Security Policy

Last Updated: December 3, 2025

1. Overview

InstantHeadshotAI is committed to safeguarding the confidentiality, integrity, and availability of the data entrusted to us. This Security Policy describes the technical and organizational measures we use to protect customer uploads, generated headshots, and related personal information throughout the InstantHeadshotAI platform.

2. Infrastructure & Network Security

  • Production workloads run on managed cloud infrastructure with access controls, network segmentation, and automated patching.
  • All data in transit is protected using TLS 1.2+ encryption. Service-to-service communication is limited to the minimum required ports via security groups and firewalls.
  • Storage systems that hold generated files encrypt data at rest using industry-standard encryption (AES-256 or equivalent).

3. Data Handling & Privacy Alignment

We only process user-uploaded photos to generate headshots and deliver the purchased files. Original uploads are removed once generation is complete, and the resulting headshots remain available for up to 30 days unless you delete them earlier from the upload dashboard. We do not use user images or outputs to train our AI models.

4. Access Management

  • Employee and contractor access follows the principle of least privilege. Only team members who require access for operational support receive role-based permissions.
  • Administrative accounts are protected with multi-factor authentication and activity logging.
  • Access reviews are conducted regularly to ensure permissions remain appropriate.

5. Third-Party Providers

We work with vetted third-party providers, including cloud hosting, Stripe for payment processing, and AI inference services such as Google Gemini. Each provider is contractually bound to handle data under confidentiality and security obligations and may only process it to deliver the requested service. Providers are prohibited from using InstantHeadshotAI customer imagery to train their own models.

6. Monitoring & Incident Response

  • We use logging and alerting to monitor the availability and health of key services.
  • Should a security incident occur, we investigate promptly, mitigate impact, and notify affected customers and regulators in line with applicable laws.
  • Post-incident reviews help us strengthen controls and prevent recurrence.

7. Customer Responsibilities

Customers should safeguard their devices, ensure uploaded photos comply with our Terms of Service, and refrain from sharing sensitive or unlawful content. You can delete generated headshots at any time by selecting the thumbnail in the upload interface. Contact us immediately if you suspect unauthorized access to your session links or downloads.

8. Questions & Contact

For security inquiries or to report a vulnerability, email support@instantheadshot.ai. We acknowledge reports within 5 business days and strive to provide status updates as we investigate.