// Trust & Security Report

    FaceApp Technology Limited logo

    FaceApp Technology Limited

    Consumer photo and face editing application with AI-powered filters and retouching tools. Flagship product: FaceApp mobile app available on iOS and Android. No enterprise or team-tier variants.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No mention of SOC 2 on vendor's public website, privacy policy, or terms of service.

    source: faceapp.com
    SOC 2 Type 2
    NOT CONFIRMED

    No mention of SOC 2 on vendor's public website, privacy policy, or terms of service.

    source: faceapp.com
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 or formal security management system certification on vendor's public website.

    source: faceapp.com
    GDPR
    NOT CONFIRMED

    Privacy policy claims compliance with GDPR mechanisms: 'Standard Contractual Clauses for cross-border transfers' and 'appointed a Data Protection Officer and a UK representative (VeraSafe)'. However, no formal GDPR certification audit or verification is documented. GDPR is a regulation (not a cert), and the vendor claims compliance measures but provides no third-party audit evidence.

    source: faceapp.com
    HIPAA
    NOT CONFIRMED

    Not applicable. FaceApp is a consumer photo editing app with no healthcare-related features or data collection. No mention of HIPAA in terms or privacy documentation.

    source: faceapp.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No mention of ISO 27017. While FaceApp processes data on Google Cloud Platform and Amazon Web Services, the vendor does not claim compliance with cloud-specific security standards.

    source: faceapp.com
    PCI DSS
    NOT CONFIRMED

    No mention of PCI DSS. FaceApp handles subscription billing but does not claim PCI compliance on public documentation.

    source: faceapp.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Google Cloud Platform and Amazon Web Services (no specific regional specification provided; international transfers mentioned with Standard Contractual Clauses)

    Privacy policy explicitly states: 'We do not use photographs or videos you provide when you use the Apps for any reason other than to provide you with the editing functionality.' No indication of using customer photos for AI model training or improvement.

    // Security controls

    Encryption in Transit

    Photographs and videos temporarily cached on cloud servers during editing; encrypted using key stored locally on user's mobile device

    faceapp.com

    Encryption at Rest

    Encryption key resides on user's device; vendor states 'we cannot disclose such content' because key is not stored server-side

    faceapp.com

    Data Retention

    Photos and videos automatically deleted within 24-48 hours after last edit. Users can request immediate removal via app settings.

    faceapp.com

    Cloud Infrastructure

    Cloud processing uses Google Cloud Platform and Amazon Web Services; no specific regional details or SLA commitments documented

    faceapp.com

    General Security Posture

    Vendor claims they 'use commercially reasonable security practices to help keep the information collected through our services secure' but explicitly disclaims: 'we cannot guarantee the security of any information you provide.'

    faceapp.com

    Third-Party Security Audits

    No mention of penetration testing, security audits, or third-party verification on public documentation

    faceapp.com

    Data Protection Officer

    Data Protection Officer appointed and contact information available; UK GDPR representative designated (VeraSafe)

    faceapp.com

    // Products & data scope

    FaceAppConsumer Photo Editing

    data: Facial photos and metadata; temporary processing only (24-48 hour retention)

    1 billion+ downloads. Available on iOS and Android. Offers free tier with ads and optional FaceApp Pro subscription. Single-product vendor; no enterprise variants.

    // What to watch

    • No trust center or dedicated security documentation page (404 on /security URL)
    • No formal compliance certifications despite 1B+ user base; claims GDPR compliance mechanisms (DPO, SCC) but no audit evidence
    • Privacy policy uses broad language: 'license to use, reproduce...modify, adapt, create derivative works from' user content; though restricted to providing editing services
    • No third-party security audits, penetration testing results, or SOC 2/ISO certifications documented
    • Data processing on third-party cloud providers (GCP, AWS) but no transparency into those providers' compliance posture in FaceApp's documentation
    • International data transfers claimed but no specific regional details or SLA commitments documented
    • Explicit disclaimer: 'we cannot guarantee the security of any information you provide' is unusually strong liability waiver for a vendor with massive consumer user base

    // At a glance

    Pricing model

    Freemium with optional subscription (FaceApp Pro)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on FaceApp Technology Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    faceapp.com

    > Browse all vendor trust reports