Built on trust, secured by design
COPPA-compliant by design. Stripe-secured payments. Encrypted in transit and at rest.
Infrastructure built for security
Every layer of PPS is built on managed, encrypted, compliance-aligned services
Edge-hosted web compute
The PPS web app runs on a global Tier-1 edge network with built-in DDoS protection and a managed Web Application Firewall.
Encrypted object storage
Photos and assets are stored with AES-256 encryption at rest and served only via signed, expiring URLs scoped to authenticated users.
Managed Postgres database
All application data lives in a managed Postgres database, encrypted at rest, with automatic backups and point-in-time recovery.
Global content delivery
Static assets and gallery images are served from a 300+ POP global CDN — fast delivery for parents on mobile networks.
Stripe Payments
Stripe handles all checkout and card processing as a PCI-DSS Level 1 service provider. No card data ever touches PPS servers.
Server-side face matching
Face matching runs server-side via a dedicated AI matching API. Embeddings are computed for matching only — no long-term biometric storage.
Data encryption, top to bottom
Photos and personal data are encrypted at rest and in transit. We use the same primitives the rest of the modern web relies on.
- TLS 1.3 in transit: Every request between browser, edge, database, and storage is encrypted.
- AES-256 at rest: Photos in object storage and database rows are encrypted on disk.
- Managed, point-in-time-recoverable backups: Database backups run automatically with point-in-time recovery, so we can restore to any moment in the retention window.
Access control you can audit
Every photo company sees only its own data. Every parent sees only their own child. Enforced at the database layer, not just the app.
- Industry-standard authentication: Magic-link sign-in, session management, and identity are all handled by a managed auth service.
- RLS-enforced isolation: Postgres Row-Level Security policies ensure photo companies can't see each other's data, even through the API.
- Audit logs: Sensitive admin actions (gallery publishes, refunds, data exports) are logged with timestamp and actor.
Payments, handled by Stripe
Card data never touches our servers
PCI-DSS Level 1 via Stripe
Stripe is certified as a PCI-DSS Level 1 service provider — the highest level. We rely on their certification rather than handling cards ourselves.
No card data on PPS servers
Card numbers, CVVs, and expiration dates go directly to Stripe. We only ever store the Stripe customer and payment-method tokens.
Tokenization by Stripe
Saved payment methods are tokenized by Stripe. Even photo companies and PPS staff cannot see customer card numbers.
Privacy by default
We don’t track parents. We don’t sell data. We don’t run ads.
Magic-link sign-in
Account-based galleries with passwordless magic-link sign-in. Every parent has a real account so they can manage favorites, orders, and access.
COPPA-compliant by design
Children’s photos are never publicly accessible. Parents own their account and control their child’s data.
No tracking pixels, no ads
No Facebook pixel, no third-party ad networks, no behavioral targeting. We don’t monetize parents — photo companies are our customers.
Compliance & standards
Where we stand today, plus what’s next
COPPA
Children’s photos are never publicly accessible; parents control their child’s data.
PCI-DSS
Card processing is fully delegated to Stripe’s PCI-DSS Level 1 certified infrastructure.
SOC 2
We’re working toward a SOC 2 Type II audit. Not yet audited.
WCAG 2.1 AA
WCAG 2.1 AA accessibility is the target for the parent gallery and storefront.
Your photos are not browseable by strangers
Photos live in encrypted storage and are only ever served to the right parent through signed, expiring URLs. Direct hot-linking does not work.
- AES-256 encrypted at rest: Every photo is encrypted on disk in our object storage automatically; an unencrypted copy is never written to storage.
- Signed URLs only: Photo URLs carry a short-lived signature bound to the requesting account. A URL that has expired, or that is presented by a different account, no longer resolves to the photo.
- RLS + parent_subjects link: Database policies and the parent_subjects mapping table together enforce that each parent sees only their child's photos.
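The signed, expiring URL mechanism described above, shown as an added example that is not PPS code: an HMAC-SHA256 signature binds the object key, the authenticated account and an expiry time together, so an expired, tampered or re-shared URL fails verification. The query parameter names (u, e, s), the signing key, the object key and the account id are assumptions made for illustration; a production deployment would normally use the storage or CDN provider's own signed-URL feature with keys held in a secret store.

```python
"""Signed, expiring, account-scoped photo URLs.

Added illustration only, not PPS code. The query parameter names (u, e, s),
the signing key and the sample object key are constructed for this example.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for the example; a real deployment loads this from a secret store.
SIGNING_KEY = b"example-signing-key-do-not-use"


def _payload(object_key: str, user_id: str, expires: int) -> bytes:
    # Bind object key, account and expiry together: changing any one of them
    # (pointing the URL at another photo, another account, or a later expiry)
    # invalidates the signature.
    return f"{object_key}\n{user_id}\n{expires}".encode()


def sign_photo_url(base: str, object_key: str, user_id: str,
                   ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Return base/object_key?u=<user>&e=<expiry>&s=<hmac>, valid for ttl_seconds."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _payload(object_key, user_id, expires),
                   hashlib.sha256).hexdigest()
    return f"{base}/{object_key}?" + urlencode({"u": user_id, "e": expires, "s": sig})


def verify_photo_url(url: str, requesting_user_id: str,
                     now: Optional[float] = None) -> bool:
    """True only if the URL is unexpired, untampered and was issued to this account."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        user_id = params["u"][0]
        expires = int(params["e"][0])
        presented = params["s"][0]
    except (KeyError, ValueError):
        return False          # missing or malformed parameters
    if user_id != requesting_user_id:
        return False          # URL was issued to a different account
    if now >= expires:
        return False          # expired: sharing after expiry returns nothing
    object_key = parsed.path.lstrip("/")   # assumes base is scheme://host only
    expected = hmac.new(SIGNING_KEY, _payload(object_key, user_id, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    issued_at = 1_700_000_000
    url = sign_photo_url("https://cdn.example", "galleries/123/photo.jpg",
                         "parent-42", ttl_seconds=300, now=issued_at)
    print(url)
    print("owner, in window :", verify_photo_url(url, "parent-42", now=issued_at + 100))
    print("owner, expired   :", verify_photo_url(url, "parent-42", now=issued_at + 300))
    print("other account    :", verify_photo_url(url, "parent-7", now=issued_at + 100))
    print("expiry edited    :", verify_photo_url(
        url.replace("e=1700000300", "e=1800000000"), "parent-42", now=issued_at + 100))
```

The account binding only works if the component that verifies the URL also knows who is asking, which is why the check belongs at an edge or API layer that holds the parent's session rather than on a public CDN that serves any bearer of the link.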
AI & face matching, transparently
Here’s exactly how face matching works at PPS — and what we don’t do with biometric data.
How matching works
- Reference photos are captured by photo company staff on a dedicated Android app.
- A server-side AI matching API compares gallery photos against those references using face embeddings computed for matching only; no long-term biometric store is kept.
- Parents see only matched photos in their child’s gallery, automatically.
- Parents can also opt to upload a supplemental reference photo as a fallback.
What we don’t do
- We don’t sell biometric data — ever, to anyone.
- We don’t train AI models on your photos.
- We don’t share face embeddings with third parties.
- We don’t use face matching for advertising or surveillance.
Data retention you control
Photo companies set retention policy for their galleries. Parents can request deletion at any time.
- Photo company controls retention: Typically 90 days after a gallery closes, but each photo company sets the policy that fits its workflow.
- Parent deletion requests: Parents can email support@prophotosystems.com to request deletion of their account and their child's photos.
- Backups expire too: Existing backups are not rewritten after a deletion, so deleted data survives only in backups already taken, and those age out at the end of the retention window. Data does not live on indefinitely.
Frequently asked questions
Is my payment information stored on PPS servers?
No. All card data goes directly to Stripe, a PCI-DSS Level 1 certified payment processor. PPS only stores Stripe customer and payment-method tokens — never card numbers, CVVs, or expiration dates.
Can photographers see my credit card?
No. Card numbers are tokenized by Stripe before they ever reach our system. Photo companies see order amounts and payment status, but never the underlying card information.
How long are photos stored?
Photo retention is controlled by each photo company, typically 90 days after a gallery closes. Each photo company sets the policy that fits their workflow and storage budget.
How does facial recognition work, and what do you do with my child’s face?
Reference photos are captured by photo company staff on a dedicated Android app. A server-side AI matching API compares gallery photos to those references using face embeddings computed for matching only, with no long-term biometric store, so parents see only their child. We don't sell biometric data, train models on your photos, or share embeddings with third parties.
What happens if there’s a data breach?
We follow standard incident response practice: investigate, contain, notify affected users, and disclose as required by applicable law. Photo companies and parents are notified directly if their data is involved.
How do I delete my data?
Email support@prophotosystems.com from the email on your account and we'll process the deletion. Photos, account information, and associated records are removed from the live system; copies in backups already taken age out at the end of the backup retention window.
Found a vulnerability?
Responsible disclosure is welcome. Email our security team and we’ll get back to you.
security@prophotosystems.com