// Trust & Security Report

    Aragon AI, Inc. logo

    Aragon AI, Inc.

    AI headshot and portrait generation (consumer + teams), AI photo editing tools

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II compliant ... Unlike Type I (which evaluates controls at a single point in time), Type II involves a months-long audit. (Audited by Prescient Security via Vanta per Aragon's compliance blog: 'our partners at Vanta and Prescient Security for helping us achieve this milestone.')

    Verify on aragon.ai
    GDPR
    HELD

    Aragon honors GDPR data-subject rights ('You may request access to, rectification of, or erasure of your Personal Data ... request restriction of processing, object to processing, and request data portability.') but does not claim a formal GDPR certification (GDPR has no certification body); they reference a DPA and subprocessor list.

    Verify on aragon.ai
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No ISO 27001 certification is claimed anywhere on the security policy or trust pages; only SOC 2 Type II is listed.

    source: aragon.ai
    HIPAA
    NOT CONFIRMED

    No HIPAA compliance is claimed; the service is a consumer/business headshot generator and does not advertise handling of PHI.

    source: aragon.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS us-east-1); Heroku runs on AWS us-east-1

    Aragon contractually prohibits its AI providers from training on customer face data: 'We contractually prohibit our AI service providers from using face data to train generalized AI models or create pooled face training datasets.' Face data is deleted/anonymized within 30 days after content delivery (or end of subscription for active subscribers). AI inference/training is performed by subprocessors Astria, FAL.ai, and Replicate, all listed as 'AI inference and training' but contractually restricted from generalized training on customer data.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher; all API and application endpoints TLS/SSL only

    aragon.ai

    Encryption at rest

    AES-256

    aragon.ai

    Penetration testing

    Yes - 'Periodic penetration testing is conducted by independent security professionals.'

    aragon.ai

    Bug bounty program

    None found (no HackerOne/Bugcrowd program disclosed). Note: customers are contractually prohibited from running unauthorized pen tests/security assessments.

    aragon.ai

    Vulnerability management

    Continuous automated vulnerability scanning across production; findings triaged and remediated by severity

    aragon.ai

    Access control

    Least-privilege RBAC, MFA enforced on GitHub/AWS/Heroku/Vercel, session timeouts, strong password policy

    aragon.ai

    Incident response

    Formal incident response plan; Sentry monitoring; written post-mortems; written breach notification to affected customers

    aragon.ai

    Hosting / infrastructure

    AWS, Heroku, Vercel; multi-tenant datastores with logical separation; automated backups + tested DR

    aragon.ai

    Payment security

    No card data stored; processing via Stripe, Paddle, RevenueCat

    aragon.ai

    // Products & data scope

    AI Headshots (Individuals)Consumer AI headshot generator

    data: User uploads 5+ selfies; face data processed by AI subprocessors (Astria/FAL.ai/Replicate) and deleted/anonymized within 30 days of delivery (or end of subscription)

    Core consumer product. Photos marketed as private; no generalized model training on face data.

    Headshots for TeamsB2B / business headshot generator

    data: Business customer manages End User access; same encryption + retention controls; governed by Customer Service Agreement and DPA

    Team/business tier with admin-managed accounts; this is the scope the Security Policy and DPA primarily address ('business customers and their end users').

    AI Photo Generators & AI Editor toolsAI image editing/generation utilities

    data: Various tools (clothing changer, background changer, image generator, magic eraser, etc.) operating on uploaded user images under the same privacy/retention policy

    Large suite of supplementary photo tools; same data handling posture as core product.

    // What to watch

    • Highly sensitive data type: biometric face/selfie data. Subject to biometric privacy laws (e.g. Illinois BIPA, Texas CUBI) - directory should note biometric sensitivity.
    • AI inference subprocessors (Astria, FAL.ai, Replicate) are labeled 'AI inference and training', but Aragon contractually prohibits generalized training on customer face data - distinction worth surfacing.
    • No bug bounty program; customers are contractually barred from independent pen testing.
    • US-only data residency (us-east-1); no EU data region option for EU customers despite GDPR rights being honored.

    // At a glance

    Pricing model

    Paid subscription / one-time photo packs (consumer + team tiers); free entry-point tools

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Aragon AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    aragon.ai

    > Browse all vendor trust reports