Security

Infrastructure

We build on providers with strong security track records:

• Application and database: Railway (US data centers, SOC 2 Type II certified). Our PostgreSQL database uses encrypted connections.
• Photo storage: Cloudflare R2 with server-side encryption and a global edge network for fast delivery. S3-compatible, enterprise-grade.
• Frontend: Vercel with automatic HTTPS and edge caching.
• Payments: Stripe handles all payment processing. They're PCI DSS Level 1 certified — the highest level. We never see or store credit card numbers.
• CDN and DDoS protection: Cloudflare sits in front of everything, blocking malicious traffic before it reaches us.

Data encryption

In transit

Every connection to BrandStudio uses HTTPS with TLS 1.2 or higher. We enforce HSTS headers so browsers always use encrypted connections. WebSocket connections (for real-time features like live capture) use WSS, the encrypted version of WebSocket.

At rest

Photos are encrypted on Cloudflare R2's servers. Face recognition embeddings get an extra layer of encryption using Fernet (AES-128-CBC with HMAC-SHA256) before they're stored. API keys and third-party credentials in our database are also encrypted.

Passwords

Passwords are hashed with bcrypt using a cost factor of 12. We never store, log, or transmit your password in plain text. Even our team can't see your password.

Access controls

We take a layered approach to who can access what:

• Role-based permissions: 7 roles from Owner down to Assistant, each with specific permissions. Team members can have different roles on different events.
• JWT authentication: Stateless tokens with configurable expiration keep sessions secure.
• Two-factor authentication: TOTP-based 2FA with backup codes is available for all accounts.
• Rate limiting: All sensitive endpoints have rate limits to prevent brute-force attacks and abuse.
• Company isolation: Data is scoped to your company. One company's data is never accessible to another.

Face recognition security

Face recognition handles sensitive biometric-like data, so we treat it with extra care:

• Opt-in only: Face recognition is off by default. You explicitly turn it on per event.
• Guest opt-out: Guests can opt out of face matching at any time.
• Not reversible: Face embeddings are mathematical representations, not images. You can't reconstruct someone's face from an embedding.
• Encrypted storage: All embeddings are encrypted at rest with Fernet encryption before being stored in our database.
• Company isolation: Face data is strictly isolated per company. No cross-account access.
• Deletable anytime: Delete face data from your dashboard or email us. We wipe it completely.
• Limited purpose: We only use face data to match photos to guests at your events. Nothing else.

Audit logging

We log important actions so you (and we) can see what happened and when:

• Logins, logouts, and password changes
• Team member invitations, role changes, and removals
• Event creation, photo deletion, and settings changes
• Face recognition being enabled, processed, or deleted

Incident response

If a security incident occurs, here's what we do:

• Identify and contain the issue as fast as possible
• Assess what data was affected
• Notify affected users promptly with clear details about what happened and what we're doing about it
• Fix the root cause and document what we learned

We believe in transparency. If something goes wrong, you'll hear about it from us directly — not from a news article.

Reporting vulnerabilities

If you find a security vulnerability, please report it to security@brandstudiohq.com. We'll acknowledge your report within 48 hours and work to fix confirmed issues as quickly as possible.

We ask that you give us a reasonable window to address the issue before disclosing it publicly. We appreciate security researchers who help us keep the platform safe.

Questions

Security questions or concerns? Email security@brandstudiohq.com. We take every inquiry seriously.