// Trust & Security Report
Leonardo Interactive Pty Ltd (owned by Canva)
Generative AI platform for creating, editing, and animating images and videos using AI models. Features include image generation, video generation, image upscaling, background removal, custom model training, and real-time canvas editing. Serves individual creators and enterprise teams.
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on leonardo.ai“Leonardo.ai is fully SOC 2 Type I and Type II accredited, demonstrating our commitment to the highest standards of security, availability, and data integrity.”
Verify on leonardo.ai“Leonardo.ai is fully SOC 2 Type I and Type II accredited, demonstrating our commitment to the highest standards of security, availability, and data integrity.”
Verify on leonardo.ai“Leonardo's Data Processing Addendum implements EU GDPR and UK GDPR obligations: it incorporates the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914 of 4 June 2021, controller-to-processor module) for restricted transfers and designates the European Data Protection Office (EDPO) in Dublin and EDPO UK in London as its EU/UK representatives. Verified on the vendor DPA page; the homepage does not mention GDPR.”
> Show 5 unconfirmed / not-held certifications
source: leonardo.aiNo public evidence of ISO 27001 certification on Leonardo.ai's domain. Third-party sources (Nudge Security) claim compliance, but vendor documentation does not reference this certification. Parent company Canva holds ISO 27001.
source: leonardo.aiNo public evidence of HIPAA compliance. Leonardo.ai is a consumer/enterprise creative AI tool, not a healthcare-focused product. No HIPAA-specific documentation found on vendor domain.
source: leonardo.aiNo public evidence of PCI DSS compliance. Leonardo.ai does not directly process payment card data (payments handled by third parties). No PCI DSS documentation on vendor domain.
source: leonardo.aiNo public evidence of FedRamp authorization. Not found on Leonardo.ai or parent company Canva's documentation. FedRamp is for US government cloud services, outside Leonardo's scope.
source: leonardo.aiNo public evidence of CSA STAR Level 1 certification on vendor domain. CSA STAR requires detailed cloud security certification and governance documentation.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Multiple (uses AWS, Vercel, Google Workspace, Auth0 as infrastructure partners)
Tiered approach: Free tier content is public and used for training AI models and developing new offerings. Paid tier content can be marked private and explicitly NOT used for training. Users on paid plans retain full control over whether content is used for model training.
// Security controls
Encryption at Rest
AES 256 or stronger for customer personal data stored on Leonardo's servers
leonardo.aiPenetration Testing
Annual third-party penetration testing of application and infrastructure
leonardo.aiEmployee Security Training
Information security awareness training required at employment start and annually thereafter
leonardo.aiData Deletion
Automated process for deleting customer personal data on request within 30 days
leonardo.aiInternational Data Transfers
EU Model Clauses and UK International Data Transfer Addendum for transfers outside Europe
leonardo.ai// Products & data scope
data: Free and paid tiers; free tier content used for training, paid tier can be private
Supports multiple models including Nano Banana (Google), GPT models, and Leonardo's proprietary models. Available as web app and mobile app.
data: Free and paid tiers; free tier content used for training, paid tier can be private
Supports Veo 3 (Google) and Kling Video 3.0. Can generate video from text prompts or animate images.
data: Free and paid tiers; free tier content used for training, paid tier can be private
Includes background remover, image upscaler, precision editing tools.
data: Available in paid plans; user-uploaded training data scope unclear
Allows users to train custom models on their own images.
data: For commercial integrations; paid tier with private option
Official Leonardo.ai SDK and REST API for developers.
data: Enterprise-grade security, private content storage, team collaboration
Includes SOC 2 compliance, SSO support, private model hosting, team collaboration features.
// What to watch
- OVER-CLAIM ALERT: Nudge Security profile claims Leonardo.ai holds ISO 27001, HIPAA, FedRamp, PCI DSS, and CSA STAR Level 1 certifications. These are not documented on Leonardo's official domain (leonardo.ai). Only SOC 2 Type I/II and GDPR are verifiable from vendor documentation. Recommend contacting Leonardo.ai to clarify which of these claims are accurate.
- ISO 27001 not found: Third-party source (Rankiteo) explicitly states Leonardo.ai is NOT certified under ISO 27001, contradicting Nudge Security claim.
- HIPAA & FedRamp unlikely: Leonardo.ai is a consumer/creative AI platform, not healthcare-focused. Parent company Canva does not hold HIPAA or FedRamp certifications.
- PCI DSS scope unclear: No evidence Leonardo.ai processes payment cards directly. Unclear why PCI DSS would be relevant or claimed.
- CSA STAR not verified: No evidence of CSA STAR Level 1 or CSA STAR AI certification on vendor domain.
- No dedicated trust center: Unlike enterprise SaaS vendors, Leonardo.ai does not publish a dedicated trust/security center page. Security info is scattered across privacy policy, DPA, and homepage.
- Data training practices: Free tier content is used for model training and commercial purposes. Users should be aware paid plans offer opt-out via private content feature.
- Post-acquisition clarity: Acquired by Canva (July 2024). Unclear if Leonardo.ai will eventually inherit or align with Canva's fuller compliance posture (both have SOC 2 Type II; Canva has ISO 27001).
// At a glance
Pricing model
Freemium with tiered paid plans (pay-as-you-go, monthly subscriptions, API pay-per-call)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Leonardo Interactive Pty Ltd (owned by Canva)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
leonardo.ai