// Trust & Security Report
InstantX Team / Xiaohongshu Inc (research project, not a hosted commercial vendor)
InstantID is an open-source research code release (zero-shot identity-preserving image generation, arXiv:2401.07519) published by the InstantX research team, with contributors affiliated to Xiaohongshu Inc and Peking University. It is not a hosted SaaS product; it ships as code + model checkpoints on GitHub/Hugging Face that users download and run themselves (locally, on their own infra, or via third-party inference platforms such as Replicate/fal.ai/Hugging Face Spaces that independently host it).
Certifications held
0
Maturity
Unknown
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 7 unconfirmed / not-held certifications
source: instantid.github.iono public evidence - InstantID has no company trust center, security page, or hosted service; project pages (instantid.github.io, github.com/instantX-research/InstantID) contain no compliance claims
source: instantid.github.iono public evidence - no privacy policy or data-processing statement is published for the InstantID project itself
source: instantid.github.ionot applicable - project has no payment processing or hosted service
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
not applicable - no InstantID-operated hosting; data location depends entirely on where a given user or third-party platform chooses to run the open-source code
InstantID does not collect or process any customer/user data as a service - there is no InstantID-operated endpoint that ingests user images. The project distributes code (Apache License 2.0) plus pre-trained checkpoints; per the repository README the face-recognition (InsightFace) models and the released checkpoints are restricted to non-commercial research use, which is a licensing constraint, not a data-training-on-your-inputs concern. Anyone using InstantID runs it on their own infrastructure or via a third-party host (e.g. Replicate, Hugging Face Spaces, fal.ai), each of which has its own independent data-handling and training policy that AIFOXX must not attribute to 'InstantID'.
// Security controls
Encryption in transit
not applicable - no InstantID-hosted service exists to encrypt traffic to
instantid.github.ioHosting model
Self-hosted / bring-your-own-infrastructure. Code and checkpoints are downloaded from GitHub and Hugging Face and executed by the user; no vendor-operated production environment.
github.com// Products & data scope
data: None held by the project itself; any face/image data is processed entirely on the infrastructure the end user or a third-party host chooses
Code is Apache 2.0 (commercial use of the code permitted); the bundled InsightFace face-recognition models and released checkpoints are restricted to non-commercial research use per their own upstream license - a licensing caveat, not a security/compliance one.
// What to watch
- InstantID is a research code/model release, not a company with a hosted product - it has no trust center, privacy policy, or security program of its own. Standard vendor-cert fields (SOC 2/ISO/GDPR/HIPAA) do not meaningfully apply and are graded false only to reflect 'no public evidence', not an active gap in an otherwise mature vendor.
- Identity/conflation risk: contributors list Xiaohongshu Inc affiliation, but Xiaohongshu Inc's own consumer-app privacy policy (agree.xiaohongshu.com) is UNRELATED to the InstantID project and must not be cited as InstantID's privacy policy.
- Commercial-use nuance: the InstantID code itself is Apache 2.0 (commercial-use OK), but the bundled InsightFace face models and released checkpoints are restricted to non-commercial research use per upstream license - this is a licensing/IP flag, not a security cert, but should be surfaced to users evaluating commercial deployment.
- If AIFOXX's listing for 'instantid' actually refers to a specific third-party hosted wrapper/API (e.g.
// At a glance
Pricing model
Free / open source (no vendor-run paid tiers); costs depend entirely on where a user chooses to run it
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on InstantX Team / Xiaohongshu Inc (research project, not a hosted commercial vendor)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
instantid.github.io