// Trust & Security Report

    Leonardo Interactive Pty Ltd (owned by Canva) logo

    Leonardo Interactive Pty Ltd (owned by Canva)

    Generative AI platform for creating, editing, and animating images and videos using AI models. Features include image generation, video generation, image upscaling, background removal, custom model training, and real-time canvas editing. Serves individual creators and enterprise teams.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Leonardo.ai is fully SOC 2 Type I and Type II accredited, demonstrating our commitment to the highest standards of security, availability, and data integrity.

    Verify on leonardo.ai
    SOC 2 Type II
    HELD

    Leonardo.ai is fully SOC 2 Type I and Type II accredited, demonstrating our commitment to the highest standards of security, availability, and data integrity.

    Verify on leonardo.ai
    GDPR
    HELD

    Leonardo's Data Processing Addendum implements EU GDPR and UK GDPR obligations: it incorporates the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914 of 4 June 2021, controller-to-processor module) for restricted transfers and designates the European Data Protection Office (EDPO) in Dublin and EDPO UK in London as its EU/UK representatives. Verified on the vendor DPA page; the homepage does not mention GDPR.

    Verify on leonardo.ai
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on Leonardo.ai's domain. Third-party sources (Nudge Security) claim compliance, but vendor documentation does not reference this certification. Parent company Canva holds ISO 27001.

    source: leonardo.ai
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance. Leonardo.ai is a consumer/enterprise creative AI tool, not a healthcare-focused product. No HIPAA-specific documentation found on vendor domain.

    source: leonardo.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance. Leonardo.ai does not directly process payment card data (payments handled by third parties). No PCI DSS documentation on vendor domain.

    source: leonardo.ai
    FedRamp
    NOT CONFIRMED

    No public evidence of FedRamp authorization. Not found on Leonardo.ai or parent company Canva's documentation. FedRamp is for US government cloud services, outside Leonardo's scope.

    source: leonardo.ai
    CSA STAR Level 1
    NOT CONFIRMED

    No public evidence of CSA STAR Level 1 certification on vendor domain. CSA STAR requires detailed cloud security certification and governance documentation.

    source: leonardo.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Multiple (uses AWS, Vercel, Google Workspace, Auth0 as infrastructure partners)

    Tiered approach: Free tier content is public and used for training AI models and developing new offerings. Paid tier content can be marked private and explicitly NOT used for training. Users on paid plans retain full control over whether content is used for model training.

    // Security controls

    Encryption in Transit

    TLS 1.2 or higher for data transmitted over public networks

    leonardo.ai

    Encryption at Rest

    AES 256 or stronger for customer personal data stored on Leonardo's servers

    leonardo.ai

    Penetration Testing

    Annual third-party penetration testing of application and infrastructure

    leonardo.ai

    Vulnerability Scanning

    Third-party application vulnerability scanning service employed

    leonardo.ai

    Employee Security Training

    Information security awareness training required at employment start and annually thereafter

    leonardo.ai

    Data Deletion

    Automated process for deleting customer personal data on request within 30 days

    leonardo.ai

    Data Export

    Customers can request download of their personal data

    leonardo.ai

    International Data Transfers

    EU Model Clauses and UK International Data Transfer Addendum for transfers outside Europe

    leonardo.ai

    // Products & data scope

    Image GenerationGenerative AI

    data: Free and paid tiers; free tier content used for training, paid tier can be private

    Supports multiple models including Nano Banana (Google), GPT models, and Leonardo's proprietary models. Available as web app and mobile app.

    Video GenerationGenerative AI

    data: Free and paid tiers; free tier content used for training, paid tier can be private

    Supports Veo 3 (Google) and Kling Video 3.0. Can generate video from text prompts or animate images.

    Image Editing & UpscalingGenerative AI

    data: Free and paid tiers; free tier content used for training, paid tier can be private

    Includes background remover, image upscaler, precision editing tools.

    Custom Model TrainingGenerative AI

    data: Available in paid plans; user-uploaded training data scope unclear

    Allows users to train custom models on their own images.

    APIDeveloper Tools

    data: For commercial integrations; paid tier with private option

    Official Leonardo.ai SDK and REST API for developers.

    Leonardo for TeamsEnterprise

    data: Enterprise-grade security, private content storage, team collaboration

    Includes SOC 2 compliance, SSO support, private model hosting, team collaboration features.

    // What to watch

    • OVER-CLAIM ALERT: Nudge Security profile claims Leonardo.ai holds ISO 27001, HIPAA, FedRamp, PCI DSS, and CSA STAR Level 1 certifications. These are not documented on Leonardo's official domain (leonardo.ai). Only SOC 2 Type I/II and GDPR are verifiable from vendor documentation. Recommend contacting Leonardo.ai to clarify which of these claims are accurate.
    • ISO 27001 not found: Third-party source (Rankiteo) explicitly states Leonardo.ai is NOT certified under ISO 27001, contradicting Nudge Security claim.
    • HIPAA & FedRamp unlikely: Leonardo.ai is a consumer/creative AI platform, not healthcare-focused. Parent company Canva does not hold HIPAA or FedRamp certifications.
    • PCI DSS scope unclear: No evidence Leonardo.ai processes payment cards directly. Unclear why PCI DSS would be relevant or claimed.
    • CSA STAR not verified: No evidence of CSA STAR Level 1 or CSA STAR AI certification on vendor domain.
    • No dedicated trust center: Unlike enterprise SaaS vendors, Leonardo.ai does not publish a dedicated trust/security center page. Security info is scattered across privacy policy, DPA, and homepage.
    • Data training practices: Free tier content is used for model training and commercial purposes. Users should be aware paid plans offer opt-out via private content feature.
    • Post-acquisition clarity: Acquired by Canva (July 2024). Unclear if Leonardo.ai will eventually inherit or align with Canva's fuller compliance posture (both have SOC 2 Type II; Canva has ISO 27001).

    // At a glance

    Pricing model

    Freemium with tiered paid plans (pay-as-you-go, monthly subscriptions, API pay-per-call)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Leonardo Interactive Pty Ltd (owned by Canva)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    leonardo.ai

    > Browse all vendor trust reports