Request to Join

Trust Center

Last updated: April 8, 2026

Your data, your trust

BrandStudio handles event photos, guest information, and face recognition data. We take that responsibility seriously. This page is the single place to understand how we protect your data.

Security

  • Encryption everywhere: TLS 1.2+ in transit, server-side encryption at rest on Cloudflare R2, Fernet encryption for face embeddings.
  • Authentication: bcrypt password hashing, JWT tokens, optional two-factor authentication with backup codes.
  • Access control: 7-level role hierarchy, company-scoped data isolation, rate limiting on all sensitive endpoints.
  • Infrastructure: Railway (SOC 2 Type II), Cloudflare R2 and CDN, Vercel edge network, Stripe (PCI DSS Level 1) for payments.

Read our full security practices

Privacy

  • Minimal data collection: We collect only what we need to deliver event photos to guests.
  • No selling data: We never sell personal information to third parties.
  • Face recognition is opt-in: Off by default. Guests can opt out. Embeddings are encrypted and deletable anytime.
  • Analytics: We use PostHog for product analytics. The marketing site runs in cookieless mode.
  • Data deletion: Delete your data from the dashboard or email us. We honor all deletion requests.

Read our privacy policy

Compliance

  • SOC 2: Compliance program in progress. Our infrastructure providers (Railway, Cloudflare, Stripe) are SOC 2 certified.
  • GDPR: We support data portability and deletion requests for EU users.
  • BIPA/CCPA: Face recognition data handling follows biometric data protection requirements. Opt-in consent, encrypted storage, company isolation.

Data handling

  • Photo storage: Cloudflare R2 (S3-compatible) with zero egress fees and global edge delivery.
  • Database: PostgreSQL on Railway with encrypted connections and automated backups.
  • Company isolation: Each company's data is strictly separated. No cross-account access.
  • Audit logging: Logins, team changes, data deletion, and face recognition actions are logged.

Reporting vulnerabilities

Found a security issue? Email security@brandstudiohq.com. We acknowledge reports within 48 hours and fix confirmed vulnerabilities as fast as possible.

Questions

Security or privacy questions? Reach us at security@brandstudiohq.com or through our contact form.