// Trust & Security Report

    Anchor Labs Inc. logo

    Anchor Labs Inc.

    Online graphic design tool (getstencil.com) for creating social media graphics, blog headers, and ads; browser extensions for Chrome and Firefox; WordPress plugin. NOTE: service is being permanently shut down on July 10, 2026.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    No public evidence. No trust center page exists (getstencil.com/security returns 404, getstencil.com/trust returns 404). No mention of SOC 2 on the privacy policy, EU GDPR page, or Terms of Use.

    source: getstencil.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not referenced on any vendor-domain page reviewed.

    source: getstencil.com
    GDPR (posture)
    NOT CONFIRMED

    Vendor maintains a separate EU data protection page and states it was 'initially prepared in order to be compliant with the General Data Protection Regulation (GDPR) rules.' However, the main privacy policy was last updated December 18, 2019 and no DPA is publicly available. Posture is self-declared and unaudited.

    source: getstencil.com
    HIPAA
    NOT CONFIRMED

    No public evidence and not applicable — product is a graphic design tool that does not handle protected health information.

    source: getstencil.com
    PCI DSS
    NOT CONFIRMED

    Payment processing is delegated to Stripe and PayPal per the EU privacy page. No PCI DSS claim made by vendor. Credit card data is not stored on Stencil servers per the privacy policy: 'After a transaction, your private information (credit cards, financials, etc.) will not be stored on our servers.'

    source: getstencil.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    Not applicable — Stencil is not an AI product. No AI features are described on the vendor site.

    source: getstencil.com
    CSA STAR
    NOT CONFIRMED

    No public evidence.

    source: getstencil.com
    FedRAMP
    NOT CONFIRMED

    No public evidence and not applicable for a small Canadian graphic design startup.

    source: getstencil.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not explicitly stated. Third-party services include Amazon AWS (implied US/global). EU GDPR page references over 30 sub-processors including Google Analytics, Stripe, PayPal, and Mailgun without specifying storage regions.

    Not applicable. Stencil is a non-AI graphic design tool. No AI model training or inference features are described anywhere on the vendor site.

    // Security controls

    Encryption in transit

    SSL/TLS (SSL certificates mentioned); PGP encryption protocols also referenced in EU privacy page

    getstencil.com

    Encryption at rest

    Not stated

    getstencil.com

    Access controls

    Role-based administrator permissions limiting data exposure; restricted database and server access

    getstencil.com

    Credential management

    Password and API key rotation mentioned

    getstencil.com

    Data breach response

    EU GDPR page describes a breach protocol: disable access, change credentials, notify users, investigate, and implement preventative changes. No SLA or notification timeframe stated.

    getstencil.com

    Data Protection Officer

    Oliver Nassar (oliver@getstencil.com) identified as DPO

    getstencil.com

    Bug bounty

    Bug Bounty link appears in site footer, but target URL was not captured in evidence; no program details confirmed

    getstencil.com

    Credit card storage

    Not stored on Stencil servers; handled by Stripe and PayPal

    getstencil.com

    // Products & data scope

    Stencil Web AppGraphic Design / Social Media Image Creation

    data: User account data (name, email, IP), uploaded images, fonts, logos; social account tokens if social sharing is used; payment data routed through Stripe/PayPal

    Core product. Service ending July 10, 2026.

    Stencil Chrome ExtensionBrowser Extension

    data: Same as web app; operates in-browser

    Service ending July 10, 2026.

    Stencil Firefox Add-onBrowser Extension

    data: Same as web app

    Service ending July 10, 2026.

    Stencil WordPress PluginCMS Integration

    data: Same as web app; integrates with WordPress editorial workflow

    Service ending July 10, 2026.

    // What to watch

    • SERVICE SHUTDOWN: Stencil homepage displays 'Stencil service ends on July 10' (2026). The service will be permanently discontinued 11 days from assessment date. AIFOXX should not list this vendor as an active tool.
    • OUTDATED PRIVACY POLICY: Main privacy policy was last updated December 18, 2019 (over 6 years ago). The EU GDPR sub-page was not date-stamped in captured content.
    • NO SECURITY CERTIFICATIONS: No SOC 2, ISO 27001, HIPAA, PCI DSS, or any other formal certification is held or claimed. No trust center exists.
    • NO DPA: No Data Processing Agreement is publicly available. GDPR compliance is self-declared with no audit or DPA offering.
    • VAGUE SECURITY CLAIMS: EU GDPR page references 'PGP encryption protocols' alongside SSL, which is an unusual and unverified claim for a web SaaS product. No third-party audit to substantiate.
    • LARGE SUB-PROCESSOR LIST: Over 30 sub-processors listed including advertising and analytics services, with no data residency commitments stated.
    • STARTUP ENTITY: Legal entity is Anchor Labs Inc., a small Ontario (Canada) corporation with no public financial disclosures or audited security posture.

    // At a glance

    Pricing model

    Freemium; monthly and yearly subscription tiers (exact pricing not captured). 7-day money-back guarantee. Prices denominated in USD.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Anchor Labs Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    getstencil.com

    > Browse all vendor trust reports