// Trust & Security Report

    WOMBO Studios Inc. logo

    WOMBO Studios Inc.

    WOMBO Dream is an AI-powered text-to-image and text-to-video generator with 100+ artistic styles, powered by Stable Diffusion. Consumer-focused entertainment product with 200M+ downloads.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance
    HELD

    Privacy policy states verbatim: 'Depending on your jurisdiction, you may have rights to: Access or receive a copy of your personal information. Correct inaccurate or incomplete data. Delete certain data ("right to be forgotten"). Restrict or object to certain processing. Withdraw consent for marketing or non-essential cookies. Receive your data in a portable format. Lodge a complaint with a supervisory authority.' Cross-border transfers rely on 'Standard Contractual Clauses, adequacy decisions, or your explicit consent.' Note: the policy documents GDPR-style data subject rights but does not name GDPR explicitly, and there is no third-party GDPR attestation (GDPR compliance is self-declared).

    Verify on w.ai
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence on vendor domain. Nudge Security security profile lists 'SOC 2 Compliant' but explicitly notes 'other security documentation links (security page, bug bounty program, vulnerability disclosure) were not populated in this profile.' Claims unverified.

    source: dream.ai
    ISO 27001
    NOT CONFIRMED

    No public evidence on vendor domain. Nudge Security lists claim but without independent verification. WOMBO's privacy policy at w.ai/privacy-policy makes no mention of ISO 27001 certification.

    source: w.ai
    HIPAA Compliance
    NOT CONFIRMED

    No public evidence on vendor domain. WOMBO Dream is a consumer AI art generator, not a covered entity under HIPAA (no healthcare services). Nudge Security claim unverified and likely inapplicable.

    source: dream.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on vendor domain. WOMBO Dream is a consumer product with no indication of federal contracting status. Nudge Security claim unverified.

    source: dream.ai
    PCI DSS Compliance
    NOT CONFIRMED

    No public evidence on vendor domain. Privacy policy does not mention PCI compliance. Nudge Security claim unverified.

    source: w.ai
    CSA STAR Level 1
    NOT CONFIRMED

    No public evidence on vendor domain. No mention in privacy policy or any WOMBO-owned web properties. Nudge Security claim unverified.

    source: dream.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Operations span US, Canada, EEA, UK, Singapore. Privacy policy states reliance on 'Standard Contractual Clauses, adequacy decisions, or your explicit consent' for cross-border transfers.

    Privacy policy states verbatim: 'We do not sell your personal information for money, nor do we allow third-party model providers to train on your raw content without your explicit permission.' It also states 'we only train or fine-tune models on anonymized or aggregated data unless you opt-in.' No explicit opt-out mechanism is published, and these claims are self-declared with no independent audit.

    // Security controls

    Encryption in transit

    No public evidence. The privacy policy's Data Security section provides no substantive detail and does not mention encryption, TLS, or secure connections. WOMBO publishes no security page documenting encryption practices.

    w.ai

    Data retention

    CEO states 'all user data is deleted after 24 hours.' Privacy policy states retention 'only as long as necessary to fulfill the purposes.'

    en.wikipedia.org

    Third-party sharing

    Shares data with service providers (hosting, analytics, support), AWS, Netlify, Google Workspace, Google Analytics, and payment processors.

    security-profiles.nudgesecurity.com

    Biometric data handling

    Facial feature data temporarily shared with AWS to enable photo animation. Google Play store declares 'No data shared with third parties' but this contradicts documented AWS sharing for biometric processing.

    play.google.com

    Authentication

    Supports Okta, Google Login, Microsoft Login, and SSO capabilities.

    security-profiles.nudgesecurity.com

    // Products & data scope

    WOMBO DreamAI Art & Video Generator

    data: Text prompts, generated images/videos, optional user account data (email, user ID), device identifiers, crash logs, app interaction data

    Consumer-focused product. 200M+ downloads as of 2024. Text-to-image powered by Stable Diffusion. Optional biometric input for deepfake/avatar features. Available on iOS, Android, and web.

    WOMBO Me (legacy)AI Avatar Generator

    data: User photos (optional selfies)

    Launched 2023, generates avatars from single selfies with professional and imaginative avatar packs

    w.aiDistributed Computing Platform

    data: Compute network participation data, optional account information

    Separate from Dream consumer product. Described as 'decentralized AI supercomputer.' Privacy policy at w.ai/privacy-policy governs both w.ai and WOMBO Dream services.

    // What to watch

    • OVER-CLAIM ALERT: Nudge Security lists 7 major certifications (SOC 2, ISO 27001, HIPAA, FedRamp, PCI, CSA STAR Level 1, GDPR-compliant) but NONE are independently verified on WOMBO's official domains (dream.ai or w.ai). Nudge Security's own profile states 'other security documentation links (security page, bug bounty program, vulnerability disclosure) were not populated in this profile,' suggesting claims are unverified or self-reported. This is a critical discrepancy.
    • HOST vs VENDOR CERT CONFUSION: AWS data centers used for biometric processing are SOC 2 certified (AWS's cert, not WOMBO's). Biometric data sharing with AWS does not grant WOMBO certification.
    • NO TRUST CENTER: dream.ai has no published trust center, security page, or compliance documentation. 404s on /trust-center, /compliance, /legal/privacy attempts.
    • CONTRADICTORY DATA SHARING CLAIMS: Google Play store declares 'No data shared with third parties' but documented evidence shows sharing with AWS for biometric processing.
    • ACTIVE LITIGATION: Class action lawsuit filed August 2024 alleging illegal biometric data collection and sharing without Illinois BIPA consent. Lawsuit ongoing as of November 2025. This is a material legal/compliance risk.
    • PRIVACY POLICY SCOPE UNCERTAINTY: Privacy policy at w.ai/privacy-policy governs both w.ai (distributed compute) and WOMBO Dream (consumer art tool). Unclear if all privacy terms apply equally to both products.
    • NO FORMAL AUDIT REPORTS: No SOC 2 reports, ISO 27001 certificates, or other audit documentation published or discoverable.
    • INCOMPLETE AI TRAINING TRANSPARENCY: Privacy policy claims 'anonymized or aggregated data' for training, but no detailed explanation of anonymization methods or independent audit of compliance.

    // At a glance

    Pricing model

    Freemium with premium subscription tier. Premium offers priority processing, ad removal, higher quality outputs.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on WOMBO Studios Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    w.ai

    > Browse all vendor trust reports