Your photos are personal. Your face is unique. AI Headshots treats both accordingly. This page covers how we protect what you trust us with.
Data security
- Encryption at rest. Uploaded photos and trained AI models are encrypted on disk with AES-256.
- Encryption in transit. Every connection to aiheadshots.ai and app.aiheadshots.ai uses TLS 1.3 minimum. Strict HSTS enforced.
- Isolated AI models. Your trained model is stored on isolated infrastructure tied to your account. No cross-tenant access.
- Regular vulnerability scanning. Automated dependency and infrastructure scans plus quarterly manual review.
Payment security
Card data is processed by Stripe, which is PCI DSS Level 1 certified. We never store full card numbers, CVVs, or magnetic-stripe data on our servers. Stripe's tokenization handles the entire billing surface.
Account security
- Hashed credentials. Passwords stored as bcrypt hashes — never reversible, never logged.
- Rate-limited login. Repeated failed attempts trigger lockout to defeat credential stuffing.
- Session security. Auth cookies are httpOnly + SameSite=Lax + Secure.
- Enterprise SSO available. Okta and Google Workspace SSO available on annual contracts of 100+ seats.
Your photo data
- Used only for your model. Your uploaded selfies train YOUR private AI model. They are never used to train our base model or any third-party model.
- Never sold or shared. We don't sell your data, we don't share it with partners, we don't expose it to third-party AI labs.
- You can delete at any time. Both your raw photos and your trained AI model can be deleted from your account settings. Removed from active systems within seven days, from backups within thirty.
- Enterprise data retention controls. Default 30-day retention; custom windows available on enterprise contracts.
Operational security
- Principle of least privilege. Internal access to customer data is restricted to a minimum set of named operators, audited monthly.
- Secure software lifecycle. Code review on every change, dependency scanning, secret scanning, branch protection.
- Backup + disaster recovery. Daily encrypted backups, region-redundant. Tested quarterly.
- Hosting infrastructure. Vercel + Neon Postgres + Stripe — all SOC 2 / ISO 27001 attested vendors.
Compliance roadmap
- SOC 2 Type II: in progress (target Q4 2026)
- GDPR: compliant — see Privacy Policy
- CCPA: compliant
- HIPAA: not currently a covered entity; do not upload PHI
Report a vulnerability
Found a security issue? Email contact@thestudiopod.com with the subject line “Security Report.” We acknowledge within 24 hours and triage within 72.
We don't currently run a paid bug bounty but we publicly thank researchers who responsibly disclose, with their permission.