// Trust & Security Report
Cedar Lake Ventures, Inc.
Vectorizer.AI (AI raster-to-vector image conversion). Operated alongside sibling product Vector Magic by the same legal entity (privacy contact is privacy@vectormagic.com).
Certifications held
2
Maturity
Startup
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on vectorizer.ai“We will not store or collect your payment card details. That information is provided directly to our third-party payment processors ... These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council. (PCI-DSS compliance is held by Stripe/PayPal/Braintree, NOT by the vendor itself.)”
Verify on vectorizer.ai“If you are a resident of the European Economic Area (EEA), the European Union has declared that you have certain data protection rights ... You can exercise all the aforementioned rights by emailing us at privacy@vectormagic.com. We shall address your request within 30 days of its receipt. The policy also documents the GDPR legal basis for each data category. (This is a stated GDPR posture, not a third-party certification.)”
> Show 3 unconfirmed / not-held certifications
source: vectorizer.aiNo SOC 2 claim appears anywhere on the vendor's site (no trust center, no security page beyond the Privacy Policy 'Security' section). The Privacy Policy only states industry-standard measures, not an audited attestation.
source: vectorizer.aiNo ISO 27001 claim found on the vendor's domain or in web search of the vendor/parent entity.
source: vectorizer.aiNo HIPAA references; service is a general-purpose image vectorizer not intended for PHI.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not stated
Data region
Not explicitly stated. Privacy Policy 'Transfer of Data' clause says data 'may be transferred to and maintained on computers located outside of your ... jurisdiction.' The only named subprocessors are email and analytics providers (Amazon Web Services Simple Email Service, Google G Suite, Google Analytics) plus payment processors (Stripe, PayPal/Braintree); the policy does not name the image-processing infrastructure or its location. US-based processing is inferred from the US legal entity, not confirmed by a stated data-residency commitment. No region selection offered.
Two distinct directions. (1) USERS are strictly prohibited from training on the vendor's outputs: 'No training, fine-tuning, evaluation, benchmarking, red-teaming, or dataset construction for any AI or ML system' and 'you may not use the output of our service for training machine learning models ... We view this as a form of reverse engineering.' (2) The VENDOR reserves the right to use customer-uploaded images to improve its own models: the Privacy Policy states for Image Processing Records, 'From time to time, we may also use them to improve the image processing algorithms that underlie the services we offer,' and the homepage FAQ says 'Our terms of service just grant us the rights we need to deliver the service to you, and to improve our products.' The Terms grant a 'worldwide, non-exclusive, perpetual, irrevocable, royalty-free ... license to use, modify, reproduce ... and otherwise fully exploit the Private User Submissions as needed to provide you with the Service.' Vendor states it 'won't share your images with third parties unless you explicitly authorize us to do so.' Their core deep-learning model was trained on a 'proprietary dataset,' not stated to be customer uploads.
// Security controls
Access controls
Stated - 'we implement data security organizational access controls' and 'industry standard technical and organizational measures'
vectorizer.aiData retention
CONFLICTING. Homepage FAQ: 'we retain uploaded images and results for 24 hours, and permanently delete them shortly thereafter.' Privacy Policy: 'Records not associated with an account are deleted or anonymized within a year of creation. Image processing records associated with an account are retained indefinitely.'
vectorizer.aiBug bounty program
None found (no HackerOne/Bugcrowd, no security.txt / responsible-disclosure page)
vectorizer.aiPayment security
Vendor does not store card data; handled by Stripe and PayPal/Braintree (PCI-DSS compliant processors)
vectorizer.ai// Products & data scope
data: User uploads raster images (PNG/JPG/GIF/BMP/WebP, max 3MP / 30MB). Account requires email + password; IP and timestamps logged for fraud prevention. Uploaded images stored on vendor servers; account-associated image records retained indefinitely per Privacy Policy.
EUR 8.99/month unlimited web images. No API access. Vendor reserves the right to use uploads to improve its algorithms.
data: Programmatic image submission. Credit-based: 1 credit = 1 API image. Same upload/processing data flow and license grant as web app. API keys are 'personal, confidential, and non-transferable.'
Tiers 50 credits (EUR 8.99) up to 100,000 credits (EUR 4,499); per-image EUR 0.180 down to EUR 0.045. 'Need more credits?' implies informal custom/enterprise volume arrangements. No formal enterprise compliance tier advertised.
data: Separate product operated by Cedar Lake Ventures with its own privacy policy; shares the privacy@vectormagic.com contact. Not assessed here.
Indicates a small multi-product image-tooling company rather than a single-tool startup.
// What to watch
- Conflicting data-retention statements: homepage says 24-hour deletion; Privacy Policy says account-linked image records are 'retained indefinitely' and non-account records deleted/anonymized within a year. A reviewer should clarify which governs.
- Vendor reserves the right to use customer-uploaded images to 'improve the image processing algorithms' (model improvement on customer data by default), despite barring users from training on its outputs.
- Broad IP license over uploads: 'worldwide, non-exclusive, perpetual, irrevocable, royalty-free ... sublicensable and transferable license to ... fully exploit the Private User Submissions.'
- No SOC 2 / ISO 27001 / trust center / bug bounty / pen-test disclosure. Encryption-at-rest and subprocessor list (beyond AWS, Google, Stripe, PayPal) not documented.
- No DPA offered or referenced; not suitable for regulated/confidential or PHI data without a negotiated agreement.
- Privacy Policy effective date is 2018 (older), while Terms were refreshed Oct 23, 2025 - some asymmetry between the two documents.
// At a glance
Pricing model
Subscription (web, EUR 8.99/mo unlimited) + usage-based API credits (EUR 8.99 to EUR 4,499/mo tiers, credits roll over up to 5x). Non-refundable; remaining credits forfeited on cancellation.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Cedar Lake Ventures, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
vectorizer.ai