// Trust & Security Report
ECHO INTERNATIONAL HK LIMITED (operating as Tensor.Art)
Consumer-facing AI image/video generation and Stable-Diffusion-family model hosting platform (tensor.art): free credit-based generation, community model marketplace (Checkpoint/LoRA/LyCORIS), templated "AI Tools" workflows (OC Creator, Anime Lab, Photoreal Studio, Smart Edit, etc.), "Forge" custom LoRA/model training, and paid VIP membership tiers (1-day/30-day/90-day credit passes). No distinct enterprise, team, or API product tier was found documented on the vendor's own site.
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
source: tensor.artNo mention of SOC 2 anywhere on Tensor.Art's Privacy Policy or Terms of Service, and no trust/security page exists on tensor.art. A third-party badge-aggregator site (Nudge Security) lists 'SOC 2' for Tensor.Art, but this is not corroborated by any vendor-domain page and conflicts with the vendor's own policies, which make no such claim -> treated as unverified, not vendor-asserted.
source: tensor.artNo mention of ISO 27001 on tensor.art's Privacy Policy, Terms of Service, or any discoverable page. Third-party aggregator claim (Nudge Security) is unverified and not vendor-asserted.
source: tensor.artNo mention of HIPAA; product is a general-purpose consumer image generator with no health-data use case described. No vendor-domain evidence found.
source: tensor.artPrivacy Policy (last updated Oct 12, 2023) does not reference GDPR, EU data-subject rights, a lawful-basis framework, an EU representative, or a Data Processing Agreement. Operator is Hong Kong-based (ECHO INTERNATIONAL HK LIMITED) with no stated EU entity or EU-specific process, despite an apparently global user base.
source: tensor.artNo mention of PCI DSS in the Privacy Policy, Terms of Service, or VIP Membership terms, despite the platform processing paid subscriptions.
source: tensor.artNo public evidence found on any tensor.art page.
source: tensor.artNo public evidence found on any tensor.art page; no AI-governance certification referenced.
source: tensor.artNo public evidence on tensor.art. A third-party aggregator (Nudge Security) lists 'CSA Star Level 1' but this is unverified and not corroborated by the vendor's own site.
source: tensor.artNot applicable / no public evidence; this is a consumer product with no stated US-government customer base. A third-party aggregator lists 'FedRamp' but this is unverified and not vendor-asserted.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not disclosed. No data-center region, residency, or cross-border-transfer commitments stated in the Privacy Policy. Operating entity is Hong Kong-based (ECHO INTERNATIONAL HK LIMITED, RM 1903, 19/F Lee Garden One, 33 Hysan Avenue, Causeway Bay, HK).
Privacy Policy states user activity, uploaded images, and generated-content data are used for 'providing, customizing, and improving' the service, 'measurement, analytics,' and 'conducting research and innovation for social good purposes' - vague language that could encompass model/feature improvement but is never stated explicitly. Separately, the policy references 'data you provide when using our Model Training features,' which appears to describe user-initiated custom LoRA/model training on their own uploads (a product feature), not a statement that Tensor.Art trains its own foundation models on all user content. No opt-out mechanism for any training use is described anywhere on the site.
// Security controls
Encryption in transit / at rest
Not disclosed. Policy states only generic 'physical, electronic, and managerial procedures' to safeguard data; no specifics on TLS or at-rest encryption.
tensor.artData retention
Internally inconsistent: policy states data is 'officially' retained for up to 60 days, but adds that 'in practice, we may store data for a longer period' for unspecified 'annual reporting purposes,' with no fixed maximum stated.
tensor.artThird-party data sharing
Vendor states it will 'never sell' user information, but shares data with content-safety review vendors, risk-control/anti-fraud vendors, advertising partners, and affiliated companies under various conditions described in the policy.
tensor.artMinimum account age
Users must be 18 years or older to create an account, per Terms of Service.
tensor.artVulnerability disclosure / bug bounty
No dedicated security page, vulnerability-disclosure policy, or bug bounty program was found on tensor.art via direct site navigation or search.
tensor.art// Products & data scope
data: Account profile (name, email, settings), generated/uploaded images, activity and interaction metadata, device/browser data
Free credit-based generation; content posting to a public community feed; models/LoRAs browsable and downloadable.
data: Same as free tier plus payment/billing information
Credit-based paid tiers (e.g. 300 daily credits); no evidence of a separate enterprise/team data-handling or contractual framework.
data: User-uploaded training image sets used to create custom LoRA/checkpoint models that are then published to the platform
User-initiated training on the user's own data; no enterprise-grade governance, isolation, or deletion guarantees documented.
// What to watch
- Third-party aggregator site (Nudge Security / security-profiles.nudgesecurity.com) lists SOC 2, ISO 27001, HIPAA, PCI, GDPR, FedRAMP, and CSA STAR Level 1 badges for Tensor.Art, but none of these appear anywhere on tensor.art's own Privacy Policy, Terms of Service, or any discoverable trust/security page. This is likely an inaccurate or template-generated third-party listing and should not be used as proof; treat as an unresolved over-claim risk if it has influenced any prior AIFOXX listing for this vendor.
- Data retention language is internally inconsistent (states 60 days 'officially' but 'may store data for a longer period' with no cap) - a fairness/transparency concern worth surfacing to buyers.
- No explicit statement on whether user content/prompts are used to train Tensor.Art's own models, and no training opt-out described.
- No DPA, no EU representative, and no GDPR-specific language despite an apparently global (including EU-reachable) user base.
// At a glance
Pricing model
Freemium with credit-based VIP subscription tiers (1-day/30-day/90-day passes)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ECHO INTERNATIONAL HK LIMITED (operating as Tensor.Art)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
tensor.art