PhotoGov

Security

Plain answers about how your photo and data are handled — what stays local, what reaches our servers, and how long anything lasts.

Browser-side processing

Validation and rendering run entirely inside your browser via MediaPipe Tasks Vision and our canvas pipeline. Face landmark detection, head-geometry checks, background normalization, and JPEG/PNG/PDF generation all execute locally on your device. Your source photo never leaves the browser during the validation pipeline.

When data does reach our servers

Only at checkout. When you enter an email and proceed to payment, the processed output files and the email you supply are uploaded so we can email them back. The original source photo is not part of that upload by default. Object-storage data is encrypted at rest by the storage provider; downloads use HMAC-signed URLs that expire within your access window.

Retention

  • Output files: stored only for the duration of your access window (default 30 days for the digital-plus tier, 7 days for digital HD).
  • Order metadata: retained for accounting purposes per applicable law (refunds, chargebacks, tax reporting).
  • Email-login codes: 15-minute expiry, hashed at rest with a server-side pepper.

Transport

Every request and every download link runs over TLS. Payment processing is handled by Paddle (when enabled) under PCI-DSS controls; card data never touches our infrastructure.

Authentication

We do not require accounts to validate a photo. To retrieve a past order, we use passwordless email-code verification: a 6-digit code is sent to the email you provided at checkout. The code expires in 15 minutes, allows up to 6 attempts, and is rate-limited to 5 codes per hour. See /sessions to retrieve a past order.
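The limits above (15-minute expiry, 6 attempts per code, 5 codes per hour, codes hashed at rest with a server-side pepper) can be enforced server-side as sketched below. This is an added illustration, not PhotoGov's own code; the pepper value, the in-memory store and the `issue`/`verify` names are assumptions, and a real deployment would keep the pepper in a secret store and the records in a database.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 15 * 60        # code lifetime in seconds (15 minutes)
MAX_ATTEMPTS = 6          # wrong guesses allowed per issued code
MAX_CODES_PER_HOUR = 5    # issuance rate limit per email
# Constructed placeholder; the real pepper lives outside the database.
PEPPER = b"constructed-pepper-keep-in-secret-store"


def hash_code(email: str, code: str) -> str:
    # HMAC over email:code with the pepper, so a dumped table of digests
    # cannot be brute-forced offline without the pepper.
    msg = f"{email.lower()}:{code}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


@dataclass
class CodeRecord:
    digest: str
    expires_at: float
    attempts: int = 0


class CodeStore:
    def __init__(self) -> None:
        self.records: dict[str, CodeRecord] = {}   # email -> active code
        self.issued: dict[str, list[float]] = {}   # email -> issue times

    def issue(self, email: str, now: float):
        recent = [t for t in self.issued.get(email, []) if now - t < 3600]
        if len(recent) >= MAX_CODES_PER_HOUR:
            return None                            # rate-limited
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit, CSPRNG
        self.issued[email] = recent + [now]
        self.records[email] = CodeRecord(hash_code(email, code), now + CODE_TTL)
        return code                                # emailed, never stored in clear

    def verify(self, email: str, code: str, now: float) -> bool:
        rec = self.records.get(email)
        if rec is None or now >= rec.expires_at:
            self.records.pop(email, None)          # expired or unknown
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            self.records.pop(email, None)          # too many guesses: burn it
            return False
        ok = hmac.compare_digest(rec.digest, hash_code(email, code))
        if ok:
            del self.records[email]                # single use
        return ok
```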

Reporting a vulnerability

Found a security issue? Email support@photogov.app with the steps to reproduce. We'll respond within 5 business days and credit you in our security log if you'd like.