// Trust & Security Report

    WINROAD HOLDINGS LIMITED logo

    WINROAD HOLDINGS LIMITED

    AI-powered image and video editing platform with background removal, upscaling, face cutout, and AI generation tools; free and paid tiers plus API

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 5 unconfirmed / not-held certifications
    SOC 2 Type 1/2
    NOT CONFIRMED

    No public evidence of SOC 2 certification on vendor's website or trust documentation

    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on vendor's website or trust documentation

    GDPR Compliance
    NOT CONFIRMED

    While privacy policy references GDPR and DPA, the referenced DPA URL (https://www.cutout.pro/dpa) returns HTTP 404, indicating no accessible formal compliance documentation

    source: cutout.pro
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance in privacy policy, terms, or any vendor documentation

    source: cutout.pro
    ISO 27017/27018
    NOT CONFIRMED

    No public evidence of cloud-specific ISO certifications

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Hong Kong (primary office); uses Amazon Web Services for some processing (region not specified)

    Privacy policy limits use of uploaded content to the requested processing only: 'only use them to perform requested image or video processing' (section 1) and 'We do not use the photos you provide for any reason other than to provide you with the portrait editing functionality' (section 2). These on-domain statements support that customer content is not used for the vendor's own model training. Separately, Terms of Use section 3.8 prohibits customers from using the platform for 'Research/development of artificial intelligence (in particular generation of training data)', which governs customer conduct rather than the vendor's practices. No dedicated AI-training disclosure exists beyond these statements.

    // Security controls

    Data Encryption in Transit

    SSL/TLS encryption claimed for data transfer

    cutout.pro

    Data Deletion Policy

    Images/videos claimed to be deleted automatically after processing; face data cached for 24-48 hours on AWS then deleted

    cutout.pro

    Availability SLA

    98% uptime guarantee (calculated over one year)

    cutout.pro

    Password Hashing

    MD5 hashing with salt (weak by modern standards; February 2024 breach exposed hashed passwords as relatively easy to crack)

    bleepingcomputer.com

    Server Logs Retention

    Server logs stored for no longer than 3 months

    cutout.pro

    Third-party Cloud Provider

    Uses Amazon Web Services (AWS) for image/video processing; only selected photos uploaded for editing

    cutout.pro

    // Products & data scope

    Web Platform (cutout.pro)Image & Video Editing

    data: Uploads images/videos for background removal, upscaling, retouching, face cutout, AI generation

    Free and paid subscription tiers; credits-based billing; images deleted after processing but cached temporarily on AWS

    Mobile AppsImage & Video Editing

    data: Same as web platform, available on iOS and Android

    Available via App Store and Google Play

    APIDeveloper API

    data: Programmatic access to image/video processing; unlimited integration into customer websites/apps

    Terms prohibit reselling API to third parties; available on pricing page

    Shopify PluginE-commerce Integration

    data: Background removal and image editing for e-commerce product photos

    Integrates with Shopify stores

    // What to watch

    • CRITICAL: Confirmed data breach February 2024 exposing 41.4 million records (20M unique emails, API keys, salted MD5 hashes, personal data). Verified independently by Have I Been Pwned and BleepingComputer.
    • CRITICAL: Earlier confirmed data breach in 2023 (Elasticsearch server exposed 9GB of customer data without authentication).
    • CRITICAL: Company provided no formal incident response or acknowledgment of breaches; initially denied breach occurred despite overwhelming evidence.
    • LOW: Trustpilot account is unclaimed (company has never claimed ownership) with rating of 1.7/5 stars (June 2026), a reputational signal of customer dissatisfaction rather than a security control finding.
    • HIGH: No SOC 2, ISO 27001, HIPAA, or GDPR compliance certifications available; no dedicated trust center or security documentation.
    • HIGH: DPA URL referenced in Terms of Use (section 9.1: www.cutout.pro/dpa) returns HTTP 404 — claims to have DPA but document is inaccessible.
    • HIGH: Weak password hashing algorithm (MD5 with salt) — experts flagged as 'relatively easy to crack by modern standards'.
    • MEDIUM: Breach appeared on BreachForums and Telegram; attacker claimed ongoing system access at time of breach.
    • MEDIUM: Uses third-party cloud provider (AWS) for face data processing; cached for 24-48 hours — no information on AWS region or compliance.
    • MEDIUM: Terms of Use (section 3.8) explicitly prohibits customer use of platform for AI research/training data generation, but no statement on whether vendor uses customer data for its own model training.
    • LOW: Privacy policy and terms are available and address basic data handling, but lack enterprise-grade security documentation or transparency around past incidents.

    // At a glance

    Pricing model

    Freemium (free tier with credits/limits) + Subscription (monthly credits) + Pay-per-use credit purchase via PayPal or Stripe

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on WINROAD HOLDINGS LIMITED's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    cutout.pro

    > Browse all vendor trust reports