April 4, 2025

Recraft Security, Privacy & Compliance Overview

Recraft is committed to maintaining the highest security, privacy, and compliance standards while delivering exceptional service to users.

This comprehensive overview outlines robust security infrastructure, data protection measures, and compliance certifications that safeguard user information across all platforms. This document is a detailed resource for understanding how Recraft protects user data, manages security risks, and ensures business continuity through disaster recovery planning.

We uphold the privacy of our users by fighting against ads, trackers, and other impingements on privacy. We will never profit by monetizing your data; we seek to fulfill our company mission by delivering a great product and service.

Our commitment to privacy and data protection is reflected in this Policy, which describes how we collect and process “personal information” that identifies you, like your name or email address. Any other information is “non-personal information”. If we store personal information together with non-personal information, we consider the combined data to be personal information.

Third-party services that we integrate with the Services are governed under their own respective privacy policies.

Personal Data Definition and Storage


Recraft considers the following information as personal data:

However, Recraft does not store or process payment information directly. All financial transactions are handled securely by third-party sub-processors, including Stripe and Google Play, which manage payment processing and securely store financial details in compliance with industry standards. 

Deleting personal data

If a user requests to delete their personal data, Recraft ensures that all associated data is permanently removed from our systems. By default, we do not count images as personal information, only email, name, and financial data. Currently, there is no mechanism to detect personal information within user inputs. As a result, we cannot automatically identify or remove such data.

SOC 2 Certification

Recraft is SOC 2 certified, ensuring our systems meet the highest security, availability, and confidentiality standards. This certification demonstrates our commitment to safeguarding user data and maintaining a secure infrastructure for all our services. A SOC 2 report is undertaken by an independent auditing firm and is intended to provide you with proof that.


PCI DSS Compliance

Recraft is PCI DSS compliant, ensuring all payment transactions adhere to the highest security standards. We process all payments exclusively through Stripe and Google Pay, a trusted payment provider that meets PCI DSS Level 1 certification—the industry's most stringent level of security. Recraft does not store, process, or have access to any financial customer data, as Stripe securely handles all payment information. This guarantees that all transactions remain encrypted and protected, minimizing security risks for our users.

A list of Recraft’s Subprocessors can be found here.

Physical Security

Recraft does not operate its own data centers. Instead, we utilize secure cloud-based solutions from trusted third-party subprocessors to ensure high availability, scalability, and compliance with industry security standards.


Physical Access to Host Servers

Only data center employees have physical access to the host servers. Recraft does not operate its own data centers and relies on trusted third-party cloud providers that enforce strict access controls. No Recraft employees, vendors, or external parties have direct physical access to the infrastructure.

Physical Security, Disaster Recovery, Backup Measures

Recraft operates entirely on secure cloud-based infrastructure, leveraging trusted third-party cloud providers to ensure enterprise-grade security, availability, and disaster resilience. Our security approach includes physical, operational, and data protection measures designed to safeguard user information and maintain uninterrupted service.

Physical Security Policy

Recraft ensures that physical access to its facilities and data is strictly controlled to prevent tampering, theft, damage, or unauthorized access to information assets.


Access Controls

Workstation Security

Data Center Security

Disaster Recovery & Redundancy

Recraft’s Disaster Recovery Plan (DRP) outlines procedures for recovering operations in case of natural disasters, cyber incidents, or system failures. It ensures business continuity and minimizes downtime through structured response phases.

Disaster Recovery Phases

Threat & Risk Assessment

Recraft evaluates potential disruptive threats (natural, political, cyber, internal risks) and maintains a detailed IT Risk Assessment to mitigate vulnerabilities.


Testing & Maintenance

Annual disaster recovery tests are performed, including:

Data Backup & Protection

Recraft ensures the confidentiality, integrity, and availability of data through daily automated backups, safeguarding customer and system data against loss or disaster.


Backup & Retention Policy

Backup & Recovery Procedures

Customer Data:

Source Code:

Systems Security

Are vulnerability assessments regularly performed against the systems?

Yes, Recraft conducts regular vulnerability assessments to identify and mitigate potential security risks. These assessments include automated scanning, penetration testing, and continuous monitoring to ensure system integrity.

Are file permissions set on a need-to-access basis only?

Yes, Recraft enforces role-based access controls (RBAC) and least privilege principles, ensuring that file permissions are granted only to authorized personnel based on job function and necessity.

Privacy/Confidentiality of Data

How does your company protect the privacy of any member and/or account information that may be collected and maintained through this service?

Recraft ensures data privacy and security through multiple layers of protection:

What happens to customer data if service with your company is terminated?

Upon account deletion, all personal information is permanently erased from Recraft’s systems in compliance with data protection policies.

User Account and Password Policy

Recraft employs a passwordless authentication system to enhance security and user convenience.

Allowed Authentication Methods:

This approach ensures a secure and frictionless login experience, reducing vulnerabilities while maintaining strict access controls.
