Imagen security and compliance FAQs

Your data security is our top priority. This guide answers the most common questions about how we protect your photos, data, and business information.

Access control and authentication

How do you control access to your management systems?

We use a Zero Trust network architecture with Twingate to secure all internal systems. This means we verify identity and device before granting access to sensitive systems.

Our access controls include:

  • Role-based access control (RBAC) with access granted strictly by job role
  • Multi-factor authentication (MFA) required for all internal users
  • Complete audit logging of all access and administrative activity
  • Limited access from specific public IP ranges for operational needs only

What authentication method do you use for your web application?

We use a passwordless authentication system for better security:

  • One-time password (OTP) sent to your email address
  • Time-limited session tokens after successful verification
  • No long-term passwords stored in our system
  • All communication encrypted with HTTPS and TLS certificates

This eliminates risks from password reuse, credential theft, and phishing attacks.
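The flow described above (e-mailed one-time code, then a time-limited session token, nothing password-like kept on the server) as an added illustration; this is not Imagen's code, and the time limits, attempt limit and in-memory store are assumptions chosen for the example:

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not Imagen's real configuration).
OTP_TTL_SECONDS = 600          # a code is valid for 10 minutes
OTP_MAX_ATTEMPTS = 5           # the code is discarded after 5 wrong guesses
SESSION_TTL_SECONDS = 3600     # a session token lasts one hour
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret for signing session tokens

# In-memory store of pending codes; a real service would use a database or cache.
_pending = {}   # email -> {"digest": bytes, "expires": float, "attempts": int}


def _otp_digest(email, code):
    # Only a hash of the code is stored, bound to the address it was sent to,
    # so a leaked store yields no usable codes and a code cannot be replayed
    # against a different address.
    return hashlib.sha256(f"{email.lower()}:{code}".encode()).digest()


def issue_otp(email, now=None):
    """Generate a fresh 6-digit code for `email`; the caller e-mails it to the user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, never random.random()
    _pending[email.lower()] = {
        "digest": _otp_digest(email, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(email, code, now=None):
    """True only if a code is pending, unexpired, under the attempt limit and matches."""
    now = time.time() if now is None else now
    key = email.lower()
    entry = _pending.get(key)
    if entry is None or now > entry["expires"]:
        _pending.pop(key, None)
        return False
    entry["attempts"] += 1
    if entry["attempts"] > OTP_MAX_ATTEMPTS:
        _pending.pop(key, None)          # too many guesses: force a new code
        return False
    if not hmac.compare_digest(entry["digest"], _otp_digest(email, code)):
        return False
    _pending.pop(key, None)              # single use: a code never verifies twice
    return True


def issue_session_token(email, now=None):
    """Return an HMAC-signed token carrying the address and an absolute expiry."""
    now = time.time() if now is None else now
    expires = int(now) + SESSION_TTL_SECONDS
    payload = f"{email.lower()}|{expires}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def check_session_token(token, now=None):
    """Return the e-mail the token belongs to, or None if it is forged or expired."""
    now = time.time() if now is None else now
    try:
        email, expires, tag = token.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    if now > expires:
        return None
    return email
```

A login handler would call issue_otp on the first request, verify_otp on the second, and only then issue_session_token; every later request goes through check_session_token, so a stolen token stops working at its expiry without any server-side session state.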

System security and updates

How do you keep your operational systems secure?

All company devices (primarily MacBooks) are actively maintained with:

  • Automatic security and system updates enabled
  • Device monitoring through Splashtop Streamer for health checks
  • Built-in macOS protections (XProtect, Gatekeeper, System Integrity Protection)
  • 1Password for secure credential management across the organization
  • External IT partner oversight for compliance verification

Do you use strong passwords and security policies?

Yes. All operational accounts use auto-generated passwords managed through 1Password with:

  • Minimum 10 characters
  • Mix of uppercase, lowercase, numbers, and special characters
  • Multi-factor authentication on all critical services
  • No password reuse across systems
  • Regular access reviews and immediate updates when employees join, change roles, or leave

How do you handle vulnerability management?

We use a multi-layered approach:

  • AWS CloudWatch, Datadog, and Sentry for real-time monitoring and alerts
  • Third-party security firm conducting external penetration testing
  • Automated dependency scanning in our development pipelines
  • Prompt patching of high-severity vulnerabilities with expedited deployment
  • Zero Trust access through Twingate for all internal systems

Physical and remote access security

What physical security measures protect your offices?

Our operational work happens in secured office spaces with:

  • 24/7 building security staff
  • Keypad or keycard-secured entry points
  • Pre-authorized and escorted visitors only
  • Automatic screen locks when devices are idle
  • Clear policies against photographing sensitive information

How do you secure remote access?

Remote access is enabled with strict security controls:

  • Zero Trust network through Twingate for all connections
  • Encrypted remote desktop access via Splashtop Streamer
  • Multi-factor authentication required for all remote sessions
  • Complete session logging and monitoring
  • External IT provider oversight and compliance checks

Data protection and encryption

How is our data encrypted and protected?

All customer data is protected with industry-standard encryption:

  • In transit: HTTPS with TLS 1.2+ for all communication
  • At rest: Industry-standard encryption for all stored data
  • Uploads: Direct to AWS S3 using pre-signed, time-limited URLs
  • Certificates: Trusted Let's Encrypt TLS certificates, regularly renewed
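The "pre-signed, time-limited URL" item deserves a closer look, because it is what lets a browser upload straight to storage without the server ever handling the bytes or handing out long-lived credentials. The block below is an added illustration of the idea, not Imagen's code and not AWS's Signature Version 4: it uses a plain HMAC over method, object path and expiry, and the host and signing key are placeholders. The check on the receiving side is the part that matters: the signature binds one HTTP method to one object path until one moment in time, and any change to those three things invalidates it.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders for this example: a service-side signing secret and an upload host.
SIGNING_KEY = b"example-signing-key-rotate-me"
BASE_URL = "https://uploads.example.invalid"


def _string_to_sign(method, path, expires):
    # Everything the server will later enforce must be covered by the signature.
    return f"{method}\n{path}\n{expires}".encode()


def presign_upload(path, ttl_seconds, now=None, method="PUT"):
    """Return a URL permitting exactly `method` on `path` until now + ttl_seconds."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _string_to_sign(method, path, expires),
                   hashlib.sha256).hexdigest()
    query = urlencode({"method": method, "expires": expires, "sig": sig})
    return f"{BASE_URL}{path}?{query}"


def authorize_request(url, method, now=None):
    """Storage-side check: valid signature, matching method and not yet expired."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["expires"][0])
        sig = q["sig"][0]
        signed_method = q["method"][0]
    except (KeyError, ValueError):
        return False
    if method != signed_method:
        return False                      # a PUT-only URL cannot be used to GET
    expected = hmac.new(SIGNING_KEY,
                        _string_to_sign(signed_method, parts.path, expires),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False                      # path, method or expiry was altered
    return now <= expires
```

Short lifetimes (minutes, not days) keep the damage from a leaked URL bounded, and because the object path is signed, a URL issued for one customer's key prefix cannot be pointed at another's.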

Where is our data stored?

Customer data is stored on Amazon Web Services (AWS) infrastructure in:

  • Primary region: US East (N. Virginia) for main storage and processing
  • Backup region: US West (Oregon) for disaster recovery and redundancy

All data remains within AWS's secure, compliant data centers, which meet the SOC 2 and ISO 27001 standards and GDPR requirements.

Who can access our customer data?

Access to customer data is strictly controlled:

  • Customer ownership: You own all data you provide to us
  • Exception-based access: Our personnel don't access data by default
  • Support-driven access: Only when needed for technical support with your consent
  • Role-based permissions: Access limited to authorized personnel by job function
  • Complete logging: All data access is logged and auditable

You can request data deletion or access logs at any time.

Network security and monitoring

How do you protect against network threats?

We use comprehensive network security measures:

  • AWS Security Groups and Network Access Control Lists as virtual firewalls
  • Private AWS subnets for core services (not publicly accessible)
  • AWS CloudTrail and CloudWatch for infrastructure monitoring and alerts
  • Third-party security partner for continuous threat monitoring
  • Zero Trust access eliminating traditional network trust assumptions

What monitoring and alerting do you have in place?

Our systems are continuously monitored through:

  • Real-time application behavior monitoring (Datadog, Sentry)
  • Infrastructure activity alerts (AWS CloudWatch)
  • Authentication and access logging (Twingate, AWS CloudTrail)
  • 24/7 external security monitoring and incident response
  • Automated anomaly detection and alerting

Compliance and certifications

Do you have security certifications?

While we don't currently hold formal certifications like ISO 27001 or SOC 2, we maintain strong security practices:

  • Regular internal security audits and reviews
  • Third-party penetration testing by professional security firms
  • AWS cloud security best practices implementation
  • Proactive monitoring and rapid incident response

Security is a first-class priority in all our engineering and operational processes.

How do you handle personal information and privacy compliance?

We follow strict data protection practices:

  • Data encryption: All personal information encrypted in transit and at rest
  • Access control: Limited to authorized personnel through RBAC
  • Zero Trust network: Identity-based authentication for all internal access
  • Employee training: Regular privacy and data protection training
  • Vendor compliance: All subprocessors (AWS, MongoDB Atlas) are SOC 2 and GDPR compliant
  • Data Processing Agreements: Clear responsibilities with all service providers

Backup and business continuity

How do you back up our data?

We use automated, redundant backup systems:

  • Application data: MongoDB Atlas with daily snapshots and multi-region replica sets
  • Relational database data: AWS RDS MySQL with hourly backups
  • Geographic redundancy: Backups stored in both US East and US West regions
  • Encryption: All backups encrypted at rest in secure AWS infrastructure

What's your Business Continuity Plan?

Our plan ensures continued service during disruptions:

  • Redundant infrastructure: Multi-replica Kubernetes deployments on AWS
  • Automated backups: Frequent, encrypted backups with geographic distribution
  • Disaster recovery: US West (Oregon) region for backup and recovery
  • 99.9% uptime SLA: Supported by resilient architecture and monitoring
  • Rolling updates: Minimal downtime deployment processes

Recovery objectives vary by system type, with most major systems restorable within hours.

Service integration and API security

How secure is your API for integration?

Our API is designed with security as a priority:

  • HTTPS only: All communication encrypted with TLS 1.2+
  • API key authentication: Scoped access keys per customer
  • JSON format: Standard request/response format for compatibility
  • AWS protection: Hosted on AWS with CloudFront and Web Application Firewall
  • Rate limiting: Protection against abuse and overuse
  • Public documentation: Regularly updated integration guides
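Two of the items above, scoped per-customer API keys and rate limiting, combine naturally in one authorization step. The following block is an added example of that step and is not Imagen's API code; the key registry, scope names and bucket sizes are constructed placeholders. It stores only a hash of each key, refuses operations outside the key's scopes, and applies a per-key token bucket so one integration cannot exhaust capacity for others.

```python
import hashlib
import time

# Constructed key registry: only the SHA-256 of each key is kept, with the
# customer it belongs to and the operations it may perform.
def _key_hash(api_key):
    return hashlib.sha256(api_key.encode()).hexdigest()

_KEYS = {
    _key_hash("cust-123-example-key"): {"customer": "cust-123",
                                         "scopes": {"photos:read", "photos:upload"}},
    _key_hash("cust-456-example-key"): {"customer": "cust-456",
                                         "scopes": {"photos:read"}},
}

# Assumed limit for the example: 10 requests burst, then 1 request per second.
RATE_CAPACITY = 10
RATE_REFILL_PER_SECOND = 1.0


class TokenBucket:
    """Classic token bucket: tokens refill continuously, each request spends one."""

    def __init__(self, capacity, refill_per_second, now):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.updated = now

    def allow(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


_buckets = {}   # key hash -> TokenBucket


def authorize(api_key, scope, now=None):
    """Return (status, customer): 'ok', 'unauthorized', 'forbidden' or 'rate_limited'."""
    now = time.time() if now is None else now
    h = _key_hash(api_key)
    record = _KEYS.get(h)
    if record is None:
        return ("unauthorized", None)          # unknown key: HTTP 401
    if scope not in record["scopes"]:
        return ("forbidden", record["customer"])   # valid key, wrong scope: HTTP 403
    if h not in _buckets:
        _buckets[h] = TokenBucket(RATE_CAPACITY, RATE_REFILL_PER_SECOND, now)
    if not _buckets[h].allow(now):
        return ("rate_limited", record["customer"])  # HTTP 429
    return ("ok", record["customer"])
```

Checking the scope before spending a token means a misconfigured client that keeps calling an endpoint it may not use gets a clear 403 rather than silently burning its own quota, while a runaway loop on a permitted endpoint is throttled per key instead of per IP, which matters when many customers sit behind the same NAT.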

What desktop applications do you provide?

We offer secure desktop apps for macOS and Windows:

  • Designed specifically for photographers and production teams
  • Handle authentication, upload, download, and image management
  • All communication uses secure HTTPS over TLS
  • Integrate with the same secure cloud infrastructure as our web platform

Support and contact

  • Chatbot and live chat with an agent: Click Support at the top of the Imagen app to start a conversation.
  • Help Center: Self-service guides available 24/7 at support.imagen-ai.com
  • Contact form: Submit requests at support.imagen-ai.com/requests/new
  • Response time: Within 24 hours, with urgent issues prioritized.

All support is included at no additional cost. Ask us for specific compliance information if you don't see what you need.
