Security and Compliance Overview
Consolidated reference for HeadshotPro's hosting locations, data residency, encryption, compliance frameworks, and security questionnaire answers.
This page consolidates HeadshotPro's most-asked security and compliance answers — hosting locations, data residency, encryption, retention, compliance frameworks, and breach response — in one place. It is intended to be linked directly when responding to vendor security reviews, procurement questionnaires, or due-diligence requests. For deeper detail on any topic, follow the links in the Related section.
At a glance
| Item | Detail |
|---|---|
| Operating entity | Headshot Pro Photography Pte. Ltd. (Singapore) |
| Role under GDPR | Data Processor |
| Primary data location | Western Europe (EEA) |
| Application servers | Oregon, US West |
| Encryption in transit | TLS / 256-bit |
| Encryption at rest | AES-256 |
| Input photo retention | 30 days after gallery generation |
| Account deletion SLA | 14 days |
| Breach notification SLA | 48 hours for Personal Data Breaches (per DPA); 72 hours for other Security Incidents (per MSA) |
| Compliance frameworks | GDPR, UK GDPR, CCPA, Singapore PDPA, SOC 2 Type II program |
Operating entity
HeadshotPro is operated by Headshot Pro Photography Pte. Ltd., incorporated in Singapore. The platform runs entirely on cloud infrastructure — there are no physical servers or on-premise hardware.
Under the GDPR, HeadshotPro acts as a data processor. The organization purchasing the service is the data controller. HeadshotPro processes personal data only on documented instructions from the customer and never for its own purposes (no marketing, advertising, or profiling without explicit written consent).
Infrastructure and data hosting
| Layer | Provider | Region |
|---|---|---|
| Primary object storage (customer photos, generated headshots) | Cloudflare R2 | Western Europe (WEUR) |
| Failover object storage | Google Cloud Storage | us-east-1 (United States) |
| Application servers | Render (AWS-backed) | Oregon, US West |
| Frontend hosting | Vercel | Global edge |
| Payment processing | Stripe | (no full card data stored) |
| Application monitoring | Sentry | — |
Primary customer content — uploaded photos and generated headshots — is stored in the European Economic Area via Cloudflare R2. Application servers run in Oregon (US West) on Render, with Google Cloud Storage in us-east-1 as a secondary failover storage tier.
Data residency and customer regions
HeadshotPro serves customers globally, with material volumes originating from the EEA, the United Kingdom, Switzerland, the United States, Singapore, and the broader APAC region.
Because primary storage now sits in the EEA, customer data from European data subjects is not routinely transferred outside the EEA. Application-layer processing on US-hosted servers and any failover writes to GCS constitute the residual cross-border processing, covered by the transfer mechanisms below.
Cross-border data transfers
For transfers of personal data from the EEA, the UK, or Switzerland to countries without an adequacy decision, HeadshotPro relies on:
- EU Commission Standard Contractual Clauses (Module Two: Controller to Processor, Decision 2021/914) for EEA → US transfers
- ICO International Data Transfer Addendum (B1.0) for UK → US transfers
Supervisory authorities: Data Protection Commission of Ireland (EU matters); UK Information Commissioner's Office (UK matters).
EU Article 27 representative: Prighter (iuro Rechtsanwälte GmbH, Schellinggasse 3, 1010 Vienna, Austria; support@prighter.com).
Encryption
- In transit: All requests between user devices and HeadshotPro servers travel over HTTPS (TLS with 256-bit encryption); no unencrypted channels exist.
- At rest: Sensitive data stored on HeadshotPro infrastructure is encrypted with AES-256, covering user account data, uploaded photos, and generated headshots.
Photo retention and deletion
- Input photos (the originals you upload) are automatically deleted 30 days after gallery generation. Earlier deletion can be requested at any time via support.
- Generated headshots remain available for the duration of the active account and are exportable within 30 days of account termination.
- Account deletion triggers full PII erasure within 14 days of confirmation.
AI training
Customer photos and generated headshots are processed solely to deliver the service. HeadshotPro does not use customer content to train or retrain its own or any third-party generative models without explicit opt-in consent.
Note: Photographs are processed as image data, not biometric data under GDPR Article 9(1). Photos are not processed for the purpose of uniquely identifying a natural person.
Access controls
- Multi-factor authentication required for all team members accessing production systems
- Role-based access controls with least-privilege enforcement
- All production console access is logged
- Production systems accessed via GitHub, Cloudflare, Render, Google Cloud Storage, and Vercel — each gated by 2FA and strong passwords
Application security
- Continuous automated security scanning on a 24-hour cycle (dependency vulnerabilities, file integrity, suspicious request patterns)
- Active blocking at the application layer for common attack patterns (SQL injection, XSS, path traversal)
- Rate limiting enforced per IP and per authenticated email to prevent brute-force and enumeration
- Input sanitization on all customer-provided data
Backups and disaster recovery
- Hourly automated backups with point-in-time recovery
- Recovery Time Objective (RTO): 2 hours
- Recovery Point Objective (RPO): 1 hour
- Restoration tests: at least quarterly
- Backup retention: 1 year, then securely deleted
Incident response and breach notification
HeadshotPro operates a two-tier notification framework:
- Personal Data Breach (DPA §8.1): customer notified without undue delay and within 48 hours of becoming aware, so the customer can fulfil its own Article 33 GDPR obligations. Notice includes nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation steps.
- Security Incident affecting Customer Personal Data (MSA): customer notified without undue delay and within 72 hours of confirmation, including description, categories of affected data, and remediation.
A Personal Data Breach is a specific subset of Security Incidents — the stricter 48-hour SLA applies whenever the incident qualifies as a Personal Data Breach under the GDPR.
Government and law enforcement access requests are reviewed; the customer is notified in advance where legally permitted; HeadshotPro challenges unlawful or disproportionate requests and discloses only the minimum necessary.
Compliance frameworks
- GDPR (EU 2016/679)
- UK GDPR
- CCPA (California Consumer Privacy Act)
- Singapore PDPA (Personal Data Protection Act)
- SOC 2 Type II program operated for relevant processes (documented in the DPA)
Subprocessors
All subprocessors that access customer data are contractually bound to data protection obligations no less protective than HeadshotPro's own. The full current list is published at headshotpro.com/legal/sub-processors.
Data Processing Agreement (DPA)
Enterprise customers can enter into a separately executed DPA covering processing roles, subprocessor authorizations, SCC modules, audit rights, and breach notification obligations. Request via legal@headshotpro.com.
Penetration testing
- Third-party penetration testing is conducted regularly.
- Customers performing their own security assessments must request explicit written authorization in advance.
Data subject rights
HeadshotPro supports and helps customers respond to data subject rights requests, including: access, rectification, erasure, restriction, portability, and objection to processing for direct marketing. Requests: support@headshotpro.com.
Good to know
- Data retention periods: financial records 7 years; customer data for the duration of the relationship plus 30 days; security logs 1–5 years; backups 1 year.
- The privacy policy was last reviewed March 12, 2025. Material policy changes require at least two weeks' advance notice.
- Customer data is never shared with advertising networks or sold to third parties for advertising purposes.
- HeadshotPro does not store full payment card data — all card transactions are processed through Stripe.
Related
- Data Security — deeper detail on encryption, infrastructure, monitoring, and photo handling
- Compliance and Privacy — full GDPR processing roles, retention policies, and data subject rights