// Trust & Security Report
PicsArt, Inc.
PicsArt Create Editor — an AI-powered creative platform for photo editing, design, image generation, and video creation serving 130M+ creators with 140+ AI models across free, premium, and enterprise tiers.
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on picsart.io“Picsart performs an annual SSAE 18 SOC 2 Type 2 audit to ensure third party oversight of our services.”
Verify on picsart.io“ISO/IEC 27001:2022 — International standard for information security management systems. Certificate available upon request.”
Verify on picsart.io“Trust center lists 'EU GDPR' as a compliance standard; Privacy Policy grants EU/UK residents rights to access, correction, deletion, restriction, and portability of their data.”
Verify on picsart.io“Compliant with California Consumer Privacy Act and California Privacy Rights Act”
> Show 7 unconfirmed / not-held certifications
source: picsart.ioNo public evidence of HIPAA compliance; not listed in trust center or compliance documentation.
source: picsart.ioNo public evidence of PCI DSS certification in trust center or security documentation.
source: picsart.ioNot mentioned; only ISO 27001 is documented in trust center.
source: picsart.ioNot mentioned in public trust center or compliance documentation.
source: picsart.ioNot mentioned; only ISO 27001 is documented.
source: picsart.ioNo public evidence of ISO 42001 AI governance certification.
source: picsart.ioNo public evidence of Cloud Security Alliance STAR certification.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Not documented on vendor domain. Trust center states data centers are selected by geographic location where SOC 2 audited/compliant options are available, but no specific AWS regions or countries are named. Privacy Policy notes personal data may be transferred internationally. Contact vendor for region options.
Privacy Policy does not explicitly state whether customer-generated content is used for AI model training. Terms of Use grants PicsArt 'a worldwide, non-exclusive, royalty-free, sublicensable and transferable license to use your Content...for any purpose in connection with the Service and our business,' which could encompass training but is not explicitly stated. One third-party source indicated users can opt out through account settings, but this is not verified in official PicsArt documentation. RECOMMENDATION: Clarify with vendor directly on AI training opt-out policies.
// Security controls
Data Isolation
Logical separation of each customer's service data from other customers' data
picsart.ioNetwork Security
Enterprise-grade firewall, IDS/IPS systems, network segmentation, and DDoS protection via third-party mitigation
picsart.comVulnerability Management
Third-party annual penetration testing for applications and all critical services; automated and manual application and infrastructure security testing to identify and patch vulnerabilities. No specific remediation SLA published on vendor domain.
picsart.comVulnerability Disclosure Program
Active VDP on HackerOne with rewards for ethical researchers
hackerone.comPhysical Security
SOC 2 audited data centers with RFID badges, biometrics, video surveillance, motion detection, access logging
picsart.ioDevice Security
Hardened company devices, full-disk encryption, MDM with remote wiping capability
picsart.ioChange Management
Formal change control with authorization, version control, automated QA, manual code review before production
picsart.com// Products & data scope
data: Customer photos, generated images, design files, biometric data (face geometry when applying face effects). Free and Premium tiers store data in shared infrastructure; Enterprise may negotiate dedicated resources.
Core offering. Includes 140+ AI models (image generation, video, photo editing, portrait animation, background removal, frame expansion). Commercial use license available on Pro plan. 130M+ active creators.
data: Developer usage data, generated content from API calls
Offers 140+ models via API. 'One install, 140+ models, straight in your code.' Pricing and data handling terms vary by plan.
data: Enterprise customer data. Specific data residency regions not documented on vendor domain.
Dedicated support, compliance documentation (SOC 2 Type 2, ISO 27001). No specific data residency regions named publicly on the trust center or privacy policy. Recommend contacting sales for specific data handling and residency requirements.
// What to watch
- AI TRAINING AMBIGUITY: Privacy Policy does not explicitly state whether user-generated content is used for AI model training. Terms of Use grants PicsArt broad content usage rights but does not specifically mention training. Third-party source indicated opt-out exists via account settings; vendor documentation does not confirm. Risk: Unclear data usage for model improvement.
- NO HIPAA COMPLIANCE: Not listed in trust center or security documentation. Despite being used for image/video generation with biometric data collection (face geometry), PicsArt does not offer HIPAA compliance or Business Associate Agreements (BAAs). Healthcare providers requiring HIPAA compliance should verify separately.
- BIOMETRIC DATA COLLECTION WITHOUT EXPLICIT GOVERNANCE: Privacy Policy states 'When you use Picsart tools to apply effects to, or generate images of, your face, Picsart scans your face geometry.' No dedicated biometric governance policy, AI bias assessment, or retention timeline for facial data documented. Relevant for AI governance concerns.
- DATA RESIDENCY NOT DOCUMENTED: No specific data residency regions are named on the vendor trust center or privacy policy. The trust center only states data centers are selected by geographic location where SOC 2 audited options are available. Enterprise customers requiring regional data residency should request written confirmation and a formal data processing agreement (DPA) from the vendor.
- NO ISO 27017/27018/27701 CERTIFICATIONS: Only ISO 27001 listed, not cloud-specific (27017), PII-in-cloud-specific (27018), or privacy-focused (27701) extensions.
- NO ISO 42001 / AI GOVERNANCE FRAMEWORK PUBLISHED: No public documentation of AI governance, model governance, bias assessment, or responsible AI framework despite 140+ AI models offered.
- COMMERCIAL USE AMBIGUITY FOR AI CONTENT: Terms state 'Picsart can't guarantee you will be able to claim copyright ownership...or that the images will not infringe third party IP rights.' Users assume copyright/IP risk for AI-generated content.
- INCIDENT RESPONSE PLAN NOT DOCUMENTED: Security policy emphasizes prevention and vulnerability management but does not detail formal incident response procedures.
// At a glance
Pricing model
Freemium with paid tiers (Premium/Pro) and Enterprise; subscription and credits-based usage
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on PicsArt, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
picsart.io