This comprehensive overview outlines robust security infrastructure, data protection measures, and compliance certifications that safeguard user information across all platforms. This document is a detailed resource for understanding how Recraft protects user data, manages security risks, and ensures business continuity through disaster recovery planning.

‍

We uphold the privacy of our users by fighting against ads, trackers, and other impingements on privacy. We will never profit by monetizing your data; we seek to fulfill our company mission by delivering a great product and service.

Our commitment to privacy and data protection is reflected in this Policy which describes how we collect and process “personal information” that identifies you, like your name or email address. Any other information besides this is “non-personal information”. If we store personal information with non-personal information, we consider the combined data as personal information.

Third-party services that we integrate with the Services are governed under their own respective privacy policies.

‍

Personal Data Definition and Storage

Recraft considers the following information as personal data:

• Email address
• Full name
• Billing and payment details (e.g., credit card information, banking details)
  
  

However, Recraft does not store or process payment information directly. All financial transactions are handled securely by third-party sub-processors, including Stripe and Google Play, which manage payment processing and securely store financial details in compliance with industry standards. 

‍

Deleting personal data

If a user requests to delete their personal data, Recraft ensures that all associated data is permanently removed from our systems. By default, we do not count images as personal information, only email, name, and financial data. Currently, there is no mechanism to detect personal information within user inputs. As a result, we cannot automatically identify or remove such data.

‍

SOC 2 Certification

Recraft is SOC 2 certified, ensuring our systems meet the highest security, availability, and confidentiality standards. This certification demonstrates our commitment to safeguarding user data and maintaining a secure infrastructure for all our services. A SOC 2 report is undertaken by an independent auditing firm and is intended to provide you with proof that.

PCI DSS Compliance

Recraft is PCI DSS compliant, ensuring all payment transactions adhere to the highest security standards. We process all payments exclusively through Stripe and Google Pay, a trusted payment provider that meets PCI DSS Level 1 certification—the industry's most stringent level of security. Recraft does not store, process, or have access to any financial customer data, as Stripe securely handles all payment information. This guarantees that all transactions remain encrypted and protected, minimizing security risks for our users.

A list of Recraft’s Subprocessors can be found here.

Physical Security

Recraft does not operate its data centers. Instead, we utilize secure cloud-based solutions from trusted third-party subprocessors to ensure high availability, scalability, and compliance with industry security standards.

Physical Access to Host Servers

Only data center employees have physical access to the host servers. Recraft does not operate its own data centers and relies on trusted third-party cloud providers that enforce strict access controls. No Recraft employees, vendors, or external parties have direct physical access to the infrastructure.
‍

‍

Physical Security, Disaster Recovery, Backup Measures
‍

Recraft operates entirely on secure cloud-based infrastructure, leveraging trusted third-party cloud providers to ensure enterprise-grade security, availability, and disaster resilience. Our security approach includes physical, operational, and data protection measures designed to safeguard user information and maintain uninterrupted service.
‍

Physical Security Policy
‍

Recraft ensures that physical access to its facilities and data is strictly controlled to prevent tampering, theft, damage, or unauthorized access to information assets.

Access Controls
‍

• Restricted Access: Only authorized personnel have physical access to Recraft’s facilities.
• Visitor Management: On-site visitors and vendors must be escorted by a Recraft employee at all times.
• Smart Locks & Badge Readers: Access is monitored, and keys/badges are revoked upon termination.

Workstation Security
‍

• Only authorized personnel may access company workstations.
• Workstations must be locked or logged out when unattended.
• Sensitive information must be stored on secured cloud storage, not locally.
• Screen lock policies and encryption are enforced to prevent unauthorized access.

Data Center Security
‍

• Recraft does not operate its own data centers. Instead, physical security is ensured by cloud infrastructure providers.
• These providers implement strict security controls, including biometric access, 24/7 surveillance, and advanced threat protection.

‍

Disaster Recovery & Redundancy

‍

Recraft’s Disaster Recovery Plan (DRP) outlines procedures for recovering operations in case of natural disasters, cyber incidents, or system failures. It ensures business continuity and minimizes downtime through structured response phases.

‍

Disaster Recovery Phases
‍

• Notification/Activation: Damage is assessed, and recovery procedures are initiated by the CEO or Chief of Staff.
• Recovery: Systems are restored at an alternate cloud site using automated scripts, followed by security and functionality testing.
• Reconstitution: Full operations are restored within 24 hours at the original or a new site. DNS updates and security patches are applied.
• Postmortem: A root cause analysis is conducted within 5 business days, ensuring improvements in infrastructure, monitoring, and response procedures.
  ‍

Threat & Risk Assessment
‍

Recraft evaluates potential disruptive threats (natural, political, cyber, internal risks) and maintains a detailed IT Risk Assessment to mitigate vulnerabilities.

Testing & Maintenance
‍

Annual disaster recovery tests are performed, including:

• Tabletop exercises to validate response coordination.
• Technical recovery drills ensuring systems can be restored in an alternate environment.

‍

Data Backup & Protection
‍

Recraft ensures the confidentiality, integrity, and availability of data through daily automated backups, safeguarding customer and system data against loss or disaster.

Backup & Retention Policy
‍

• Backups comply with legal, contractual, and business requirements.
• Data is classified based on Recraft’s Data Classification Policy.
• All critical business data is stored in a company-controlled repository.
• Security documentation and audit trails are retained for at least seven years unless otherwise specified.

‍

Backup & Recovery Procedures
‍

Customer Data:

• Stored securely in Azure Postgres databases with 99.9999+% durability.
• Daily automated backups replicated across separate regions within the same country (e.g., US East → US West).
• End-to-end encryption protects all backup data.
• Backup processes are monitored and validated quarterly to ensure successful recovery.
  
  

Source Code:

• Stored in GitHub repositories with daily backups to Recraft’s Azure account.
• In case of a GitHub failure, backups in Azure allow full restoration.

‍

Systems Security
‍

Are vulnerability assessments regularly performed against the systems?

Yes, Recraft conducts regular vulnerability assessments to identify and mitigate potential security risks. These assessments include automated scanning, penetration testing, and continuous monitoring to ensure system integrity.
‍

Are file permissions set on a need-to-access basis only?
‍

Yes, Recraft enforces role-based access controls (RBAC) and least privilege principles, ensuring that file permissions are granted only to authorized personnel based on job function and necessity.

‍

‍

Privacy/Confidentiality of Data
‍

How does your company protect the privacy of any member and/or account information that may be collected and maintained through this service?

Recraft ensures data privacy and security through multiple layers of protection:

• Encryption: All data is encrypted in transit and at rest using industry-standard encryption protocols.
• Access Control: A Role-Based Access Control (RBAC) model is enforced to restrict access based on user roles and business needs.
• Monitoring & Compliance: Continuous security monitoring, vulnerability assessments, and adherence to industry security frameworks (e.g., SOC 2) further enhance data protection.
  
  

What happens to customer data if service with your company is terminated?

Upon account deletion, all personal information is permanently erased from Recraft’s systems in compliance with data protection policies.

‍

User Account and Password Policy
‍

Recraft employs a passwordless authentication system to enhance security and user convenience.
‍

Allowed Authentication Methods:

‍‍

• Email-based one-time codes (OTP) for secure login
• Social logins via Google, Discord, and Apple for seamless access
• Passwords are not used, eliminating risks associated with password theft, brute-force attacks, and credential leaks

‍

This approach ensures a secure and frictionless login experience, reducing vulnerabilities while maintaining strict access controls.

‍