// Trust & Security Report

    InstantX Team / Xiaohongshu Inc (research project, not a hosted commercial vendor) logo

    InstantX Team / Xiaohongshu Inc (research project, not a hosted commercial vendor)

    InstantID is an open-source research code release (zero-shot identity-preserving image generation, arXiv:2401.07519) published by the InstantX research team, with contributors affiliated to Xiaohongshu Inc and Peking University. It is not a hosted SaaS product; it ships as code + model checkpoints on GitHub/Hugging Face that users download and run themselves (locally, on their own infra, or via third-party inference platforms such as Replicate/fal.ai/Hugging Face Spaces that independently host it).

    Certifications held

    0

    Maturity

    Unknown

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    no public evidence - InstantID has no company trust center, security page, or hosted service; project pages (instantid.github.io, github.com/instantX-research/InstantID) contain no compliance claims

    source: instantid.github.io
    ISO 27001
    NOT CONFIRMED

    no public evidence

    source: instantid.github.io
    GDPR
    NOT CONFIRMED

    no public evidence - no privacy policy or data-processing statement is published for the InstantID project itself

    source: instantid.github.io
    HIPAA
    NOT CONFIRMED

    no public evidence

    source: instantid.github.io
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    no public evidence

    source: instantid.github.io
    CSA STAR
    NOT CONFIRMED

    no public evidence

    source: instantid.github.io
    PCI DSS
    NOT CONFIRMED

    not applicable - project has no payment processing or hosted service

    source: instantid.github.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    not applicable - no InstantID-operated hosting; data location depends entirely on where a given user or third-party platform chooses to run the open-source code

    InstantID does not collect or process any customer/user data as a service - there is no InstantID-operated endpoint that ingests user images. The project distributes code (Apache License 2.0) plus pre-trained checkpoints; per the repository README the face-recognition (InsightFace) models and the released checkpoints are restricted to non-commercial research use, which is a licensing constraint, not a data-training-on-your-inputs concern. Anyone using InstantID runs it on their own infrastructure or via a third-party host (e.g. Replicate, Hugging Face Spaces, fal.ai), each of which has its own independent data-handling and training policy that AIFOXX must not attribute to 'InstantID'.

    // Security controls

    Encryption in transit

    not applicable - no InstantID-hosted service exists to encrypt traffic to

    instantid.github.io

    Hosting model

    Self-hosted / bring-your-own-infrastructure. Code and checkpoints are downloaded from GitHub and Hugging Face and executed by the user; no vendor-operated production environment.

    github.com

    Vulnerability disclosure / security.md

    None found in the repository or project site

    github.com

    // Products & data scope

    InstantID (research code + checkpoints)Open-source identity-preserving image generation model

    data: None held by the project itself; any face/image data is processed entirely on the infrastructure the end user or a third-party host chooses

    Code is Apache 2.0 (commercial use of the code permitted); the bundled InsightFace face-recognition models and released checkpoints are restricted to non-commercial research use per their own upstream license - a licensing caveat, not a security/compliance one.

    // What to watch

    • InstantID is a research code/model release, not a company with a hosted product - it has no trust center, privacy policy, or security program of its own. Standard vendor-cert fields (SOC 2/ISO/GDPR/HIPAA) do not meaningfully apply and are graded false only to reflect 'no public evidence', not an active gap in an otherwise mature vendor.
    • Identity/conflation risk: contributors list Xiaohongshu Inc affiliation, but Xiaohongshu Inc's own consumer-app privacy policy (agree.xiaohongshu.com) is UNRELATED to the InstantID project and must not be cited as InstantID's privacy policy.
    • Commercial-use nuance: the InstantID code itself is Apache 2.0 (commercial-use OK), but the bundled InsightFace face models and released checkpoints are restricted to non-commercial research use per upstream license - this is a licensing/IP flag, not a security cert, but should be surfaced to users evaluating commercial deployment.
    • If AIFOXX's listing for 'instantid' actually refers to a specific third-party hosted wrapper/API (e.g.

    // At a glance

    Pricing model

    Free / open source (no vendor-run paid tiers); costs depend entirely on where a user chooses to run it

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on InstantX Team / Xiaohongshu Inc (research project, not a hosted commercial vendor)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    instantid.github.io

    > Browse all vendor trust reports