PhotoRobot Information Security Policy

This Information Security Policy defines the principles, responsibilities, and controls implemented by PhotoRobot to protect systems, data, and customer information.

‍

‍

Objectives

• Ensure confidentiality, integrity, and availability of all systems and data
• Define clear roles and responsibilities for information security
• Maintain compliance with GDPR and industry best practices
• Provide governance for risk management and continuous improvement

‍

‍

Scope

Covers:

• PhotoRobot Cloud platform
• Infrastructure hosted on Google Cloud Platform
• Supporting systems and internal processes
• Employees, contractors, and third parties

‍

‍

Roles & Responsibilities

• CTO / Engineering Lead: Overall accountability for platform security
• DevOps: Implements and maintains cloud security controls
• Developers: Follow secure coding and SDLC standards
• Support team: Handles incidents and customer notifications

‍

‍

Security Principles

• Least privilege 
• Need-to-know access 
• Segregation of duties 
• Zero-trust approach 
• Security-by-design

‍

‍

Technical Safeguards

• Encryption (TLS, AES-256)
• SSO authentication via Google Identity
• Fine-grained RBAC roles
• GCP Cloud Logging & Monitoring
• Automated infrastructure patching
• Daily backups with restore capability

‍

‍

Organizational Safeguards

• onboarding & offboarding procedures 
• device security expectations 
• confidentiality obligations
• mandatory security awareness

‍

‍

Risk Management

• Risks assessed periodically
• Controls updated based on findings
• Security events documented and reviewed

‍

‍

Compliance

• GDPR compliant processing
• DPA available for customers
• Subprocessors listed publicly

‍

‍

Continuous Improvement

• Regular reviews of controls
• Upgrades to cloud security configurations
• Monitoring emerging threats