Data Security

HeadshotPro is built for organizations that cannot afford to compromise on data protection. Every photo uploaded, every headshot generated, and every account credential is handled under a layered security architecture — from transport-level encryption through to access-controlled cloud infrastructure. This page explains what that looks like in practice.

Headshot Pro Photography Pte. Ltd. operates entirely on cloud infrastructure. There are no physical servers or hardware to secure, which eliminates an entire class of physical access risk and enables a consistent, auditable security posture.

How it works

1. All data in transit is encrypted. Every request between your device and HeadshotPro's servers travels over HTTPS. All data transmissions are encrypted in transit — no unencrypted channels exist.

2. All data at rest is encrypted. Sensitive data stored on HeadshotPro's servers is encrypted using AES-256 encryption standards. This includes user account data, uploaded photos, and generated headshots.

3. Photos are automatically deleted after gallery generation. Input photos (the originals you upload) are automatically deleted 30 days after your gallery is generated. You can request earlier deletion at any time. Generated headshots remain available for the duration of your account.

4. Your photos are never used to train AI models. Customer content and generated headshots are not used to train or retrain HeadshotPro's or any third party's generative models without your explicit opt-in consent.

5. Infrastructure access requires multi-factor authentication. All HeadshotPro team members accessing production systems are required to use 2FA and strong passwords. Role-based access controls with least-privilege principles apply throughout.

6. Application activity is monitored continuously. All access to HeadshotPro applications and production consoles is logged. Automated security scanning runs on a 24-hour cycle, covering dependency vulnerabilities, file integrity, and suspicious request patterns.

7. Attack patterns are detected and blocked at the application layer. HeadshotPro actively monitors for and blocks common security threats. Requests matching known attack patterns are blocked immediately and logged.

8. Rate limiting is enforced per IP and per account. Requests to sensitive areas are rate-limited by both IP address and authenticated email, preventing brute-force and enumeration attacks.

9. Backups are automated and tested. Automated hourly backups run with point-in-time recovery. Backup restoration is tested at least quarterly. Recovery time objective (RTO) is 2 hours; recovery point objective (RPO) is 1 hour.

10. Payment data never touches HeadshotPro's servers directly. All payment transactions are processed through Stripe. HeadshotPro does not store full payment card data.

Good to know

• HeadshotPro's security policy is effective as of March 12, 2025 and covers all organizational and technical safeguards.
• Primary customer data is hosted in Western Europe via Cloudflare R2, with Google Cloud Storage retained as a secondary failover store. Customer data is stored in multi-tenant environments with strict logical separation enforced by application-level privacy controls.
• HeadshotPro operates a SOC 2 Type II program for relevant processes, as documented in the Data Processing Agreement.
• Security incidents affecting customer data trigger a notification to the customer within 72 hours of confirmation, including a description of the incident, categories of data affected, and remediation steps. When the incident qualifies as a Personal Data Breach under the GDPR, the stricter 48-hour SLA in the Data Processing Agreement applies.
• Third-party penetration testing is conducted regularly. Customers who want to perform their own security assessments must request explicit written authorization from HeadshotPro in advance.
• All subprocessors that access customer data are contractually bound to data protection obligations no less protective than HeadshotPro's own. The full list of subprocessors is available at headshotpro.com/legal/sub-processors.

Related

• Compliance and Privacy