// Trust & Security Report

    Canva Austria GmbH (operating remove.bg; formerly Kaleido AI GmbH, acquired by Canva in 2021) logo

    Canva Austria GmbH (operating remove.bg; formerly Kaleido AI GmbH, acquired by Canva in 2021)

    AI background removal and background-generation tool: consumer web app, mobile app (Android), Photoshop/Figma/Zapier integrations, Bulk Editing (up to 500 images/min), a developer API, and an Enterprise high-volume tier with EU-only processing. Sibling Canva Austria brands are Kaleido, Unscreen and Designify.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    remove.bg's own blog states: "You can find all documents, self assessments and compliance in remove.bg's Security Portal" linking to https://trust.canva.com/?product=removebg. That portal (operated by parent Canva) confirms org-wide SOC 2 Type 2 status. remove.bg's own page does not itself name 'SOC 2' verbatim, only points to the portal for compliance documents.

    Verify on remove.bg
    ISO/IEC 27001
    HELD

    Same as above: remove.bg's security blog post directs to its designated Security Portal (trust.canva.com, product=removebg) for 'all documents, self assessments and compliance'; that Canva-operated portal lists ISO/IEC 27001 as a held certification org-wide. remove.bg's own domain text does not itself spell out 'ISO 27001'.

    Verify on remove.bg
    PCI DSS
    HELD

    Canva's trust portal lists PCI DSS as held; this covers Canva's shared payment/billing infrastructure that remove.bg subscriptions run through, not remove.bg's image-processing pipeline specifically.

    Verify on trust.canva.com
    GDPR (posture, not a certification)
    HELD

    "In compliance with GDPR, remove.bg is fully committed to the protection of your personal information" and "A Data Processing Agreement, in line with Article 28 of the GDPR" is in place. Enterprise page: "GDPR compliant: Your data is yours. All images are processed in the EU."

    Verify on remove.bg
    > Show 5 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence on remove.bg's domain or Canva's trust portal of ISO 42001 certification.

    source: trust.canva.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence found on remove.bg or Canva domains.

    source: trust.canva.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or a BAA offering on remove.bg's site or Canva's trust portal; remove.bg is a general-purpose photo tool, not marketed for PHI.

    source: remove.bg
    ISO 27017 / ISO 27018 (cloud security / PII in cloud)
    NOT CONFIRMED

    Not listed on Canva's trust portal and not mentioned on remove.bg's domain: no public evidence.

    source: trust.canva.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; not a US-government-focused product.

    source: trust.canva.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Enterprise tier: EU-only processing ("All images are processed in the EU"). Standard/free tier region not explicitly stated on remove.bg's domain; Canva's broader group policy references processing across US, Australia, Singapore, EU, UK, Philippines and NZ.

    remove.bg's own privacy policy states: "We may also analyze your activity, content, media uploads and related data in your account to provide and customize the Service, and to train our algorithms, models and AI products." No remove.bg-specific opt-out language was found on remove.bg's own domain. Parent Canva's group-wide privacy policy (a separate, Canva Pty Ltd-controlled document, not confirmed to literally govern remove.bg) states Free/Pro accounts have AI training on by default with an opt-out toggle, while Teams/Business/Enterprise/Education content is never used for AI training. remove.bg's Enterprise page promises EU-only processing but does not explicitly restate the no-training guarantee in remove.bg-specific language, so this is treated as an unconfirmed extension rather than direct proof. Flagged for review.

    // Security controls

    Encryption in transit

    API accessible solely via HTTPS; "data transfers occur over encrypted and secure channels".

    remove.bg

    Data retention

    Uploaded images are deleted typically within 60 minutes of processing; no retrieval of any past data after 90 days.

    remove.bg

    Access control

    Multi-factor authentication (MFA) enforced across critical systems; access centrally managed via secure identity platforms; Mobile Device Management (MDM) on devices touching internal systems.

    remove.bg

    Security testing standard

    References industry-recognised standards such as the OWASP Web Security Testing Guide.

    remove.bg

    Uptime / availability

    99.99% uptime achieved in 2024 (self-reported, not independently audited in evidence gathered).

    remove.bg

    Data Processing Agreement

    DPA offered in line with Article 28 GDPR for personal-data processing.

    remove.bg

    // Products & data scope

    remove.bg Web (consumer/free)Consumer image editing tool

    data: Single-image uploads processed and auto-deleted (~60 min); AI training on by default per group policy with an opt-out toggle (Canva account settings), not independently confirmed on remove.bg domain.

    Free tier with credit-based paid plans; no explicit region guarantee found for this tier.

    remove.bg Bulk EditingProsumer batch image processing

    data: Processes up to 500 images/minute; same retention posture as consumer tier.

    Aimed at photographers/e-commerce sellers.

    remove.bg API (Developer)Background-removal API

    data: HTTPS-only; images processed and deleted per stated retention window.

    Integrates with Photoshop, Figma, Zapier, CLI tools.

    remove.bg Enterprise / High-volume solutionsEnterprise API / bulk contract tier

    data: GDPR compliant; all images processed in the EU; dedicated Customer Success Manager; flexible API/credit/rate limits.

    Only tier with an explicit EU-only data-region commitment found on remove.bg's own domain.

    // What to watch

    • Identity/scope nuance: SOC 2 Type II and ISO 27001 are held by parent Canva Austria GmbH's org-wide security program, referenced via remove.bg's own blog which designates the Canva Trust Portal (trust.canva.com/?product=removebg) as 'remove.bg's Security Portal.' remove.bg's own domain text never states 'SOC 2' or 'ISO 27001' verbatim; the audit boundary confirming remove.bg's specific infrastructure is inside the certified scope could not be independently verified (SafeBase portal did not expose product-scoped certificate detail via automated fetch). Treat as a Canva-program certification extended to remove.bg, not a remove.bg-specific audit, until confirmed by the vendor.
    • AI-training opt-out mechanism for remove.bg specifically is not documented on remove.bg's own domain; the tiered opt-out (Free/Pro trains by default, Team/Business/Enterprise never trains) is documented only in Canva's separate, Canva Pty Ltd-controlled group privacy policy, whose applicability to the Canva Austria GmbH-controlled remove.bg product is not explicitly confirmed in evidence gathered. This is a legacy-brand-page vs. current-group-AI-policy contradiction risk and should be confirmed directly with the vendor before publishing an opt-out claim.
    • Two different data-controller statements exist across Canva properties: remove.bg's own privacy policy names 'Canva Austria GmbH, through its brands Kaleido, remove.bg, Unscreen or Designify' as controller, while canva.com's main privacy policy names 'Canva Pty Ltd' as controller for GDPR purposes. Do not conflate the two entities' certification or policy scopes when listing remove.bg.

    // At a glance

    Pricing model

    Freemium (limited free previews) plus pay-as-you-go credits, subscription plans, and custom Enterprise contracts.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Canva Austria GmbH (operating remove.bg; formerly Kaleido AI GmbH, acquired by Canva in 2021)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.canva.com

    > Browse all vendor trust reports