// Trust & Security Report
HeadshotPro
AI professional headshot generator (consumer, teams/corporate, and API)
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on headshotpro.com“HeadshotPro maintains administrative, technical, and organizational measures...and operates a SOC 2 Type II program for relevant processes.”
Verify on headshotpro.com“This policy is fully compliant with the European General Data Protection Regulation (GDPR), as well as related laws and regulations in place at Singapore.”
> Show 2 unconfirmed / not-held certifications
source: trust.headshotpro.comNo ISO 27001 claim appears on the trust center, security policy, or any vendor page.
source: trust.headshotpro.comNo HIPAA claim on any vendor page; consumer headshot tool, not a covered-entity / PHI use case.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (Google Cloud Storage us-east-1; Render hosted on AWS). Note: privacy policy references GDPR and Singapore law, a minor inconsistency vs the US hosting stated in the Security Policy.
Default is NO training. MSA states: 'Neither Customer Content nor AI Headshots will be used to train or retrain HeadshotPro's or any third party's generative models without Customer's explicit opt-in consent.' Processing is limited to 'provide, maintain, secure, and support the Service.' Customer is assigned ownership of generated AI Headshots and retains full commercial rights.
// Security controls
Penetration testing
Yes — 'Q1 2025 HeadshotPro Pentest' document available on trust center (request access); controls list confirms 'Penetration testing findings remediated'.
trust.headshotpro.comBug bounty program
None found (no HackerOne or Bugcrowd). Security Policy requires explicit advance written authorization before any pentest/assessment by third parties.
headshotpro.comAuthentication / MFA
Mandatory 2FA and strong password policy across GitHub, Render, GCS, Vercel; MFA required for critical services.
headshotpro.comMonitoring
Sentry application monitoring; access logging to apps and production consoles; audit logs collected.
headshotpro.comData retention / deletion
Input photos deleted after 7 days; AI headshots deleted after 30 days; user can self-delete anytime from account settings.
headshotpro.comSubprocessors / infrastructure
Google Cloud Storage, Render (AWS), Vercel; sub-processor list published.
headshotpro.com// Products & data scope
data: User uploads 1-3+ selfies; photos deleted after 7 days, headshots after 30 days; full commercial rights assigned to user; no model training without opt-in.
One-time paid packages (Basic/Professional/Executive, ~EUR 29-59).
data: Same data handling and deletion policy; multi-tenant with logical separation; DPA + Master Service Agreement available for business buyers.
Used by SMBs through Fortune 500; case studies cite multi-office rollouts. SOC 2 Type 2 + DPA support procurement review.
data: Programmatic headshot generation embedded into partner products; same no-training-by-default and deletion commitments via MSA.
Used by partners to build scalable headshot solutions (e.g., real-estate case study).
// What to watch
- Minor inconsistency: Privacy Policy cites GDPR + Singapore law while Security Policy states US-only hosting (GCS us-east-1, Render/AWS). No EU data-residency option published.
- SOC 2 Type 2 report and Q1 2025 pentest are gated behind 'Request access' on the Oneleet-powered trust center; status is publicly displayed as Compliant but the report itself was not directly inspected.
- No public bug-bounty program; third-party security testing requires prior written authorization.
// At a glance
Pricing model
One-time per-package consumer pricing (no subscription); team discounts up to 60%; separate API access
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on HeadshotPro's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.headshotpro.com