// Trust & Security Report

    ECHO INTERNATIONAL HK LIMITED (operating as Tensor.Art) logo

    ECHO INTERNATIONAL HK LIMITED (operating as Tensor.Art)

    Consumer-facing AI image/video generation and Stable-Diffusion-family model hosting platform (tensor.art): free credit-based generation, community model marketplace (Checkpoint/LoRA/LyCORIS), templated "AI Tools" workflows (OC Creator, Anime Lab, Photoreal Studio, Smart Edit, etc.), "Forge" custom LoRA/model training, and paid VIP membership tiers (1-day/30-day/90-day credit passes). No distinct enterprise, team, or API product tier was found documented on the vendor's own site.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No mention of SOC 2 anywhere on Tensor.Art's Privacy Policy or Terms of Service, and no trust/security page exists on tensor.art. A third-party badge-aggregator site (Nudge Security) lists 'SOC 2' for Tensor.Art, but this is not corroborated by any vendor-domain page and conflicts with the vendor's own policies, which make no such claim -> treated as unverified, not vendor-asserted.

    source: tensor.art
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 on tensor.art's Privacy Policy, Terms of Service, or any discoverable page. Third-party aggregator claim (Nudge Security) is unverified and not vendor-asserted.

    source: tensor.art
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA; product is a general-purpose consumer image generator with no health-data use case described. No vendor-domain evidence found.

    source: tensor.art
    GDPR (compliance claim)
    NOT CONFIRMED

    Privacy Policy (last updated Oct 12, 2023) does not reference GDPR, EU data-subject rights, a lawful-basis framework, an EU representative, or a Data Processing Agreement. Operator is Hong Kong-based (ECHO INTERNATIONAL HK LIMITED) with no stated EU entity or EU-specific process, despite an apparently global user base.

    source: tensor.art
    PCI DSS
    NOT CONFIRMED

    No mention of PCI DSS in the Privacy Policy, Terms of Service, or VIP Membership terms, despite the platform processing paid subscriptions.

    source: tensor.art
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on any tensor.art page.

    source: tensor.art
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence found on any tensor.art page; no AI-governance certification referenced.

    source: tensor.art
    CSA STAR
    NOT CONFIRMED

    No public evidence on tensor.art. A third-party aggregator (Nudge Security) lists 'CSA Star Level 1' but this is unverified and not corroborated by the vendor's own site.

    source: tensor.art
    FedRAMP
    NOT CONFIRMED

    Not applicable / no public evidence; this is a consumer product with no stated US-government customer base. A third-party aggregator lists 'FedRamp' but this is unverified and not vendor-asserted.

    source: tensor.art

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not disclosed. No data-center region, residency, or cross-border-transfer commitments stated in the Privacy Policy. Operating entity is Hong Kong-based (ECHO INTERNATIONAL HK LIMITED, RM 1903, 19/F Lee Garden One, 33 Hysan Avenue, Causeway Bay, HK).

    Privacy Policy states user activity, uploaded images, and generated-content data are used for 'providing, customizing, and improving' the service, 'measurement, analytics,' and 'conducting research and innovation for social good purposes' - vague language that could encompass model/feature improvement but is never stated explicitly. Separately, the policy references 'data you provide when using our Model Training features,' which appears to describe user-initiated custom LoRA/model training on their own uploads (a product feature), not a statement that Tensor.Art trains its own foundation models on all user content. No opt-out mechanism for any training use is described anywhere on the site.

    // Security controls

    Encryption in transit / at rest

    Not disclosed. Policy states only generic 'physical, electronic, and managerial procedures' to safeguard data; no specifics on TLS or at-rest encryption.

    tensor.art

    Data retention

    Internally inconsistent: policy states data is 'officially' retained for up to 60 days, but adds that 'in practice, we may store data for a longer period' for unspecified 'annual reporting purposes,' with no fixed maximum stated.

    tensor.art

    Third-party data sharing

    Vendor states it will 'never sell' user information, but shares data with content-safety review vendors, risk-control/anti-fraud vendors, advertising partners, and affiliated companies under various conditions described in the policy.

    tensor.art

    Minimum account age

    Users must be 18 years or older to create an account, per Terms of Service.

    tensor.art

    Vulnerability disclosure / bug bounty

    No dedicated security page, vulnerability-disclosure policy, or bug bounty program was found on tensor.art via direct site navigation or search.

    tensor.art

    // Products & data scope

    Tensor.Art free tier (web/app)Consumer AI image/video generation & community platform

    data: Account profile (name, email, settings), generated/uploaded images, activity and interaction metadata, device/browser data

    Free credit-based generation; content posting to a public community feed; models/LoRAs browsable and downloadable.

    Tensor.Art VIP Membership (1-day / 30-day / 90-day)Consumer subscription

    data: Same as free tier plus payment/billing information

    Credit-based paid tiers (e.g. 300 daily credits); no evidence of a separate enterprise/team data-handling or contractual framework.

    Forge / AI Tools / custom model trainingCreator tooling

    data: User-uploaded training image sets used to create custom LoRA/checkpoint models that are then published to the platform

    User-initiated training on the user's own data; no enterprise-grade governance, isolation, or deletion guarantees documented.

    // What to watch

    • Third-party aggregator site (Nudge Security / security-profiles.nudgesecurity.com) lists SOC 2, ISO 27001, HIPAA, PCI, GDPR, FedRAMP, and CSA STAR Level 1 badges for Tensor.Art, but none of these appear anywhere on tensor.art's own Privacy Policy, Terms of Service, or any discoverable trust/security page. This is likely an inaccurate or template-generated third-party listing and should not be used as proof; treat as an unresolved over-claim risk if it has influenced any prior AIFOXX listing for this vendor.
    • Data retention language is internally inconsistent (states 60 days 'officially' but 'may store data for a longer period' with no cap) - a fairness/transparency concern worth surfacing to buyers.
    • No explicit statement on whether user content/prompts are used to train Tensor.Art's own models, and no training opt-out described.
    • No DPA, no EU representative, and no GDPR-specific language despite an apparently global (including EU-reachable) user base.

    // At a glance

    Pricing model

    Freemium with credit-based VIP subscription tiers (1-day/30-day/90-day passes)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ECHO INTERNATIONAL HK LIMITED (operating as Tensor.Art)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    tensor.art

    > Browse all vendor trust reports