// Trust & Security Report

    Midjourney, Inc. logo

    Midjourney, Inc.

    AI-powered image generation platform with text-to-image models, plus Midjourney Medical (wellness/imaging analysis product in development)

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 10 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    SOC 2 publicly mentioned (claim only). No confirmed SOC 2 report was found.

    source: risclens.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of active SOC 2 Type 2 certification available

    source: risclens.com
    ISO 27001
    NOT CONFIRMED

    No public evidence found. ISO 27001 not listed in Credo AI compliance assessment.

    source: credo.ai
    GDPR Compliance
    NOT CONFIRMED

    Claims to follow GDPR practices but no formal Data Processing Agreement (DPA) found in public documentation. Retention policy states data kept only as long as necessary for legal purposes.

    source: docs.midjourney.com
    HIPAA
    NOT CONFIRMED

    Midjourney Medical implements HIPAA-appropriate security practices (encryption in transit/at rest, key management, audit logs) but current product is positioned as direct-to-consumer wellness outside HIPAA's mandatory scope. No HIPAA certification confirmed.

    source: midjourney.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found

    source: credo.ai
    ISO 27017/27018/27701
    NOT CONFIRMED

    No public evidence found

    source: credo.ai
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found

    source: credo.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence found

    source: credo.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence found

    source: credo.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States

    Models trained on publicly available web data, publicly accessible repositories, and internally generated synthetic data. Users can opt-out of training through account settings, though conflicting reports exist on availability and effectiveness of opt-out. Creative prompts are used to train models by default. Stealth mode (privacy feature) available only on Pro/Mega subscription tiers. Privacy is a paid feature; free tier users' creations are public by default.

    // Security controls

    Encryption in Transit

    Claims commercially acceptable means; specific TLS version/ciphers not documented. Industry-standard protocols mentioned but not detailed.

    docs.midjourney.com

    Encryption at Rest

    Claimed but implementation details not publicly specified. Midjourney Medical implements encryption at rest for PHI.

    midjourney.com

    Data Retention

    Personal data retained only as long as necessary for service provision, account management, and legal compliance. Deletion requests processed within 30 days. Generated images persist in galleries even after deletion requests.

    docs.midjourney.com

    Access Controls

    Midjourney Medical implements least-privilege access and audit logs. Main platform specifics not documented publicly.

    midjourney.com

    Responsible Disclosure Program

    No public security.txt, bug bounty program, or formal responsible disclosure policy found.

    risclens.com

    Infrastructure Risk

    Service accessed primarily through Discord, creating reliance on Discord's security infrastructure. Credo AI notes: 'does not offer sequestered access' and 'no virtual private cloud or on-premises deployment options.'

    credo.ai

    // Products & data scope

    Midjourney (Image Generation)Generative AI / Image Generation

    data: User prompts, generated images, usage metadata. Free tier: all content public by default. Pro/Mega tiers: Stealth Mode available for privacy.

    Primary product. Accessed via web or Discord. All data trained on by default unless opted out. No IP indemnity coverage provided by vendor; user liable for copyright infringement claims in generated content.

    Midjourney MedicalHealthcare / AI-Powered Imaging

    data: Body composition scans, health metrics, user PHI (if/when clinical use begins). Currently positioned as direct-to-consumer wellness product.

    In development. Building to HIPAA standards proactively but not yet HIPAA-certified. Implements encryption in transit/at rest, key management, audit logs, and access reviews appropriate for PHI. Current direct-to-consumer positioning sits outside HIPAA's mandatory scope.

    // What to watch

    • Over-claim detected: SOC 2 'publicly mentioned (claim only)' per RiscLens, but no confirmed audit report available. Vendor may market SOC 2 readiness without formal certification.
    • Privacy concerns: Graded D+ (38/100) by terms.law Privacy Watchdog. Specific issues: public-by-default gallery, no true deletion, Discord dependency, prompt training without clear opt-out, privacy as paid feature.
    • AI training ambiguity: Conflicting reports on whether creative prompts are used to train models by default and whether opt-out is available/effective. Multiple sources suggest opt-out exists but implementation unclear.
    • No Data Processing Agreement (DPA) publicly available. Organizations subject to GDPR may lack required controller-processor agreement.
    • No IP indemnity coverage: users bear all risk for copyright infringement claims on generated content, unlike some competitors.
    • Infrastructure risk: Reliance on Discord for core service access creates additional security surface not under Midjourney's direct control.
    • No public responsible disclosure program or security.txt found.
    • Persistent data risk: Generated images stored in galleries and Discord history with no mechanism for permanent secure deletion.
    • Entity clarification: Midjourney Medical may be subsidiary or future product line; verify if separate legal entity for compliance purposes.

    // At a glance

    Pricing model

    Freemium (free tier with public gallery, paid tiers unlock privacy and commercial use)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Midjourney, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    docs.midjourney.com

    > Browse all vendor trust reports