// Trust & Security Report
Midjourney, Inc.
AI-powered image generation platform with text-to-image models, plus Midjourney Medical (wellness/imaging analysis product in development)
Certifications held
0
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 10 unconfirmed / not-held certifications
source: risclens.comSOC 2 publicly mentioned (claim only). No confirmed SOC 2 report was found.
source: risclens.comNo public evidence of active SOC 2 Type 2 certification available
source: credo.aiNo public evidence found. ISO 27001 not listed in Credo AI compliance assessment.
source: docs.midjourney.comClaims to follow GDPR practices but no formal Data Processing Agreement (DPA) found in public documentation. Retention policy states data kept only as long as necessary for legal purposes.
source: midjourney.comMidjourney Medical implements HIPAA-appropriate security practices (encryption in transit/at rest, key management, audit logs) but current product is positioned as direct-to-consumer wellness outside HIPAA's mandatory scope. No HIPAA certification confirmed.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
United States
Models trained on publicly available web data, publicly accessible repositories, and internally generated synthetic data. Users can opt-out of training through account settings, though conflicting reports exist on availability and effectiveness of opt-out. Creative prompts are used to train models by default. Stealth mode (privacy feature) available only on Pro/Mega subscription tiers. Privacy is a paid feature; free tier users' creations are public by default.
// Security controls
Encryption in Transit
Claims commercially acceptable means; specific TLS version/ciphers not documented. Industry-standard protocols mentioned but not detailed.
docs.midjourney.comEncryption at Rest
Claimed but implementation details not publicly specified. Midjourney Medical implements encryption at rest for PHI.
midjourney.comData Retention
Personal data retained only as long as necessary for service provision, account management, and legal compliance. Deletion requests processed within 30 days. Generated images persist in galleries even after deletion requests.
docs.midjourney.comAccess Controls
Midjourney Medical implements least-privilege access and audit logs. Main platform specifics not documented publicly.
midjourney.comResponsible Disclosure Program
No public security.txt, bug bounty program, or formal responsible disclosure policy found.
risclens.comInfrastructure Risk
Service accessed primarily through Discord, creating reliance on Discord's security infrastructure. Credo AI notes: 'does not offer sequestered access' and 'no virtual private cloud or on-premises deployment options.'
credo.ai// Products & data scope
data: User prompts, generated images, usage metadata. Free tier: all content public by default. Pro/Mega tiers: Stealth Mode available for privacy.
Primary product. Accessed via web or Discord. All data trained on by default unless opted out. No IP indemnity coverage provided by vendor; user liable for copyright infringement claims in generated content.
data: Body composition scans, health metrics, user PHI (if/when clinical use begins). Currently positioned as direct-to-consumer wellness product.
In development. Building to HIPAA standards proactively but not yet HIPAA-certified. Implements encryption in transit/at rest, key management, audit logs, and access reviews appropriate for PHI. Current direct-to-consumer positioning sits outside HIPAA's mandatory scope.
// What to watch
- Over-claim detected: SOC 2 'publicly mentioned (claim only)' per RiscLens, but no confirmed audit report available. Vendor may market SOC 2 readiness without formal certification.
- Privacy concerns: Graded D+ (38/100) by terms.law Privacy Watchdog. Specific issues: public-by-default gallery, no true deletion, Discord dependency, prompt training without clear opt-out, privacy as paid feature.
- AI training ambiguity: Conflicting reports on whether creative prompts are used to train models by default and whether opt-out is available/effective. Multiple sources suggest opt-out exists but implementation unclear.
- No Data Processing Agreement (DPA) publicly available. Organizations subject to GDPR may lack required controller-processor agreement.
- No IP indemnity coverage: users bear all risk for copyright infringement claims on generated content, unlike some competitors.
- Infrastructure risk: Reliance on Discord for core service access creates additional security surface not under Midjourney's direct control.
- No public responsible disclosure program or security.txt found.
- Persistent data risk: Generated images stored in galleries and Discord history with no mechanism for permanent secure deletion.
- Entity clarification: Midjourney Medical may be subsidiary or future product line; verify if separate legal entity for compliance purposes.
// At a glance
Pricing model
Freemium (free tier with public gallery, paid tiers unlock privacy and commercial use)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Midjourney, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
docs.midjourney.com