PhotoRobot Security Measures Summary

This document serves as the PhotoRobot Security Measures Summary. It summarizes the technical and organizational safeguards applied within PhotoRobot Cloud, and supports compliance with PhotoRobot’s contractual obligations under the DPA and SLA. 

‍

‍

Encryption

• In transit: TLS 1.2+ enforced on all endpoints
• At rest: AES-256, GCP-managed encryption keys
• Key handling: fully managed by Google Cloud KMS

‍

‍

Identity & Access Management

• SSO: Google Identity Provider (OIDC)
• Password policy: Enforced by Google Account
• Roles: Production, Backstage, Retoucher
• Session handling: Automatic expiration and re-authentication

‍

‍

Network Security

• No publicly exposed databases or storage
• API endpoints require authenticated access
• Hardened perimeter via GCP infrastructure

‍

‍

Application Security

• Secure SDLC practices (review, versioning, dependency updates)
• No customer passwords stored
• Regular vulnerability checks and patching

‍

‍

Logging & Monitoring

• GCP Cloud Logging (audit logs, access logs)
• Exception tracking and operational metrics
• Alerting on critical anomalies

‍

‍

Backups & Recovery

• Automated daily backups of core data
• Restore testing performed periodically
• Single-region DR with defined recovery steps

‍

‍

Vendor & Third Party

• Only Google Cloud services and Google Vision OCR
• Subprocessors listed at: https://www.photorobot.com/legal/sub-processors

‍

‍

AI Usage

• OCR-only (Google Vision)
• No automation of decisions
• Full human oversight and accountability