Consensus Assessment Initiative Questionnaire) as a requestable 'Security, Privacy, Compliance overview' document, which is a related CSA artifact but is not the same as a published CSA STAR certification/attestation, and no STAR listing is claimed.
source: trust.krea.aiNo public evidence; product is a consumer/commercial creative-AI tool with no indication of targeting U.S. federal government customers.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
US. Every subprocessor listed on the trust center (AWS, Stripe, GitHub, Grafana, PostHog, Cloudflare, Retool, Linear) shows 'Data location: US'; no EU or other regional hosting option is publicly documented.
Training practice differs by plan tier. The Enterprise page states plainly: 'We never use customer data to train or improve our models, and we never will.' The Pricing page describes the Business plan as including 'data protection and no-training clauses for your content,' implying this is a paid/contractual protection rather than a default. The homepage also lists 'Do not train / Safely generate proprietary data' as a named feature/capability rather than a blanket guarantee, which is consistent with default Free/Basic/Pro usage being eligible for training unless a customer is on a Business/Enterprise agreement with a no-training clause. No single vendor page states an unconditional 'we never train on any user's content' for all tiers.
// Security controls
Continuous compliance monitoring
Continuously monitored by Secureframe against SOC 2-style Trust Service Criteria (Change Management, Availability, Organizational Management, Confidentiality, Vulnerability Management, Incident Response, Risk Assessment, Network Security, Access Security, Physical Security)
trust.krea.aiAccess control
Unique Access IDs; periodic User Access Reviews; access to production restricted
trust.krea.aiVulnerability management
Vulnerability and Patch Management Policy; recurring vulnerability scanning; third-party penetration test conducted in 2025
trust.krea.aiIncident response
Documented Incident Response Plan with periodic testing and incident tracking
trust.krea.aiBusiness continuity
Business Continuity and Disaster Recovery Policy with uptime/availability monitoring
trust.krea.aiVendor risk management
Vendor SOC 2 reports (or equivalent) collected and reviewed from Krea's own vendors at least annually
trust.krea.ai// Products & data scope
data: Standard consumer terms; content may be used to help train/improve models unless the account is on a plan with a contractual no-training clause
Free tier: 100 compute units/day, limited model access. Basic/Pro add higher usage limits and model access.
data: Includes contractual data protection and no-training clauses for submitted content, per Krea's pricing page
Positioned as the entry point for legally binding no-training guarantees.
data: End-to-end encryption, SSO, custom DPA, and an explicit 'never use customer data to train or improve our models' commitment
Backed by the trust.krea.ai program (Secureframe-monitored controls, SOC2 bridge letter, pen test, CAIQ, Enterprise MSA available on request).
data: Pay-per-use programmatic access to the same generation/editing/upscaling models
No API-specific security terms were found beyond the general trust center.
data: Runs on the customer's own infrastructure once downloaded; not subject to Krea's SaaS data-handling terms
Distributed via Hugging Face under the 'Krea 2 Community License Agreement'; separate legal terms from the hosted app.
// What to watch
- SOC 2 status is ambiguous on the public trust center: only a 'SOC2 Bridge Letter' is listed as a requestable resource, not the underlying SOC 2 report itself, and Type I vs Type II is never stated publicly. A bridge letter is only issued to organizations that have already completed at least one SOC 2 examination, so this is real (not fabricated) evidence of an underlying audit, but AIFOXX should request the actual report before displaying a firm 'SOC 2 Type II' badge.
- A third-party aggregator (Contrary Research) states Krea 'is ISO 27001 compliant' / was 'expected to launch... with SOC 2 Type II and ISO 27001' -- this is speculative, forward-looking, third-party language, not confirmed on any krea.ai or trust.krea.ai page. Do not list ISO 27001 as held based on this source.
- AI-training posture is tier-dependent and could read as an over-claim if generalized: the Enterprise page's blanket 'we never train on customer data' statement applies to Enterprise (and per pricing, Business) plans, while Free/Basic/Pro plans have no equivalent public no-training guarantee and 'Do not train' is marketed as a differentiated feature.
- No HIPAA, PCI DSS, ISO/IEC 42001, CSA STAR, or FedRAMP evidence exists; none of these appear applicable to this product category today.
- All subprocessors are US-hosted with no public EU data residency option, which is relevant context for GDPR-sensitive prospective customers even though Krea does offer an Enterprise DPA on request.
// At a glance
Pricing model
Freemium SaaS (Free/Basic/Pro/Business monthly or annual subscriptions) plus custom-quoted Enterprise, pay-per-use API credits, and separately licensed open-weight models
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Krea, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.krea.ai