// Trust & Security Report
Aragon AI, Inc.
AI headshot and portrait generation (consumer + teams), AI photo editing tools
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on aragon.ai“SOC 2 Type II compliant ... Unlike Type I (which evaluates controls at a single point in time), Type II involves a months-long audit. (Audited by Prescient Security via Vanta per Aragon's compliance blog: 'our partners at Vanta and Prescient Security for helping us achieve this milestone.')”
Verify on aragon.ai“Aragon honors GDPR data-subject rights ('You may request access to, rectification of, or erasure of your Personal Data ... request restriction of processing, object to processing, and request data portability.') but does not claim a formal GDPR certification (GDPR has no certification body); they reference a DPA and subprocessor list.”
> Show 2 unconfirmed / not-held certifications
source: aragon.aiNo ISO 27001 certification is claimed anywhere on the security policy or trust pages; only SOC 2 Type II is listed.
source: aragon.aiNo HIPAA compliance is claimed; the service is a consumer/business headshot generator and does not advertise handling of PHI.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS us-east-1); Heroku runs on AWS us-east-1
Aragon contractually prohibits its AI providers from training on customer face data: 'We contractually prohibit our AI service providers from using face data to train generalized AI models or create pooled face training datasets.' Face data is deleted/anonymized within 30 days after content delivery (or end of subscription for active subscribers). AI inference/training is performed by subprocessors Astria, FAL.ai, and Replicate, all listed as 'AI inference and training' but contractually restricted from generalized training on customer data.
// Security controls
Penetration testing
Yes - 'Periodic penetration testing is conducted by independent security professionals.'
aragon.aiBug bounty program
None found (no HackerOne/Bugcrowd program disclosed). Note: customers are contractually prohibited from running unauthorized pen tests/security assessments.
aragon.aiVulnerability management
Continuous automated vulnerability scanning across production; findings triaged and remediated by severity
aragon.aiAccess control
Least-privilege RBAC, MFA enforced on GitHub/AWS/Heroku/Vercel, session timeouts, strong password policy
aragon.aiIncident response
Formal incident response plan; Sentry monitoring; written post-mortems; written breach notification to affected customers
aragon.aiHosting / infrastructure
AWS, Heroku, Vercel; multi-tenant datastores with logical separation; automated backups + tested DR
aragon.ai// Products & data scope
data: User uploads 5+ selfies; face data processed by AI subprocessors (Astria/FAL.ai/Replicate) and deleted/anonymized within 30 days of delivery (or end of subscription)
Core consumer product. Photos marketed as private; no generalized model training on face data.
data: Business customer manages End User access; same encryption + retention controls; governed by Customer Service Agreement and DPA
Team/business tier with admin-managed accounts; this is the scope the Security Policy and DPA primarily address ('business customers and their end users').
data: Various tools (clothing changer, background changer, image generator, magic eraser, etc.) operating on uploaded user images under the same privacy/retention policy
Large suite of supplementary photo tools; same data handling posture as core product.
// What to watch
- Highly sensitive data type: biometric face/selfie data. Subject to biometric privacy laws (e.g. Illinois BIPA, Texas CUBI) - directory should note biometric sensitivity.
- AI inference subprocessors (Astria, FAL.ai, Replicate) are labeled 'AI inference and training', but Aragon contractually prohibits generalized training on customer face data - distinction worth surfacing.
- No bug bounty program; customers are contractually barred from independent pen testing.
- US-only data residency (us-east-1); no EU data region option for EU customers despite GDPR rights being honored.
// At a glance
Pricing model
Paid subscription / one-time photo packs (consumer + team tiers); free entry-point tools
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Aragon AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
aragon.ai