Security
Privacy-first, R2 with signed URLs, encrypted at rest, secure cloud processing.
Secure cloud processing
Images are processed on secure cloud infrastructure and immediately deleted after removal. We never store, train on, or share your images.
Storage
Files are stored on Cloudflare R2 with time-limited signed URLs. All data is encrypted at rest using AES-256. Objects are automatically deleted after your configured retention period.
Authentication
Sessions are managed with secure, HTTP-only cookies. OAuth flows use PKCE. No passwords are stored -- we use third-party identity providers exclusively.
Infrastructure
Hosted on Railway with automatic TLS. Database connections are encrypted in transit. SOC 2 Type II certification is in progress.
Responsible disclosure
If you discover a security vulnerability, please email [email protected]. We respond within 48 hours and do not pursue legal action against good-faith researchers.