// Trust & Security Report

    HeadshotPro logo

    HeadshotPro

    AI professional headshot generator (consumer, teams/corporate, and API)

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 — Compliant

    Verify on trust.headshotpro.com
    SOC 2 Type 2 (corroborated in Master Service Agreement)
    HELD

    HeadshotPro maintains administrative, technical, and organizational measures...and operates a SOC 2 Type II program for relevant processes.

    Verify on headshotpro.com
    GDPR (regulatory compliance posture, not a certification)
    HELD

    This policy is fully compliant with the European General Data Protection Regulation (GDPR), as well as related laws and regulations in place at Singapore.

    Verify on headshotpro.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No ISO 27001 claim appears on the trust center, security policy, or any vendor page.

    source: trust.headshotpro.com
    HIPAA
    NOT CONFIRMED

    No HIPAA claim on any vendor page; consumer headshot tool, not a covered-entity / PHI use case.

    source: trust.headshotpro.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (Google Cloud Storage us-east-1; Render hosted on AWS). Note: privacy policy references GDPR and Singapore law, a minor inconsistency vs the US hosting stated in the Security Policy.

    Default is NO training. MSA states: 'Neither Customer Content nor AI Headshots will be used to train or retrain HeadshotPro's or any third party's generative models without Customer's explicit opt-in consent.' Processing is limited to 'provide, maintain, secure, and support the Service.' Customer is assigned ownership of generated AI Headshots and retains full commercial rights.

    // Security controls

    Encryption at rest

    AES-256 for sensitive data

    headshotpro.com

    Encryption in transit

    100% HTTPS; TLS/SSL with 256-bit encryption

    headshotpro.com

    Penetration testing

    Yes — 'Q1 2025 HeadshotPro Pentest' document available on trust center (request access); controls list confirms 'Penetration testing findings remediated'.

    trust.headshotpro.com

    Bug bounty program

    None found (no HackerOne or Bugcrowd). Security Policy requires explicit advance written authorization before any pentest/assessment by third parties.

    headshotpro.com

    Authentication / MFA

    Mandatory 2FA and strong password policy across GitHub, Render, GCS, Vercel; MFA required for critical services.

    headshotpro.com

    Web Application Firewall + VPN

    WAF used; VPN used (per trust center controls)

    trust.headshotpro.com

    Monitoring

    Sentry application monitoring; access logging to apps and production consoles; audit logs collected.

    headshotpro.com

    Data retention / deletion

    Input photos deleted after 7 days; AI headshots deleted after 30 days; user can self-delete anytime from account settings.

    headshotpro.com

    Payment processing

    Handled by Stripe (no card data stored by vendor).

    headshotpro.com

    Subprocessors / infrastructure

    Google Cloud Storage, Render (AWS), Vercel; sub-processor list published.

    headshotpro.com

    // Products & data scope

    HeadshotPro IndividualConsumer AI headshot generation

    data: User uploads 1-3+ selfies; photos deleted after 7 days, headshots after 30 days; full commercial rights assigned to user; no model training without opt-in.

    One-time paid packages (Basic/Professional/Executive, ~EUR 29-59).

    HeadshotPro for Teams / CorporateTeam / enterprise headshots

    data: Same data handling and deletion policy; multi-tenant with logical separation; DPA + Master Service Agreement available for business buyers.

    Used by SMBs through Fortune 500; case studies cite multi-office rollouts. SOC 2 Type 2 + DPA support procurement review.

    HeadshotPro APIDeveloper API

    data: Programmatic headshot generation embedded into partner products; same no-training-by-default and deletion commitments via MSA.

    Used by partners to build scalable headshot solutions (e.g., real-estate case study).

    // What to watch

    • Minor inconsistency: Privacy Policy cites GDPR + Singapore law while Security Policy states US-only hosting (GCS us-east-1, Render/AWS). No EU data-residency option published.
    • SOC 2 Type 2 report and Q1 2025 pentest are gated behind 'Request access' on the Oneleet-powered trust center; status is publicly displayed as Compliant but the report itself was not directly inspected.
    • No public bug-bounty program; third-party security testing requires prior written authorization.

    // At a glance

    Pricing model

    One-time per-package consumer pricing (no subscription); team discounts up to 60%; separate API access

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on HeadshotPro's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.headshotpro.com

    > Browse all vendor trust reports