PhotoRobot
Trust Center
Security
PhotoRobot Access Control Policy
PhotoRobot Security - Overview
PhotoRobot Architecture & Data Flow
PhotoRobot Security Measures Summary
PhotoRobot Business Continuity & DR Overview
PhotoRobot AI Governance Summary
PhotoRobot Information Security Policy
PhotoRobot Access Control Policy
PhotoRobot Incident Response Policy
PhotoRobot Backup Policy
PhotoRobot Disaster Recovery Policy
PhotoRobot SDLC Security Policy
PhotoRobot Change Management Policy
PhotoRobot Logging & Monitoring Standard
PhotoRobot Technical and Organizational Measures (TOMs)
Last edited: Dec 29, 2025

PhotoRobot Access Control Policy

This document defines PhotoRobot’s Access Control Policy. It describes how PhotoRobot manages authentication, authorization, and user accounts. The Access Control Policy supports compliance with PhotoRobot’s contractual obligations under the DPA and SLA. 

Authentication

  • SSO via Google Identity (OIDC)
  • No local passwords within PhotoRobot Cloud
  • Password complexity and MFA policies enforced by Google

Authorization (RBAC)

Roles include:

  • Production
  • Backstage
  • Retoucher

Access is granted based on:

  • job responsibilities 
  • principle of least privilege 
  • approval workflow

Provisioning

  • Accounts created through SSO only
  • Access granted manually by an authorized admin
  • All assignments documented

Deprovisioning

  • Access removed immediately upon termination or role change
  • Offboarding checklist enforced
  • Logs kept for auditing

Session Controls

  • Automatic session expiration
  • Idle timeout enforced
  • Re-authentication required after expiry

System Access Reviews

  • Periodic access audits
  • Review of inactive accounts
  • Verification of least-privilege compliance

API Access

  • API keys tied to service accounts
  • Keys rotated regularly
  • Permissions scoped to required resources