Skip to main content
WAIMAKERS
About UsCareersContact
|
Schedule Free Call
Back to overview

Adobe Firefly (Creative Cloud)

Adobe

CompliantEU: LimitedNo TrainingUndefinedMulti-region

Business Plan Price

~€81/month (CC Pro)

Enterprise Features

IP indemnification, DPA, custom models, Firefly Foundry, partner AI models

Last Updated

March 23, 2026

Adobe Firefly (Creative Cloud) - GDPR & Data Privacy Overview for European Clients

Version: March 2026 - prepared by WAIMAKERS B.V.

1 Purpose

This overview explains how Adobe Firefly generative AI features (available standalone and within Creative Cloud) handle data in relation to GDPR, with a focus on European customers. Adobe Firefly is a commercially safe generative AI platform for creative content creation, offering features like Text to Image, Generative Fill, Generative Expand, and more.

Adobe Inc. (US-based) / Adobe Systems Software Ireland Limited (EU entity) develops and operates Adobe Firefly and Creative Cloud services.

2 Comparison of Adobe Firefly Tiers (EU focus)

Tier Training on User Data IP Indemnification EU Storage DPA Available Compliance Price (approx EUR)
Free Plan ✅ No training ❌ Not included ⚠️ Ireland available ❌ No Basic €0/month (limited credits)
Firefly Premium ✅ No training ❌ Not included ⚠️ Ireland available ❌ No Basic ~€5/month
Creative Cloud Pro ✅ No training ⚠️ Varies by use ⚠️ Ireland available ❌ No (individual) SOC 2, ISO 27001 ~€81/month (restructured 2025; 4,000 generative credits/month)
CC for Teams ✅ No training ✅ Yes (eligible features) ⚠️ Ireland available ✅ Yes SOC 2, ISO 27001 ~€35-85/user/month
CC for Enterprise ✅ No training ✅ Yes (eligible features) ✅ Ireland + custom options ✅ Yes SOC 2, ISO 27001, HIPAA-ready Custom pricing

Notes for Europe

  • No AI training on user content: Adobe's policy is clear across all tiers - user inputs, outputs, and content are never used to train Firefly or other AI models.[1][2]
  • EU data storage: Creative Cloud storage uses AWS data centers in Dublin, Ireland for EU customers, but generative AI processing location is not explicitly documented as EU-only.[3][4]
  • IP indemnification: Teams and Enterprise customers are eligible for IP indemnification on outputs from eligible Firefly features (Text to Image, Generative Fill, Generative Expand, etc.) when used within approved surfaces.[5][6]
  • Generative Credits: Adobe uses a consumption-based "Generative Credits" system to meter AI feature usage across all paid plans.[7][8]
  • Plan restructure (2025): Creative Cloud plans were restructured to CC Pro (~€81/month, 4,000 generative credits/month) and CC Standard (a new lower tier). The previous $60/$70 pricing structure has been updated.[9][10]
  • Partner AI models: Adobe added OpenAI GPT Image, Google Imagen, Google Veo 3, and Flux as partner models available within Creative Cloud. Data handling for these partner models may differ from Firefly; verify with Adobe.
  • Firefly Foundry: Launched for Enterprise - allows organisations to train and deploy custom Firefly models on their own brand assets.
  • Content Credentials & training opt-out: Adobe extended Content Credentials training opt-out across all models, including partner models (OpenAI, Google, Flux).
  • No-training reaffirmed: Adobe reaffirmed in June 2025 terms that user content is never used to train Firefly or partner models.
  • EU AI Act Art. 50 labelling: From August 2026, Adobe must label AI-generated outputs per EU AI Act Article 50. Content Credentials already facilitate this obligation.

3 Is Adobe Firefly GDPR-Compliant?

Short answer: Yes, Adobe Firefly is GDPR-compliant for EU business use, particularly on Teams and Enterprise plans. Individual/Free plans lack enterprise-grade contractual protections (DPA) but maintain the same no-training and security practices.

What applies to all plans:

  • No AI/ML training on user data - Adobe explicitly commits that user inputs, outputs, and content submitted to Firefly are never used to train Adobe's generative AI models or any third-party models.[1][11]
  • Content Credentials - Users can embed Content Credentials in outputs to signal "Do Not Train" preferences to other AI systems (supported by Adobe Firefly and Spawning).[12]
  • Responsible training data - Firefly models are trained exclusively on Adobe Stock images, openly licensed content, and public domain content - not user-generated content.[6][13]
  • Encryption and security - Data in transit and at rest is encrypted; Adobe maintains SOC 2 Type II and ISO 27001 certifications.[14][15]

What's plan-dependent:

  • Free / Premium plans: No DPA, no IP indemnification, limited contractual GDPR protections (suitable for personal use, not recommended for processing EU personal data at scale).
  • Creative Cloud Pro (individual): Includes Firefly features and credits, SOC 2/ISO 27001 compliance, but no formal DPA (borderline for small business use).
  • Teams / Enterprise plans: Full DPA available, IP indemnification, admin controls, enhanced security features, and potential for custom data residency arrangements.[16][17]

Infrastructure limitations (all plans):

  • EU storage confirmed - Creative Cloud storage (files, assets) uses AWS Dublin, Ireland data center for EU customers.[3]
  • Generative processing location unclear - Adobe does not publicly specify where Firefly's generative AI inference occurs (could be multi-region AWS/Azure). Document Cloud confirms EU/NA/APAC regions, but Creative Cloud Firefly-specific processing is undocumented.[4]
  • No explicit EU-only processing guarantee - Unlike competitors (Notion AI, OpenAI) who offer explicit EU data residency for Enterprise, Adobe has not published equivalent documentation for Firefly specifically.

What that means in practice:

  • For personal creative work: Free/Premium plans are fine; no GDPR concerns for non-commercial use.
  • For small business without personal data: Creative Cloud Pro acceptable if not processing EU personal data.
  • For business processing EU personal data or requiring contractual safeguards: Use Teams or Enterprise plans with signed DPA and verify data processing locations with Adobe sales.
  • For highly sensitive data (healthcare, finance): Conduct DPIA; consider Enterprise plan with custom arrangements; confirm HIPAA-ready configurations if needed.[15]

Buyer's note: Adobe Firefly offers strong GDPR protections (no training, DPA for business plans, certifications) but lacks transparency around generative AI processing geography. For EU-regulated workloads, Enterprise customers should request explicit confirmation of processing locations from Adobe.

4 Details by Offering

Free Plan (Firefly Standalone)

  • Generative Credits: Limited monthly credits (typically 25 generative credits/month).[18]
  • Data collection: Account data (email, Adobe ID), generation history (prompts, outputs).
  • Training: No training on user inputs or outputs.[1]
  • Retention: Generation history stored indefinitely until user manually deletes; no documented auto-purge.[19][20]
  • Pricing: Free
  • When to use: Personal experimentation, non-commercial creative projects, learning.
  • When not to use: Commercial projects requiring IP indemnification; business workflows processing EU personal data; any use case requiring DPA.

Firefly Premium / Pro (Standalone)

  • Generative Credits: Increased monthly allowance (Premium: ~100 credits/month; Pro: ~500 credits/month).[21][22]
  • Features: Priority processing, higher resolution outputs, additional features.
  • Training: No training on user data (same policy as Free).[1]
  • Retention: Same as Free plan.
  • Pricing: Premium $4.99/month (€5); Pro $9.99/month (€10)[22]
  • When to use: Freelancers and solo creators needing more capacity; still personal/non-commercial focus.
  • When not to use: Business use requiring legal protections or IP indemnification.

Creative Cloud Pro (Individual)

  • Includes: Full Creative Cloud apps (Photoshop, Illustrator, Premiere Pro, etc.) with integrated Firefly features (Generative Fill in Photoshop, etc.) plus standalone Firefly access, and access to partner models (OpenAI GPT Image, Google Imagen, Flux).[23]
  • Generative Credits: 4,000 generative credits/month included on CC Pro (plan restructured 2025); overage fees apply.[10]
  • Important limitation: Individual license; no admin controls, no DPA, no IP indemnification by default.
  • Compliance: Adobe maintains SOC 2 Type II and ISO 27001 for infrastructure, but contractual protections limited.[14]
  • Pricing: ~€81/month (CC Pro, restructured 2025; verify current pricing with Adobe)[9]
  • When to use: Professional creatives not processing EU personal data; small businesses with low compliance requirements.
  • When not to use: Any business workflow requiring DPA, IP indemnification, or processing EU personal data at scale.

Creative Cloud for Teams

  • Includes: Same apps as Pro, plus admin console, centralised billing, license management, deployment tools.[23]
  • IP Indemnification: Available for eligible Firefly features when used in approved contexts.[5][24]
  • DPA: Data Processing Agreement available upon request.[16]
  • Admin controls: Manage users, track usage, enforce policies.
  • Pricing: Varies by app bundle; typically €35-85/user/month depending on configuration[23]
  • When to use: Small to mid-size teams requiring business-grade legal protections; agencies; marketing departments.
  • When not to use: When explicit EU-only processing is mandatory (verify with Adobe).

Creative Cloud for Enterprise

  • Includes: Everything in Teams, plus:
    • Custom data residency options (coordinate with Adobe)
    • Enhanced security features
    • Advanced admin controls
    • Dedicated support
    • HIPAA-ready configurations available
    • Custom Model training via Firefly Foundry (train and deploy custom models on your brand assets)[25]
    • Access to partner AI models (OpenAI GPT Image, Google Imagen, Google Veo 3, Flux)
    • Content Credentials training opt-out across all models
  • IP Indemnification: Full coverage for eligible Firefly features.[24]
  • DPA & Standard Contractual Clauses: Available; Adobe certified to EU-U.S. Privacy Shield (now supplemented with SCCs post-Schrems II).[17]
  • Compliance: SOC 2 Type II, ISO 27001, HIPAA-ready, GDPR-compliant with DPA.[15][14]
  • EU AI Act: From August 2026, AI-generated content will require labelling per EU AI Act Article 50. Adobe's Content Credentials are positioned to fulfill this requirement.
  • Pricing: Custom pricing; contact Adobe sales
  • When to use: Enterprises processing EU personal data; regulated industries (healthcare, finance); organisations requiring contractual guarantees and custom configurations.
  • When not to use: Small teams without budget for enterprise licensing.

5 Data Processing Flow

[User creates prompt in Firefly (Text to Image, Generative Fill, etc.)]
  ↓
[Prompt + input images sent to Adobe infrastructure]
  ├─ Storage: Creative Cloud Storage (AWS Dublin for EU users)
  ├─ Processing: Firefly generative models (location unspecified)
  │   ├─ Teams/Enterprise: DPA applies, no training on data
  │   └─ Free/Premium/Pro: No training on data, no DPA
  └─ Output generated and returned to user
       ↓
[Generation history stored in user account]
  ├─ User can view, download, or manually delete
  ├─ No documented automatic purge policy
  └─ Content Credentials optionally embedded ("Do Not Train" flag)

*Note: Adobe does NOT use prompts, inputs, or outputs to train Firefly.*
*Storage in EU (Ireland) confirmed; generative processing location not publicly documented.*

6 Recommendations (GDPR-first)

  • For personal creative work, any tier works - Free/Premium/Pro plans are suitable; no GDPR concerns.
  • For freelancers and small businesses not processing personal data, Creative Cloud Pro offers best value with full app suite and Firefly integration.
  • For agencies, marketing teams, and SMEs processing EU personal data, prefer Creative Cloud for Teams with signed DPA and IP indemnification.
  • For enterprises and regulated industries, use Creative Cloud for Enterprise and conduct a DPIA before processing sensitive personal data; request explicit confirmation of generative AI processing locations from Adobe.
  • Do not use Free or Premium standalone plans for commercial work requiring IP protection or legal safeguards.
  • Consider alternatives (Midjourney, Stable Diffusion, or open-source models with self-hosting) if explicit EU-only processing is a hard requirement - Adobe has not documented EU-only generative processing for Firefly.

7 EU Rollout Checklist (Practical)

  1. Choose the right tier - Teams or Enterprise if processing EU personal data; Pro acceptable for solo creative work without personal data.
  2. Request and sign DPA - For Teams/Enterprise customers, obtain Data Processing Agreement from Adobe (available via account team or support).[16]
  3. Verify data processing locations - Contact Adobe sales to confirm where Firefly generative processing occurs for your account (AWS/Azure regions); request EU-specific processing if required.
  4. Configure admin controls - For Teams/Enterprise, set up admin console, manage user access, enforce security policies.
  5. Conduct DPIA if needed - For high-risk processing (sensitive personal data, large scale), complete Data Protection Impact Assessment per GDPR Article 35.
  6. Train users on acceptable use - Educate team on Adobe Generative AI User Guidelines; remind users not to input sensitive personal data unnecessarily.[1]
  7. Enable Content Credentials - Use Content Credentials to embed "Do Not Train" preferences in outputs if redistributing creative work.[12]
  8. Monitor generative credit usage - Track consumption via admin console (Teams/Enterprise) to manage costs and ensure compliance with usage policies.[18]
  9. Review IP indemnification scope - Understand which Firefly features and export contexts are covered by Adobe's IP indemnification (see Product Description).[5]
  10. Document vendor relationship - Maintain records of DPA, processing locations, and compliance certifications (SOC 2, ISO 27001) for audit purposes.

8 Procurement Quick Answers (EU)

Does Adobe train AI models on our creative work?

No. Adobe has a clear "No AI/ML Training" policy - user inputs, prompts, and outputs are never used to train Firefly or any other Adobe AI models.[1][2] Firefly is trained exclusively on Adobe Stock, licensed content, and public domain material.

What is Adobe's EU data residency offering?

Adobe Creative Cloud storage uses AWS data centers in Dublin, Ireland for EU customers.[3] However, Adobe has not publicly documented where Firefly's generative AI inference processing occurs. Document Cloud offers explicit EU/NA/APAC region options,[4] but Creative Cloud Firefly-specific processing location is unspecified. Enterprise customers should request clarification from Adobe sales.

Do we need a Data Processing Agreement (DPA)?

Yes, if you are processing EU personal data using Firefly (e.g., generating images of identifiable people, processing customer data). DPAs are available for Teams and Enterprise customers.[16][17] Free, Premium, and individual Pro plans do not include DPAs.

What compliance certifications does Adobe hold?

Adobe maintains SOC 2 Type II and ISO 27001 certifications.[14] HIPAA-ready configurations are available for Enterprise customers.[15] Adobe is committed to GDPR compliance and offers Standard Contractual Clauses for data transfers.[17]

What is IP indemnification and do we get it?

IP indemnification means Adobe will defend you if a third party claims your Firefly-generated content infringes their intellectual property. This is available for Teams and Enterprise customers using eligible Firefly features (Text to Image, Generative Fill, Generative Expand, etc.) within approved surfaces.[5][24] Free, Premium, and individual Pro plans are not covered.

How long does Adobe retain our generation history?

Generation history (prompts and outputs) is stored in your Adobe account indefinitely until you manually delete it.[19][20] Adobe has not published an automatic purge policy. Users can bulk-delete generation history via the Firefly web interface.

What happens if we exceed our generative credits?

You can purchase additional credits or upgrade your plan. Overage pricing varies by plan.[7][8] Enterprise customers can negotiate custom credit allocations.

Can we use Firefly outputs commercially?

Yes, with the right license. Teams and Enterprise customers with IP indemnification can use outputs commercially with confidence.[24] Free and Premium users should review Adobe's General Terms of Use for commercial use restrictions.

9 Notes & Caveats

  • Generative processing location unknown: Adobe has not published documentation specifying where Firefly's generative AI inference occurs (AWS/Azure region). This may be a blocker for organisations with strict EU-only processing requirements. Enterprise customers should request written confirmation.
  • No zero-retention option: Unlike some competitors (OpenAI, Anthropic offer zero-retention for Enterprise), Adobe stores generation history indefinitely until manual deletion. There is no "ephemeral mode" or auto-purge.
  • Generative Credits complexity: Adobe's consumption model can be confusing - different features consume different credit amounts, and Enterprise negotiations may include custom credit pools. Budget accordingly.
  • Beta features excluded from IP indemnification: Only generally available (GA) Firefly features qualify for IP indemnification. Beta features (e.g., new models) are explicitly excluded until GA.[5]
  • Third-party model integration: Adobe has integrated partner models (OpenAI GPT Image, Google Imagen, Google Veo 3, Flux) into Creative Cloud.[26] Data handling for partner models may differ from Firefly's own processing; verify terms with Adobe. Content Credentials training opt-out applies across all models.
  • Firefly Foundry: Enterprise customers can now train custom models on their brand assets using Firefly Foundry. Custom model data handling requires separate review.
  • EU AI Act Art. 50 compliance: From August 2026, AI-generated content must be labeled under EU AI Act Article 50. Adobe's Content Credentials system is positioned to satisfy this requirement.
  • Plan restructure: CC Pro (~€81/month, 4,000 credits) and CC Standard (new lower tier) are the primary individual plans. Verify current pricing with Adobe before purchasing.

10 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Adobe Firefly in production environments - especially when images of identifiable individuals, proprietary designs, or confidential information are processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.

References

  • https://adobe.com/legal/licenses-terms/adobe-gen-ai-user-guidelines.html - Adobe Generative AI User Guidelines (No AI/ML Training Policy)
  • https://wwwimages2.adobe.com/content/dam/cc/en/legal/servicetou/adobe-generative-ai-product-specific-terms-en-us-20250617.pdf - Adobe Generative AI Product Specific Terms
  • https://helpx.adobe.com/africa/legal/product-descriptions/adobe-firefly.html - Adobe Firefly IP Indemnification Product Description
  • https://business.adobe.com/in/products/firefly-business/firefly-ai-approach.html - Adobe Firefly Business Approach
  • https://www.adobe.com/acrobat/business/trust-center/general-data-protection-regulation.html - Adobe Document Cloud and GDPR
  • https://helpx.adobe.com/sign/admin/assets/gdpr-overview.html - Adobe GDPR Compliance Requirements

Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Adobe Firefly in production environments - especially when personal data or proprietary creative content are processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.

Need help navigating AI?

Schedule Free Call
WAIMAKERS

Learn. Lead. Make.

AI Transformation Boutique · Amsterdam

Make work exciting, make businesses unstoppable.

Who We Help

View all roles & industriesCEOs & Board MembersPE & Investment ManagersCFOs & Finance LeadersInnovation DirectorsCTOs & IT LeadersCommercial Directors

What We Do

View all servicesOur ApproachLearnTailored Training ProgrammesAI Champions ProgrammeAgentic Way of WorkingE-learningLeadMake

Company

About UsResourcesContactCareersPodcast ↗

© 2026 WAIMAKERS. All rights reserved.

Privacy PolicyCookie Policy