// Trust & Security Report

    Prisma Labs, Inc. logo

    Prisma Labs, Inc.

    Lensa — a consumer photo editing mobile app with AI-powered features including Magic Avatars, Art Styles, portrait retouching, background replacement, and effects. Owned by Prisma Labs, Inc. (Sunnyvale, CA).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance (Posture)
    HELD

    Lensa addresses GDPR requirements for EU/UK users, including rights to access, rectification, erasure, and portability. The company implements 'Standard Contractual Clauses' for data transfers outside the EEA and uses 'UK Addendum to the EU Standard Contractual Clauses' for UK transfers.

    Verify on legal.lensa.app
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence of SOC 2 certification found on vendor-domain sources (legal.lensa.app, lensa.app, prisma-ai.com).

    source: legal.lensa.app
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on vendor-domain sources.

    source: legal.lensa.app
    HIPAA
    NOT CONFIRMED

    Not applicable. Lensa is a consumer photo editing app with no healthcare data processing or HIPAA scope.

    source: legal.lensa.app
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor-domain sources.

    source: legal.lensa.app
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on vendor-domain sources.

    source: legal.lensa.app
    ISO 27018 (Cloud Privacy)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on vendor-domain sources.

    source: legal.lensa.app
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on vendor-domain sources.

    source: legal.lensa.app
    CSA STAR (Cloud Security Alliance)
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on vendor-domain sources.

    source: legal.lensa.app

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States (AWS, Google Cloud). Standard Contractual Clauses for EEA/UK data transfers.

    Official privacy policy states: 'We do not use your Personal Data to train and/or create separate artificial intelligence/products.' However, Lensa does train custom per-user models on uploaded face data to generate personalized Magic Avatars and effects; these custom models are not retained after generation. Historical reports and external sources (2022-2023) suggested broader data use for model training, but current official policy explicitly prohibits this. Photos for Magic Avatars are deleted immediately after generation; Art Styles photos retained max 24 hours on AWS; AI-Assistant features use OpenAI which retains photos up to 30 days.

    // Security controls

    Data Protection

    Lensa employs 'reasonable and appropriate information security safeguards' but acknowledges limitations: 'we cannot guarantee the security of the collected information transmitted to or through Lensa.' The company notes 'there is no ideal technology or measure to maintain 100% security.'

    legal.lensa.app

    Encryption Standards

    No specific encryption protocols or standards (TLS versions, AES encryption, etc.) are documented in the public privacy policy or terms of service.

    legal.lensa.app

    Third-Party Data Processing

    User data shared with affiliates (Palta companies in Cyprus), AWS, Google Cloud Platform, Firebase, AppsFlyer, Amplitude, and OpenAI (for AI-Assistant features). Data may be disclosed during mergers or in response to legal requests.

    lensa.app

    Data Breach Notification

    Lensa commits to 'informing you of such security incident in accordance with our Privacy Policy' when data loss occurs outside their control.

    legal.lensa.app

    Third-Party Security Audits

    No public security audit reports, penetration testing results, or third-party security certifications found on vendor-domain sources.

    legal.lensa.app

    // Products & data scope

    Lensa Photo Editor (Mobile App)Consumer Photo Editing / AI Effects

    data: User uploads photos/videos; processes via cloud (AWS, GCP); generates AI effects (Magic Avatars, Art Styles, portrait retouching, background blur/replacement); deletes originals per retention policy.

    Primary product. Processes biometric data (facial geometry) via Apple's TrueDepth API. Trains temporary per-user models for avatar/effect generation only. Available on iOS and Android.

    // What to watch

    • NO FORMAL COMPLIANCE CERTIFICATIONS: Despite processing biometric data (facial geometry), Lensa holds no public SOC 2, ISO 27001, ISO 27017, or ISO 27018 certifications. This is unusual for a company handling sensitive personal data.
    • BBB F RATING: Better Business Bureau rates Prisma Labs, Inc. as 'F' due to failure to respond to 2 filed complaints. BBB file opened 12/5/2022; business started 5/15/2016. This raises questions about responsiveness to compliance issues.
    • AI TRAINING CONTRADICTION: Official privacy policy states 'We do not use your Personal Data to train separate AI products,' but historical reports (ArtNews, ArtMajeur, 2022-2023) and earlier ToS language suggest Lensa previously used user data for AI model training. Current policy appears to narrowly exclude per-user custom model training (used only for that user's avatars/effects) from the definition of 'training separate products.' This ambiguity should be clarified.
    • WEAK DATA SECURITY POSTURE: Privacy policy explicitly states Lensa 'cannot guarantee the security' and 'there is no ideal technology or measure to maintain 100% security.' This low-assurance language is concerning for a vendor processing biometric/facial data.
    • NO ENCRYPTION SPECIFICATIONS: Public privacy policy and terms do not specify encryption standards, protocols, or key management practices for data in transit or at rest.
    • NO PUBLIC TRUST CENTER: Lensa does not publish a trust center, security documentation, or compliance audit reports on its vendor domain.
    • BIOMETRIC DATA WITH MINIMAL OVERSIGHT: Lensa collects facial geometry (via Apple TrueDepth) and other biometric data without formal security certifications or third-party audits. BIPA lawsuit filed (Illinois Biometric Information Privacy Act) alleging collection of facial geometry without proper consent.
    • COPYRIGHTS/LICENSING CONCERN: Lensa's underlying Magic Avatars and Art Styles models use third-party models (Stable Diffusion) trained on internet images with unclear licensing. While this does not directly implicate Lensa's data handling, it raises questions about IP governance and vendor oversight of third-party dependencies.
    • DATA RETENTION GAPS: Data retention policies vary by feature (24 hours for Art Styles, immediate for Magic Avatars, 30 days for AI-Assistant via OpenAI). No global data retention policy; complex multi-vendor data lifecycle.
    • MINIMAL GDPR CERTIFICATION: Lensa claims GDPR compliance via Standard Contractual Clauses but provides no formal assessment letter, Data Protection Impact Assessment (DPIA), or auditor confirmation of adequacy of safeguards.

    // At a glance

    Pricing model

    Freemium (free app with in-app purchases for credits and subscriptions). Virtual item purchases are 'final and non-refundable.'

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Prisma Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    legal.lensa.app

    > Browse all vendor trust reports