// Trust & Security Report
Anchor Labs Inc.
Online graphic design tool (getstencil.com) for creating social media graphics, blog headers, and ads; browser extensions for Chrome and Firefox; WordPress plugin. NOTE: service is being permanently shut down on July 10, 2026.
Certifications held
0
Maturity
Startup
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: getstencil.comNo public evidence. No trust center page exists (getstencil.com/security returns 404, getstencil.com/trust returns 404). No mention of SOC 2 on the privacy policy, EU GDPR page, or Terms of Use.
source: getstencil.comNo public evidence. Not referenced on any vendor-domain page reviewed.
source: getstencil.comVendor maintains a separate EU data protection page and states it was 'initially prepared in order to be compliant with the General Data Protection Regulation (GDPR) rules.' However, the main privacy policy was last updated December 18, 2019 and no DPA is publicly available. Posture is self-declared and unaudited.
source: getstencil.comNo public evidence and not applicable — product is a graphic design tool that does not handle protected health information.
source: getstencil.comPayment processing is delegated to Stripe and PayPal per the EU privacy page. No PCI DSS claim made by vendor. Credit card data is not stored on Stencil servers per the privacy policy: 'After a transaction, your private information (credit cards, financials, etc.) will not be stored on our servers.'
source: getstencil.comNot applicable — Stencil is not an AI product. No AI features are described on the vendor site.
source: getstencil.comNo public evidence and not applicable for a small Canadian graphic design startup.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not explicitly stated. Third-party services include Amazon AWS (implied US/global). EU GDPR page references over 30 sub-processors including Google Analytics, Stripe, PayPal, and Mailgun without specifying storage regions.
Not applicable. Stencil is a non-AI graphic design tool. No AI model training or inference features are described anywhere on the vendor site.
// Security controls
Encryption in transit
SSL/TLS (SSL certificates mentioned); PGP encryption protocols also referenced in EU privacy page
getstencil.comAccess controls
Role-based administrator permissions limiting data exposure; restricted database and server access
getstencil.comData breach response
EU GDPR page describes a breach protocol: disable access, change credentials, notify users, investigate, and implement preventative changes. No SLA or notification timeframe stated.
getstencil.comBug bounty
Bug Bounty link appears in site footer, but target URL was not captured in evidence; no program details confirmed
getstencil.com// Products & data scope
data: User account data (name, email, IP), uploaded images, fonts, logos; social account tokens if social sharing is used; payment data routed through Stripe/PayPal
Core product. Service ending July 10, 2026.
data: Same as web app; operates in-browser
Service ending July 10, 2026.
data: Same as web app
Service ending July 10, 2026.
data: Same as web app; integrates with WordPress editorial workflow
Service ending July 10, 2026.
// What to watch
- SERVICE SHUTDOWN: Stencil homepage displays 'Stencil service ends on July 10' (2026). The service will be permanently discontinued 11 days from assessment date. AIFOXX should not list this vendor as an active tool.
- OUTDATED PRIVACY POLICY: Main privacy policy was last updated December 18, 2019 (over 6 years ago). The EU GDPR sub-page was not date-stamped in captured content.
- NO SECURITY CERTIFICATIONS: No SOC 2, ISO 27001, HIPAA, PCI DSS, or any other formal certification is held or claimed. No trust center exists.
- NO DPA: No Data Processing Agreement is publicly available. GDPR compliance is self-declared with no audit or DPA offering.
- VAGUE SECURITY CLAIMS: EU GDPR page references 'PGP encryption protocols' alongside SSL, which is an unusual and unverified claim for a web SaaS product. No third-party audit to substantiate.
- LARGE SUB-PROCESSOR LIST: Over 30 sub-processors listed including advertising and analytics services, with no data residency commitments stated.
- STARTUP ENTITY: Legal entity is Anchor Labs Inc., a small Ontario (Canada) corporation with no public financial disclosures or audited security posture.
// At a glance
Pricing model
Freemium; monthly and yearly subscription tiers (exact pricing not captured). 7-day money-back guarantee. Prices denominated in USD.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Anchor Labs Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
getstencil.com