// Trust & Security Report
Canva Austria GmbH (operating remove.bg; formerly Kaleido AI GmbH, acquired by Canva in 2021)
AI background removal and background-generation tool: consumer web app, mobile app (Android), Photoshop/Figma/Zapier integrations, Bulk Editing (up to 500 images/min), a developer API, and an Enterprise high-volume tier with EU-only processing. Sibling Canva Austria brands are Kaleido, Unscreen and Designify.
Certifications held
4
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on remove.bg“remove.bg's own blog states: "You can find all documents, self assessments and compliance in remove.bg's Security Portal" linking to https://trust.canva.com/?product=removebg. That portal (operated by parent Canva) confirms org-wide SOC 2 Type 2 status. remove.bg's own page does not itself name 'SOC 2' verbatim, only points to the portal for compliance documents.”
Verify on remove.bg“Same as above: remove.bg's security blog post directs to its designated Security Portal (trust.canva.com, product=removebg) for 'all documents, self assessments and compliance'; that Canva-operated portal lists ISO/IEC 27001 as a held certification org-wide. remove.bg's own domain text does not itself spell out 'ISO 27001'.”
Verify on trust.canva.com“Canva's trust portal lists PCI DSS as held; this covers Canva's shared payment/billing infrastructure that remove.bg subscriptions run through, not remove.bg's image-processing pipeline specifically.”
Verify on remove.bg“"In compliance with GDPR, remove.bg is fully committed to the protection of your personal information" and "A Data Processing Agreement, in line with Article 28 of the GDPR" is in place. Enterprise page: "GDPR compliant: Your data is yours. All images are processed in the EU."”
> Show 5 unconfirmed / not-held certifications
source: trust.canva.comNo public evidence on remove.bg's domain or Canva's trust portal of ISO 42001 certification.
source: trust.canva.comNo public evidence found on remove.bg or Canva domains.
source: remove.bgNo public evidence of HIPAA compliance or a BAA offering on remove.bg's site or Canva's trust portal; remove.bg is a general-purpose photo tool, not marketed for PHI.
source: trust.canva.comNot listed on Canva's trust portal and not mentioned on remove.bg's domain: no public evidence.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Enterprise tier: EU-only processing ("All images are processed in the EU"). Standard/free tier region not explicitly stated on remove.bg's domain; Canva's broader group policy references processing across US, Australia, Singapore, EU, UK, Philippines and NZ.
remove.bg's own privacy policy states: "We may also analyze your activity, content, media uploads and related data in your account to provide and customize the Service, and to train our algorithms, models and AI products." No remove.bg-specific opt-out language was found on remove.bg's own domain. Parent Canva's group-wide privacy policy (a separate, Canva Pty Ltd-controlled document, not confirmed to literally govern remove.bg) states Free/Pro accounts have AI training on by default with an opt-out toggle, while Teams/Business/Enterprise/Education content is never used for AI training. remove.bg's Enterprise page promises EU-only processing but does not explicitly restate the no-training guarantee in remove.bg-specific language, so this is treated as an unconfirmed extension rather than direct proof. Flagged for review.
// Security controls
Encryption in transit
API accessible solely via HTTPS; "data transfers occur over encrypted and secure channels".
remove.bgData retention
Uploaded images are deleted typically within 60 minutes of processing; no retrieval of any past data after 90 days.
remove.bgAccess control
Multi-factor authentication (MFA) enforced across critical systems; access centrally managed via secure identity platforms; Mobile Device Management (MDM) on devices touching internal systems.
remove.bgSecurity testing standard
References industry-recognised standards such as the OWASP Web Security Testing Guide.
remove.bgUptime / availability
99.99% uptime achieved in 2024 (self-reported, not independently audited in evidence gathered).
remove.bgData Processing Agreement
DPA offered in line with Article 28 GDPR for personal-data processing.
remove.bg// Products & data scope
data: Single-image uploads processed and auto-deleted (~60 min); AI training on by default per group policy with an opt-out toggle (Canva account settings), not independently confirmed on remove.bg domain.
Free tier with credit-based paid plans; no explicit region guarantee found for this tier.
data: Processes up to 500 images/minute; same retention posture as consumer tier.
Aimed at photographers/e-commerce sellers.
data: HTTPS-only; images processed and deleted per stated retention window.
Integrates with Photoshop, Figma, Zapier, CLI tools.
data: GDPR compliant; all images processed in the EU; dedicated Customer Success Manager; flexible API/credit/rate limits.
Only tier with an explicit EU-only data-region commitment found on remove.bg's own domain.
// What to watch
- Identity/scope nuance: SOC 2 Type II and ISO 27001 are held by parent Canva Austria GmbH's org-wide security program, referenced via remove.bg's own blog which designates the Canva Trust Portal (trust.canva.com/?product=removebg) as 'remove.bg's Security Portal.' remove.bg's own domain text never states 'SOC 2' or 'ISO 27001' verbatim; the audit boundary confirming remove.bg's specific infrastructure is inside the certified scope could not be independently verified (SafeBase portal did not expose product-scoped certificate detail via automated fetch). Treat as a Canva-program certification extended to remove.bg, not a remove.bg-specific audit, until confirmed by the vendor.
- AI-training opt-out mechanism for remove.bg specifically is not documented on remove.bg's own domain; the tiered opt-out (Free/Pro trains by default, Team/Business/Enterprise never trains) is documented only in Canva's separate, Canva Pty Ltd-controlled group privacy policy, whose applicability to the Canva Austria GmbH-controlled remove.bg product is not explicitly confirmed in evidence gathered. This is a legacy-brand-page vs. current-group-AI-policy contradiction risk and should be confirmed directly with the vendor before publishing an opt-out claim.
- Two different data-controller statements exist across Canva properties: remove.bg's own privacy policy names 'Canva Austria GmbH, through its brands Kaleido, remove.bg, Unscreen or Designify' as controller, while canva.com's main privacy policy names 'Canva Pty Ltd' as controller for GDPR purposes. Do not conflate the two entities' certification or policy scopes when listing remove.bg.
// At a glance
Pricing model
Freemium (limited free previews) plus pay-as-you-go credits, subscription plans, and custom Enterprise contracts.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Canva Austria GmbH (operating remove.bg; formerly Kaleido AI GmbH, acquired by Canva in 2021)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.canva.com