Security

Security at every layer

How we protect your images, your keys, and your customers. SOC 2 Type II audited annually. GDPR compliant. Encryption everywhere. Configurable retention up to and including zero.

Badges: SOC 2 Type II, GDPR, HIPAA (Enterprise), AES-256

Encryption

In transit

  • TLS 1.2 minimum, TLS 1.3 preferred
  • HSTS enabled with 12-month max-age
  • Modern cipher suites only (no RC4, 3DES, MD5)
  • Certificate pinning available on Enterprise

At rest

  • AES-256-GCM for stored content
  • Keys managed in AWS KMS or equivalent
  • Automatic key rotation every 90 days
  • Envelope encryption for high-value assets

Data handling and retention

We treat every image as sensitive. The default posture is to retain the minimum required and to delete on a schedule that you can shorten further.

Item                 Free / Pro                    Enterprise
Image bytes          Discarded after detection     Configurable, zero-retention available
Detection results    30 days                       Configurable, 0 to 7 years
API request logs     30 days                       Configurable + SIEM export
Account audit logs   90 days                       7 years (compliance-grade)
Heatmap PNGs         7 days                        Configurable

Enterprise customers can also choose EU regional data residency (Frankfurt) or US-only processing.

Access controls

Role-based access

Owner, Admin, Developer, and Viewer roles in the dashboard. Granular API-key scoping on Pro and above.

SSO and SAML

Google Workspace, Okta, Azure AD, and generic SAML 2.0 on Enterprise. SCIM provisioning available.

IP allowlisting

Restrict API keys to specific IP CIDR ranges. Available on Pro and Enterprise.

MFA enforcement

TOTP required for all admin actions. Enforceable org-wide on Enterprise.

Audit logs

Every dashboard action and API request is logged with actor, IP, and request_id. Exportable as CSV or pushed to your SIEM.

Key rotation API

Programmatic key rotation with an overlap window so deploys never break. Hourly rotation supported.
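To show how an overlap-window rotation and the CIDR allowlisting described above behave together, here is an added Python model; it is not the vendor's API (which this page does not specify), and the class names, the one-hour overlap and the sample addresses are assumptions.

```python
# Added illustration: API-key rotation with an overlap window plus IP/CIDR
# allowlisting. Hypothetical model, not the vendor's API; the one-hour
# overlap, the class names and the sample addresses are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import ipaddress
import secrets


@dataclass
class ApiKey:
    secret: str
    issued_at: datetime
    valid_until: Optional[datetime] = None  # None while this key is current


@dataclass
class KeyRing:
    allowed_cidrs: List[str]                 # e.g. ["203.0.113.0/24"] (constructed)
    overlap: timedelta = timedelta(hours=1)  # old key stays valid this long after rotation
    keys: List[ApiKey] = field(default_factory=list)

    def issue(self, now: datetime) -> ApiKey:
        key = ApiKey(secrets.token_urlsafe(32), now)
        self.keys.append(key)
        return key

    def rotate(self, now: datetime) -> ApiKey:
        # Start the overlap window on every still-current key, then issue a new one.
        for key in self.keys:
            if key.valid_until is None:
                key.valid_until = now + self.overlap
        return self.issue(now)

    def authorize(self, presented: str, client_ip: str, now: datetime) -> str:
        # Returns "ok", "bad_key", "expired_key" or "ip_denied".
        match = None
        for key in self.keys:
            if secrets.compare_digest(key.secret, presented):  # constant-time compare
                match = key
        if match is None:
            return "bad_key"
        if match.valid_until is not None and now >= match.valid_until:
            return "expired_key"  # overlap window has closed for this key
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(c) for c in self.allowed_cidrs):
            return "ip_denied"
        return "ok"
```

During the window both the old and the new key pass `authorize`; once it closes, only the new one does, which is what lets a rolling deploy swap keys without a hard cutover.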

Infrastructure

We run on AWS in multiple regions with isolated VPCs, dedicated GPU clusters on Enterprise, and full network segmentation between customer environments.

  • Primary regions: US East (Virginia), US West (Oregon), EU (Frankfurt), Asia-Pacific (Singapore).
  • Network isolation: private VPCs per environment, no public internet access from inference nodes.
  • Secrets management: AWS Secrets Manager + Vault, no secrets in code or env files.
  • Patch cadence: OS and dependency patches deployed within 24 hours of CVSS 7+ disclosures.
  • Backup and DR: daily encrypted snapshots, cross-region replication, tested quarterly.

Compliance and certifications

SOC 2 Type II

Audited annually by an AICPA-licensed firm. Report available under NDA.

GDPR

EU regional endpoints, DPA template, DSAR workflow, sub-processor list.

CCPA / CPRA

California consumer rights honored. Opt-out and deletion workflows in dashboard.

HIPAA

Business Associate Agreement available on Enterprise for healthcare workloads.

ISO 27001

Roadmap target Q4 2026. Controls already mapped.

PCI DSS

Not applicable — we never see card data. Stripe handles billing.

Sub-processors

We disclose every third-party service that processes customer data. Notice of changes is given 30 days in advance; Enterprise customers may object.

Vendor       Purpose                                    Region
AWS          Infrastructure, compute, storage           US, EU, APAC
Cloudflare   CDN, DDoS protection, DNS                  Global
Stripe       Subscription billing, payment processing   US
Datadog      Observability, metrics, alerting           US
Sentry       Error tracking                             US
PostHog      Product analytics (self-hosted)            US, EU

Incident response

Our on-call rotation is 24/7. P0 incidents trigger Slack + PagerDuty + SMS alerts within 60 seconds and a public status page update within 15 minutes.

  1. Detect. Automated alerting plus customer reports flow into our incident desk.
  2. Triage. Severity assignment (P0 to P3) within 15 minutes by the on-call engineer.
  3. Contain. Affected workloads isolated; rollbacks issued if a recent deploy is implicated.
  4. Communicate. Status page updated; affected customers notified by email; Enterprise via dedicated Slack.
  5. Resolve. Fix shipped; post-resolution monitoring for 24 hours minimum.
  6. Postmortem. Blameless writeup within 5 business days; shared with Enterprise customers.

Vulnerability disclosure

We welcome reports from security researchers. Email security@aiimagedetectorapi.com with details. We commit to:

  • Acknowledge receipt within 24 hours
  • Triage and confirm within 5 business days
  • Ship a fix within 30 days for high severity, 90 days for medium
  • Public credit on our hall of fame (with researcher consent)
  • Safe harbor for good-faith research that follows our policy

PGP key fingerprint available at /.well-known/security.txt.

Continuous testing

  • Annual third-party penetration test by an independent firm. Executive summary available under NDA.
  • Continuous static analysis (Semgrep, CodeQL) on every PR.
  • Dependency scanning (Snyk, Dependabot) with auto-PR remediation.
  • Runtime monitoring for anomalous API patterns and credential abuse.
  • Quarterly tabletop exercises for incident response.

Need security artifacts?

SOC 2 reports, pen test summaries, sub-processor lists, BAA, and DPA templates are available on request.