Security

How we protect your data

Security is foundational to ImageLayer. Your brand assets, prompts, and generated images are protected by industry-standard practices at every layer.

Encryption

All data in transit is encrypted with TLS 1.3. Data at rest — including brand assets, generated images, and database records — is encrypted using AES-256. Passwords are hashed with bcrypt using per-user salts. API keys are SHA-256 hashed — plaintext keys are never stored on our servers.

Authentication & Access Control

API access is secured with scoped API keys. End-user authentication uses short-lived JWT session tokens generated server-side. The dashboard enforces role-based access with organization-level isolation — every API request is scoped to the authenticated organization, preventing cross-tenant data access (IDOR protection). Email verification is required before API key creation.

Abuse Prevention

Registration is protected by Cloudflare Turnstile (invisible CAPTCHA). Disposable email addresses are blocked. Daily IP-based registration limits prevent mass account creation. A unique database constraint on email prevents duplicate registrations. All authentication events are logged for security monitoring.

Infrastructure

Our platform runs on isolated infrastructure with network-level segmentation. File storage uses Cloudflare R2 with signed URLs — assets are never publicly accessible. Database connections use encrypted channels with limited-privilege credentials.

Data Handling

  • We do not use your prompts or generated images to train AI models
  • Brand assets are stored in isolated, per-organization storage buckets
  • Generated images expire automatically after 72 hours
  • Account deletion removes all associated data within 30 days

API Security

API endpoints are protected by per-endpoint rate limiting with fail-closed behavior — if the rate limiter is unavailable, authentication endpoints deny requests rather than letting them through. Quota enforcement tracks usage at the organization level. All auth events and security-relevant actions are logged in structured format. API keys can be rotated at any time from the Dashboard. Request body size limits and error message sanitization prevent information leakage.
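As an added illustration (not ImageLayer's own code), a minimal per-endpoint rate-limit check in Python that models the fail-closed behaviour described above: when the shared counter store is unreachable, authentication endpoints are denied while other endpoints keep serving. The endpoint paths, limits, in-memory store and decision record are constructed for the example.

```python
import time


class LimiterUnavailable(Exception):
    """Raised when the shared rate-limit store (e.g. a cache cluster) cannot be reached."""


# Constructed per-endpoint limits: path -> (max requests, window in seconds).
LIMITS = {"/v1/auth/login": (5, 60), "/v1/images": (100, 60)}

# Endpoints that must deny when the limiter is down (page: authentication endpoints).
# Treating other endpoints as fail-open is an assumption for this example.
FAIL_CLOSED = {"/v1/auth/login"}


class MemoryStore:
    """Stand-in for a shared counter store; available=False simulates an outage."""

    def __init__(self, available=True):
        self.available = available
        self.counts = {}

    def incr(self, key, window, now):
        if not self.available:
            raise LimiterUnavailable("rate-limit store unreachable")
        bucket = (key, int(now // window))  # fixed window keyed by path, client and time slot
        self.counts[bucket] = self.counts.get(bucket, 0) + 1
        return self.counts[bucket]


def check_request(store, path, client_id, now=None):
    """Return a structured decision record suitable for logging."""
    now = time.time() if now is None else now
    event = {"path": path, "client": client_id, "allowed": True, "reason": "no limit configured"}
    if path not in LIMITS:
        return event
    limit, window = LIMITS[path]
    try:
        count = store.incr(f"{path}:{client_id}", window, now)
    except LimiterUnavailable:
        # Fail closed on auth endpoints: an outage must not become a bypass of brute-force protection.
        event["allowed"] = path not in FAIL_CLOSED
        event["reason"] = "limiter unavailable; " + ("fail closed" if path in FAIL_CLOSED else "fail open")
        return event
    if count > limit:
        event["allowed"] = False
        event["reason"] = f"rate limit exceeded ({count}/{limit} per {window}s)"
    else:
        event["reason"] = f"ok ({count}/{limit} per {window}s)"
    return event
```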

Independent Verification

We regularly verify our security posture using industry-standard tools. You can run these same checks yourself to validate our claims:

  • TLS: SSL Labs A+ — TLS configuration and certificate chain analysis
  • Headers: Mozilla Observatory A+ — HTTP security headers and best practices
  • Headers: SecurityHeaders.com A+ — Security headers grading
  • Infra: Hardenize — DNS, email, and TLS comprehensive analysis
  • Compliance: ImmuniWeb — GDPR and PCI DSS compliance assessment

Last audit: March 2026 · All dependency scans are automated on every deployment.

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly by emailing security@imagelayer.app. We appreciate your help keeping ImageLayer and our users safe.