// Trust & Security Report
Stability AI
Stable Video Diffusion (generative video) within Stability AI's multi-modal model suite (image, video, audio, 3D)
Certifications held
4
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.stability.ai“Compliance / SOC 2 Type 2 / ... Security Frameworks / Stability AI Inc. SOC 2 Type 2 Report”
Verify on stability.ai“Standard contractual clauses (SCCs): We rely on the SCCs as approved by the European Commission under Article 46 GDPR ... that allows companies in the EEA to transfer data outside the EEA.”
> Show 1 unconfirmed / not-held certifications
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not stated
Data region
Processed in the US and on servers outside the EEA/UK/Switzerland; EU/UK/Swiss transfers covered by adequacy decisions and SCCs. EU data controller: Stability AI Ltd (London, UK); non-EU data controller: Stability AI US Services Corporation (Los Angeles, CA).
Trains on customer Inputs and Outputs BY DEFAULT to improve and develop models, with a user opt-out available. Privacy Policy: 'When we use your Inputs and Outputs to train our models, you can opt-out of our use of this personal data for these training purposes.' Terms: 'we may use Inputs and Outputs to improve and develop our Services (but you can opt-out ...).' Opt-out is product-specific: Platform API has a dedicated opt-out (kb.stability.ai), Stable Audio via account page, Stable Assistant via turning off chat history. NOTE: the self-hosted Stable Video Diffusion model runs on the customer's own infrastructure, so this default-train behavior applies to hosted Services (API/Brand Studio/Stable Audio/Assistant), not to self-hosted deployments.
// Security controls
Vulnerability Disclosure Program (VDP)
Runs its own VDP (not HackerOne/Bugcrowd). Contact security@stability.ai. 'For information on testing for or submitting to our VDP ... Stability AI's Vulnerability Disclosure Program'
trust.stability.aiBug bounty platform
No HackerOne or Bugcrowd program found; security handled via in-house Vulnerability Disclosure Program
trust.stability.aiPenetration testing
Performed; '2025 Penetration Test Executive Report' published in trust center and control 'Penetration testing performed' listed
trust.stability.aiEncryption
'Data encryption utilized'; 'Encryption key access restricted'; 'Portable media encrypted'
trust.stability.aiAccess controls
'Unique production database authentication enforced'; 'Unique account authentication enforced'
trust.stability.aiBusiness continuity / DR
'Continuity and Disaster Recovery plans established' and 'tested'; 'Cybersecurity insurance maintained'
trust.stability.aiSubprocessors disclosed
AWS (cloud/HPC), Thorn (CSAM dataset filtering), Cinder (AUP monitoring), OpenRouter/Mistral/DeepInfra (AI Enhance Prompt feature)
trust.stability.ai// Products & data scope
data: Deployed on the customer's own infrastructure under a Self-Hosted License; inputs/outputs stay in the customer environment, so Stability's default model-training use does not apply
Primary product for this slug. 'Deploy Stable Video Diffusion on your own infrastructure.' Licensed via Self-Hosted License / Stability AI License / Community License.
data: Inputs/Outputs processed on Stability infrastructure; trains on data by default with a dedicated API opt-out
Enterprise/developer integration path.
data: User-uploaded content and trained LoRAs; shared LoRAs grant Stability a broad hosting license; trains by default with opt-out
Corporate-domain accounts may be linked to an enterprise admin who can view a user's Inputs/Outputs.
data: Inputs/Outputs used for training by default; opt-out per app (account page / disable chat history)
Separate per-app privacy controls.
// What to watch
- Trains on customer Inputs/Outputs BY DEFAULT for hosted Services; opt-out exists but is per-product and not on by default - notable for privacy-sensitive buyers.
- No ISO 27001 or HIPAA evidence found; SOC 2 Type 2 + SOC 3 are the verified enterprise certs.
- Security handled via in-house Vulnerability Disclosure Program, not a managed HackerOne/Bugcrowd bounty.
- Self-hosted Stable Video Diffusion materially changes the data/compliance posture versus the hosted API/apps - directory should distinguish the two.
// At a glance
Pricing model
Mixed: free/community + open model licenses, paid self-hosted enterprise license, subscriptions and prepaid service credits for hosted apps, usage-based Platform API
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Stability AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.stability.ai