// Trust & Security Report
WINROAD HOLDINGS LIMITED
AI-powered image and video editing platform with background removal, upscaling, face cutout, and AI generation tools; free and paid tiers plus API
Certifications held
0
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 5 unconfirmed / not-held certifications
No public evidence of SOC 2 certification on vendor's website or trust documentation
No public evidence of ISO 27001 certification on vendor's website or trust documentation
source: cutout.proWhile privacy policy references GDPR and DPA, the referenced DPA URL (https://www.cutout.pro/dpa) returns HTTP 404, indicating no accessible formal compliance documentation
source: cutout.proNo mention of HIPAA compliance in privacy policy, terms, or any vendor documentation
No public evidence of cloud-specific ISO certifications
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Hong Kong (primary office); uses Amazon Web Services for some processing (region not specified)
Privacy policy limits use of uploaded content to the requested processing only: 'only use them to perform requested image or video processing' (section 1) and 'We do not use the photos you provide for any reason other than to provide you with the portrait editing functionality' (section 2). These on-domain statements support that customer content is not used for the vendor's own model training. Separately, Terms of Use section 3.8 prohibits customers from using the platform for 'Research/development of artificial intelligence (in particular generation of training data)', which governs customer conduct rather than the vendor's practices. No dedicated AI-training disclosure exists beyond these statements.
// Security controls
Data Deletion Policy
Images/videos claimed to be deleted automatically after processing; face data cached for 24-48 hours on AWS then deleted
cutout.proPassword Hashing
MD5 hashing with salt (weak by modern standards; February 2024 breach exposed hashed passwords as relatively easy to crack)
bleepingcomputer.comThird-party Cloud Provider
Uses Amazon Web Services (AWS) for image/video processing; only selected photos uploaded for editing
cutout.pro// Products & data scope
data: Uploads images/videos for background removal, upscaling, retouching, face cutout, AI generation
Free and paid subscription tiers; credits-based billing; images deleted after processing but cached temporarily on AWS
data: Same as web platform, available on iOS and Android
Available via App Store and Google Play
data: Programmatic access to image/video processing; unlimited integration into customer websites/apps
Terms prohibit reselling API to third parties; available on pricing page
data: Background removal and image editing for e-commerce product photos
Integrates with Shopify stores
// What to watch
- CRITICAL: Confirmed data breach February 2024 exposing 41.4 million records (20M unique emails, API keys, salted MD5 hashes, personal data). Verified independently by Have I Been Pwned and BleepingComputer.
- CRITICAL: Earlier confirmed data breach in 2023 (Elasticsearch server exposed 9GB of customer data without authentication).
- CRITICAL: Company provided no formal incident response or acknowledgment of breaches; initially denied breach occurred despite overwhelming evidence.
- LOW: Trustpilot account is unclaimed (company has never claimed ownership) with rating of 1.7/5 stars (June 2026), a reputational signal of customer dissatisfaction rather than a security control finding.
- HIGH: No SOC 2, ISO 27001, HIPAA, or GDPR compliance certifications available; no dedicated trust center or security documentation.
- HIGH: DPA URL referenced in Terms of Use (section 9.1: www.cutout.pro/dpa) returns HTTP 404 — claims to have DPA but document is inaccessible.
- HIGH: Weak password hashing algorithm (MD5 with salt) — experts flagged as 'relatively easy to crack by modern standards'.
- MEDIUM: Breach appeared on BreachForums and Telegram; attacker claimed ongoing system access at time of breach.
- MEDIUM: Uses third-party cloud provider (AWS) for face data processing; cached for 24-48 hours — no information on AWS region or compliance.
- MEDIUM: Terms of Use (section 3.8) explicitly prohibits customer use of platform for AI research/training data generation, but no statement on whether vendor uses customer data for its own model training.
- LOW: Privacy policy and terms are available and address basic data handling, but lack enterprise-grade security documentation or transparency around past incidents.
// At a glance
Pricing model
Freemium (free tier with credits/limits) + Subscription (monthly credits) + Pay-per-use credit purchase via PayPal or Stripe
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on WINROAD HOLDINGS LIMITED's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
cutout.pro