// Trust & Security Report

    Recraft Inc. logo

    Recraft Inc.

    AI-native design platform (Recraft Studio) for image, vector, and mockup generation, plus a developer-facing generation API (image, vector, editing, background removal, inpainting/outpainting, batch/async jobs); plans span Free (community-visible outputs) through paid Basic/Pro subscriptions to an API tier, with a separate Enterprise offering referenced in site navigation

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Recraft is SOC 2 Type 2 certified, validating the ongoing effectiveness of our security and data-handling controls.

    Verify on recraft.ai
    AIUC-1 (AI Underwriting Company)
    HELD

    Recraft is the first AI image generation company to earn AIUC-1 certification, an independent standard for testing AI behavior in production.

    Verify on trust.recraft.com
    GDPR (regulatory alignment, not a certification)
    HELD

    EEA, UK, and Swiss users have additional rights, including: (i) the right to request correction or erasure of personal information; (ii) the right to object to processing your personal information; (iii) the right to ... transfer or receive a copy of the personal information in a usable and portable format.

    Verify on recraft.ai
    CCPA
    HELD

    Recraft applies GDPR rights to all users of its products, regardless of location ... CCPA listed in the trust center compliance section.

    Verify on trust.recraft.com
    > Show 5 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence: the vendor's own compliance and certifications page and trust center list SOC 2 Type 2 and AIUC-1 but do not mention ISO 27001 anywhere.

    source: recraft.ai
    HIPAA
    NOT CONFIRMED

    No public evidence: HIPAA is not mentioned in Recraft's privacy policy, trust center, or compliance/certifications page. Recraft does not describe itself as a HIPAA-covered entity or business associate anywhere on recraft.ai.

    source: recraft.ai
    PCI DSS
    NOT CONFIRMED

    Recraft does not store, process, or have access to any financial customer data, as Stripe securely handles all payment information ... both of which [Stripe, Google Pay] hold PCI DSS Level 1 certification. A vendor blog post separately describes the platform as 'PCI DSS compliant,' but the vendor's own security page confirms Recraft itself never touches cardholder data, so the PCI DSS scope belongs to its payment processors (Stripe/Google Pay), not to Recraft directly.

    source: recraft.ai
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence: not listed on the trust center or compliance page. Recraft's closest AI-specific assurance is the third-party AIUC-1 certification, which is a distinct standard from ISO 42001.

    source: recraft.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization anywhere on recraft.ai or the trust center.

    source: trust.recraft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Not formally published as a single region; subprocessor list shows infrastructure primarily in the United States and EU (Ireland, Germany, Belgium, UK, Canada also listed), with the privacy policy noting data 'may be stored in computers in countries outside of your home country.' Some optional third-party model providers accessible via the platform (e.g., via Runware) extend to additional countries including Israel and China.

    Privacy policy states: 'We shall not use and shall not permit our third-party AI service providers ... to train, fine-tune, or otherwise improve any machine learning or artificial intelligence models using your AI Input or AI Output ... unless you have affirmatively authorized and configured the Services to permit such use.' Users can opt out of use by Recraft's own proprietary models in account settings. The trust-and-security data protection page separately states 'Assets generated with Recraft are not allowed to be used to train external AI models.' Free-plan images are made public in a community gallery and owned by Recraft, but the policy does not explicitly say free-tier images are used for model training, so this remains a documented but not fully resolved distinction between paid (private) and free (public gallery) tiers.

    // Security controls

    Encryption in transit and at rest

    Industry-standard encryption applied to data at rest and in transit

    recraft.ai

    Access control

    Role-Based Access Control (RBAC) with least-privilege principles restricting file access by job necessity

    recraft.ai

    Vulnerability management

    Regular automated vulnerability scanning and penetration testing

    recraft.ai

    Authentication

    Passwordless authentication via email one-time codes (OTP) and social logins

    recraft.ai

    Backups / durability

    Customer data stored in Azure Postgres databases with 99.9999+% durability; daily automated backups replicated across separate regions

    recraft.ai

    Data deletion

    All personal information is permanently erased from Recraft's systems upon account deletion

    recraft.ai

    Subprocessors

    Published subprocessor list covering cloud infrastructure (AWS, Microsoft, Google, Nebius), hosting/CDN (Vercel, Webflow, Cloudflare), and data processing vendors (Stripe, Salesforce, Zendesk, OpenAI, Anthropic, Mailchimp, Brevo, Twilio/SendGrid)

    recraft.ai

    // Products & data scope

    FreeConsumer / individual

    data: Generated images owned by Recraft and publicly visible in the community gallery

    No commercial rights on generated assets while on this plan

    Basic / Pro (paid subscriptions)Individual / small team

    data: Private assets; full ownership and commercial rights for images generated while subscribed

    Credit-based usage with top-up purchases available

    APIDeveloper / programmatic

    data: Same underlying security and subprocessor program as the consumer product

    Programmatic access to image/vector generation, editing, background removal, inpainting, outpainting, batch and async jobs

    EnterpriseEnterprise

    data: Referenced in site navigation ('Enterprise') but no dedicated enterprise security page, custom-contract terms, or SSO details were found publicly

    Could not verify enterprise-specific security controls (e.g., SSO/SAML) beyond what's published for the general trust center; treat enterprise claims as unverified until confirmed directly with the vendor

    // What to watch

    • The public trust center is hosted on a different domain (trust.recraft.com, via SafeBase) than the main product site (recraft.ai). Content was cross-checked against recraft.ai's own compliance page and blog posts (AIUC-1 claim, SOC 2 Type 2 claim) and is consistent, but AIFOXX should periodically re-verify that trust.recraft.com is still an official Recraft-controlled property, not a lookalike or unmaintained legacy domain.
    • A vendor blog post describes the platform itself as 'PCI DSS compliant' while the vendor's own security page clarifies Recraft never stores, processes, or has access to cardholder data (handled entirely by Stripe/Google Pay). This is a mild over-claim in marketing copy; PCI DSS is graded held=false for Recraft directly since the certification belongs to its payment processors, not to Recraft.
    • SOC 2 Type II effective/report date could not be independently confirmed beyond the vendor's own blog post (stated December 18, 2025 per trust center summary, blog post dated January 15, 2026); no named third-party auditor was found in public vendor content.
    • No dedicated Enterprise security/SSO page was found; enterprise-tier security posture (SSO, custom DPA terms, dedicated infrastructure) is unverified beyond the general trust center and should be confirmed directly with Recraft sales before listing Enterprise-specific claims.
    • Optional third-party AI model routing (e.g. via Runware, per subprocessor list) can extend processing to additional countries including Israel and China depending on user-selected models; this is a data-flow nuance buyers with residency requirements should be aware of, not a certification issue.

    // At a glance

    Pricing model

    Freemium consumer subscriptions (Basic/Pro) plus a separate credit-based API tier and an Enterprise offering (terms not publicly detailed)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Recraft Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.recraft.com

    > Browse all vendor trust reports