// Trust & Security Report
Recraft Inc.
AI-native design platform (Recraft Studio) for image, vector, and mockup generation, plus a developer-facing generation API (image, vector, editing, background removal, inpainting/outpainting, batch/async jobs); plans span Free (community-visible outputs) through paid Basic/Pro subscriptions to an API tier, with a separate Enterprise offering referenced in site navigation
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on recraft.ai“Recraft is SOC 2 Type 2 certified, validating the ongoing effectiveness of our security and data-handling controls.”
Verify on trust.recraft.com“Recraft is the first AI image generation company to earn AIUC-1 certification, an independent standard for testing AI behavior in production.”
Verify on recraft.ai“EEA, UK, and Swiss users have additional rights, including: (i) the right to request correction or erasure of personal information; (ii) the right to object to processing your personal information; (iii) the right to ... transfer or receive a copy of the personal information in a usable and portable format.”
Verify on trust.recraft.com“Recraft applies GDPR rights to all users of its products, regardless of location ... CCPA listed in the trust center compliance section.”
> Show 5 unconfirmed / not-held certifications
source: recraft.aiNo public evidence: the vendor's own compliance and certifications page and trust center list SOC 2 Type 2 and AIUC-1 but do not mention ISO 27001 anywhere.
source: recraft.aiNo public evidence: HIPAA is not mentioned in Recraft's privacy policy, trust center, or compliance/certifications page. Recraft does not describe itself as a HIPAA-covered entity or business associate anywhere on recraft.ai.
source: recraft.aiRecraft does not store, process, or have access to any financial customer data, as Stripe securely handles all payment information ... both of which [Stripe, Google Pay] hold PCI DSS Level 1 certification. A vendor blog post separately describes the platform as 'PCI DSS compliant,' but the vendor's own security page confirms Recraft itself never touches cardholder data, so the PCI DSS scope belongs to its payment processors (Stripe/Google Pay), not to Recraft directly.
source: recraft.aiNo public evidence: not listed on the trust center or compliance page. Recraft's closest AI-specific assurance is the third-party AIUC-1 certification, which is a distinct standard from ISO 42001.
source: trust.recraft.comNo public evidence of FedRAMP authorization anywhere on recraft.ai or the trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Not formally published as a single region; subprocessor list shows infrastructure primarily in the United States and EU (Ireland, Germany, Belgium, UK, Canada also listed), with the privacy policy noting data 'may be stored in computers in countries outside of your home country.' Some optional third-party model providers accessible via the platform (e.g., via Runware) extend to additional countries including Israel and China.
Privacy policy states: 'We shall not use and shall not permit our third-party AI service providers ... to train, fine-tune, or otherwise improve any machine learning or artificial intelligence models using your AI Input or AI Output ... unless you have affirmatively authorized and configured the Services to permit such use.' Users can opt out of use by Recraft's own proprietary models in account settings. The trust-and-security data protection page separately states 'Assets generated with Recraft are not allowed to be used to train external AI models.' Free-plan images are made public in a community gallery and owned by Recraft, but the policy does not explicitly say free-tier images are used for model training, so this remains a documented but not fully resolved distinction between paid (private) and free (public gallery) tiers.
// Security controls
Encryption in transit and at rest
Industry-standard encryption applied to data at rest and in transit
recraft.aiAccess control
Role-Based Access Control (RBAC) with least-privilege principles restricting file access by job necessity
recraft.aiAuthentication
Passwordless authentication via email one-time codes (OTP) and social logins
recraft.aiBackups / durability
Customer data stored in Azure Postgres databases with 99.9999+% durability; daily automated backups replicated across separate regions
recraft.aiData deletion
All personal information is permanently erased from Recraft's systems upon account deletion
recraft.aiSubprocessors
Published subprocessor list covering cloud infrastructure (AWS, Microsoft, Google, Nebius), hosting/CDN (Vercel, Webflow, Cloudflare), and data processing vendors (Stripe, Salesforce, Zendesk, OpenAI, Anthropic, Mailchimp, Brevo, Twilio/SendGrid)
recraft.ai// Products & data scope
data: Generated images owned by Recraft and publicly visible in the community gallery
No commercial rights on generated assets while on this plan
data: Private assets; full ownership and commercial rights for images generated while subscribed
Credit-based usage with top-up purchases available
data: Same underlying security and subprocessor program as the consumer product
Programmatic access to image/vector generation, editing, background removal, inpainting, outpainting, batch and async jobs
data: Referenced in site navigation ('Enterprise') but no dedicated enterprise security page, custom-contract terms, or SSO details were found publicly
Could not verify enterprise-specific security controls (e.g., SSO/SAML) beyond what's published for the general trust center; treat enterprise claims as unverified until confirmed directly with the vendor
// What to watch
- The public trust center is hosted on a different domain (trust.recraft.com, via SafeBase) than the main product site (recraft.ai). Content was cross-checked against recraft.ai's own compliance page and blog posts (AIUC-1 claim, SOC 2 Type 2 claim) and is consistent, but AIFOXX should periodically re-verify that trust.recraft.com is still an official Recraft-controlled property, not a lookalike or unmaintained legacy domain.
- A vendor blog post describes the platform itself as 'PCI DSS compliant' while the vendor's own security page clarifies Recraft never stores, processes, or has access to cardholder data (handled entirely by Stripe/Google Pay). This is a mild over-claim in marketing copy; PCI DSS is graded held=false for Recraft directly since the certification belongs to its payment processors, not to Recraft.
- SOC 2 Type II effective/report date could not be independently confirmed beyond the vendor's own blog post (stated December 18, 2025 per trust center summary, blog post dated January 15, 2026); no named third-party auditor was found in public vendor content.
- No dedicated Enterprise security/SSO page was found; enterprise-tier security posture (SSO, custom DPA terms, dedicated infrastructure) is unverified beyond the general trust center and should be confirmed directly with Recraft sales before listing Enterprise-specific claims.
- Optional third-party AI model routing (e.g. via Runware, per subprocessor list) can extend processing to additional countries including Israel and China depending on user-selected models; this is a data-flow nuance buyers with residency requirements should be aware of, not a certification issue.
// At a glance
Pricing model
Freemium consumer subscriptions (Basic/Pro) plus a separate credit-based API tier and an Enterprise offering (terms not publicly detailed)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Recraft Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.recraft.com