// Trust & Security Report
Photoroom, Inc.
AI-powered product photography and image-editing platform for e-commerce: consumer/creator apps (iOS, Android, web) with Background Remover, AI Product Photography, Brand Kit, Batch Edit and Video Templates; a developer Image API; and an Enterprise tier (custom AI models, dedicated capacity, Marketplace Sync, SLA-backed uptime).
Certifications held
2
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.photoroom.com“Compliance overview / Current compliance status across frameworks / SOC 2 Type 2 / Compliant”
Verify on photoroom.com“GDPR compliant / Your data is handled with transparency, encryption, and strict access controls.”
> Show 6 unconfirmed / not-held certifications
source: trust.photoroom.comNo public evidence. Photoroom's own Trust Center 'Compliance overview' lists only SOC 2 Type 2 as a compliant framework; ISO 27001 is not listed anywhere on trust.photoroom.com, the homepage security section, or the privacy policy. A third-party vendor-risk aggregator (Nudge Security) displays an 'ISO 27001 Compliant' badge, but that page's own 'Security Page' and evidence links are broken/empty (#), so it is not treated as proof.
source: photoroom.comNo public evidence. HIPAA is not mentioned on trust.photoroom.com, the homepage security section, or the privacy policy (https://www.photoroom.com/legal/privacy), which contains 'no mentions of SOC 2, ISO 27001, or HIPAA compliance certifications.' A third-party aggregator (Nudge Security) claims 'HIPAA Compliant' with no supporting evidence link; not accepted as proof. Photoroom is not marketed as a healthcare/BAA-capable product.
source: trust.photoroom.comNo public evidence on any Photoroom-owned domain. Payment handling is not described as in-house on the trust center; no PCI attestation is referenced.
source: photoroom.comNo certification evidence. Homepage lists 'Responsible AI: Regular audits to reduce bias, ensure fairness, and maintain transparency' as a marketing statement, not a certification, and ISO 42001 is not named anywhere on the vendor's domains.
source: trust.photoroom.comNo public evidence on any Photoroom-owned domain; not applicable to this consumer/SMB e-commerce product line. Unsubstantiated third-party badge (Nudge Security) rejected as proof.
source: trust.photoroom.comNo public evidence on any Photoroom-owned domain. Unsubstantiated third-party badge (Nudge Security, 'CSA Star Level 1') rejected as proof (no linked registry entry or evidence).
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
EU-based company (France); data may be transferred outside the EEA to third-party processors, with Photoroom stating transfers use 'appropriate guarantees ... in accordance with the provisions of the GDPR.' Infrastructure runs on GCP, AWS, and Cloudflare (no single fixed region guaranteed at the plan level per public documentation).
By default Photoroom uses uploaded images to improve/train its AI models: 'By using Photoroom, you acknowledge that Photoroom processes and uses the images you upload to improve, train and develop Photoroom's products, services and models.' Users can opt out via an account setting ('Improve the model for everyone'), but the opt-out 'shall not have retroactive effect on processing activities already carried out.' Images processed through the API are explicitly excluded: 'our model improvement does not apply to the images processed through our Application Programming Interface (API).' No separate written commitment was found confirming whether Enterprise-tier web/app usage (as opposed to API usage) is automatically excluded from training, or requires the same manual opt-out as free/Pro consumer accounts, which is a gap enterprise buyers should ask about directly.
// Security controls
Encryption in transit
Confirmed via Trust Center control: 'Data encrypted in-transit.'
trust.photoroom.comAccess control
Access granting process, account inventory, regular access reviews, and enforced password management policy, per Trust Center controls list.
trust.photoroom.comBackups / disaster recovery
Automated backups, tested disaster recovery plans, and an established business continuity policy, per Trust Center controls list.
trust.photoroom.comVulnerability management
Penetration testing performed within the last 12 months with findings remediated; automated vulnerability scanning and patch management, per Trust Center controls list.
trust.photoroom.comEndpoint security
Anti-malware, device encryption, firewalls, and MDM on end-user devices, per Trust Center controls list.
trust.photoroom.comInfrastructure hosting
Built on GCP, AWS, and Cloudflare, described as providing redundancy and fault tolerance.
photoroom.comIncident response / monitoring
Audit log management, established incident response policy, and network/infrastructure monitoring, per Trust Center controls list.
trust.photoroom.com// Products & data scope
data: Uploaded images used by default to train Photoroom's AI models; user-level opt-out available (non-retroactive) in account settings.
80M+ users cited for Background Remover; targeted at individuals and small sellers.
data: Same default training posture as consumer tier unless the opt-out is set; batch operations run via web app or API.
Adds Brand Kit, Marketplace Sync, bulk background removal/resizing.
data: Explicitly excluded from AI training by policy: 'our model improvement does not apply to the images processed through our Application Programming Interface (API).'
Positioned for automated, high-volume image production without queue infrastructure on the customer side.
data: Custom AI models trained on the customer's own catalog/brand rules (per contract); dedicated capacity and custom endpoints; SOC 2 Type 2 and contractual SLA terms marketed specifically to this tier.
Homepage ties the SOC 2 Type 2 badge to the Enterprise pitch, though the Trust Center presents SOC 2 Type 2 as a company-wide compliance status, not an Enterprise-only attestation. Enterprise buyers should confirm via sales whether a signed DPA, full SOC 2 report (NDA), and training opt-out are included in the contract by default.
// What to watch
- Third-party aggregator over-claim: security-profiles.nudgesecurity.com lists Photoroom as HIPAA, PCI, ISO 27001, FedRAMP, and CSA STAR Level 1 'Compliant', but none of these are substantiated on the vendor's own Trust Center or privacy policy, and the aggregator's own evidence links for those badges are broken/empty. These claims were rejected and must not be surfaced on AIFOXX without independent vendor confirmation.
- AI trains on customer images by default for the consumer/Pro/Business web-and-app tiers (opt-out available but not retroactive); only the API tier is contractually excluded from training. Buyers uploading sensitive/proprietary product imagery on Free/Pro/Business plans should be flagged to check their account training setting.
- SOC 2 Type 2 is confirmed at the company level via the Trust Center, but Photoroom's own marketing associates the badge specifically with the Enterprise plan on the homepage ('Custom models, dedicated capacity, custom endpoints, and SLA-backed uptime. SOC 2 Type 2.') -- listing should clarify SOC 2 applies company-wide per the Trust Center, not as an Enterprise-exclusive feature.
- Trust Center (trust.photoroom.com) is JavaScript-rendered and could not be re-fetched live during this review; findings rely on a prior crawl capture of that page plus the homepage security section and privacy policy, all cross-checked and consistent with each other.
- No dedicated, publicly linked Data Processing Agreement (DPA) document was found; privacy policy covers GDPR rights and EEA transfer safeguards but a standalone DPA likely requires direct request from sales/support.
// At a glance
Pricing model
Freemium (Free/Pro consumer subscription) + usage-based API pricing + custom Enterprise contracts
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Photoroom, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.photoroom.com