// Trust & Security Report
Piktochart Sdn. Bhd.
Browser-based visual design SaaS (infographics, reports, presentations, social graphics) with an integrated Piktochart AI generation layer; plans range from a free consumer tier through Business and an Enterprise tier (SSO, MSA, security review) plus Education/Nonprofit/Campus pricing.
Certifications held
1
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on piktochart.com“Privacy Policy states Piktochart's practices are shaped by "the Children's Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), and the European Union's General Data Protection Regulation (GDPR)" and separately discloses "we may transfer your personal data to organizations based in countries that have not been granted an adequacy decision." This is a self-declared compliance posture, not a third-party GDPR certification (no such certification scheme exists).”
> Show 8 unconfirmed / not-held certifications
source: piktochart.comNo public evidence. No SOC 2 report, badge, or mention appears on piktochart.com, support.piktochart.com, the Privacy Policy, Terms of Use, or the Enterprise page.
source: piktochart.comNo public evidence. Not mentioned on any piktochart.com/support.piktochart.com page reviewed.
source: piktochart.comNo public evidence of any ISO 27000-family certification beyond the base 27001 (also unheld).
source: piktochart.comNo public evidence. No AI-governance certification referenced anywhere on the vendor's own domain.
source: piktochart.comNo public evidence of CSA STAR registration or attestation.
source: piktochart.comNo public evidence. Not listed among the frameworks the Privacy Policy names (which are COPPA, FERPA, and GDPR only); no BAA is offered anywhere on the site.
source: support.piktochart.com"Piktochart does not store credit card details internally" and relies on third-party payment gateways to process payments — PCI DSS scope belongs to the payment processor, not Piktochart directly.
source: piktochart.comNo public evidence. No government/FedRAMP authorization referenced anywhere on the vendor's domain.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
AWS, United States (per support KB: "Our server provider is Amazon Web Services located in the USA"). No data-residency options (e.g. EU-only hosting) are documented publicly.
Opt-out by default, not opt-in. Privacy Policy: "By default, all Content you create and/or upload to Piktochart is automatically included in our AI training program. You can opt-out of this program at any time by emailing ai-privacy@piktochart.com." It also warns "Images already used in AI training may remain in trained models (cannot be 'untrained')." A separate support KB article on Piktochart AI states "We do not collect any personal information for the use of Piktochart AI" and that "all your submitted inputs are aggregated and anonymized" for the generative-AI feature itself — this is a narrower claim about AI-feature inputs, not a contradiction of the broader content-training policy, but the two statements describe different data flows (uploaded/created visuals vs. AI-prompt inputs) and a buyer should have the vendor clarify the distinction in writing.
// Security controls
Encryption at rest
"We encrypt all of your data stored on servers." No specifics on algorithm/key management disclosed publicly.
support.piktochart.comInternal data access controls
"No one but Piktochart's team of developers has access to the data (and even then, only when a user requests assistance and we have explicit permission to access the account)."
support.piktochart.comPayment data handling
Piktochart does not store credit card details internally; payments are processed via third-party payment gateways.
support.piktochart.comAuthentication
Two-factor authentication (2FA) available; magic-link / passwordless login used to simplify and secure sign-in.
support.piktochart.comEnterprise SSO
SAML-based SSO offered on the Enterprise plan only, alongside a vendor security review and MSA (Master Service Agreement) support.
piktochart.comContractual security disclaimer
Terms of Use state Piktochart "MAKES NO CLAIMS OR PROMISES ... INCLUDING WITHOUT LIMITATION THE SECURITY OF YOUR CONTENT AND DATA." Standard SaaS ToS boilerplate, but notable given the absence of any formal security certification to offset it.
piktochart.com// Products & data scope
data: User-uploaded images and created visuals stored on AWS (US); by default included in AI training unless the user opts out.
Consumer/SMB self-serve tiers, 2FA and social login available; no SSO.
data: Submitted prompts/inputs are aggregated and anonymized per vendor's AI-feature KB article; separately, uploaded/created content feeds the broader opt-out AI training program.
Uses third-party AI providers per the Terms of Use ("may be transmitted to and processed by such AI Features, including third-party providers thereof"); the specific third-party providers are not named publicly.
data: Same underlying AWS-hosted storage as other tiers; adds SAML SSO, SLA, MSA support, and a vendor-led security review process for the buyer.
The security review and MSA are negotiated per customer, not a published certification — useful as a due-diligence path but not a substitute for SOC 2/ISO 27001.
// What to watch
- No SOC 2, ISO 27001, HIPAA, PCI DSS, ISO 42001, CSA STAR, or FedRAMP evidence found anywhere on piktochart.com or support.piktochart.com — vendor has no formal third-party security certification.
- No dedicated trust/security center exists; security posture is documented only in a short support KB article and the Privacy Policy/Terms of Use.
- AI training is opt-out by default (not opt-in), and the vendor states already-trained data 'cannot be untrained' once included — a material point for privacy-sensitive buyers.
- Privacy Policy discloses international data transfers to countries without an EU adequacy decision, which is a GDPR risk factor for EU customers to review before signing.
- Terms of Use contain a broad disclaimer of any security guarantee for customer content/data — typical SaaS boilerplate, but notable given no offsetting certification exists.
- A human reviewer should reload these pages directly in a browser to do a final visual confirmation before publishing.
// At a glance
Pricing model
Freemium subscription (Free, Pro, Business, Education, Nonprofit, Campus, and custom-quoted Enterprise tiers)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Piktochart Sdn. Bhd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
piktochart.com