Security at imgfast

How we protect your data and what we expect from you

The short version

All connections to imgfast are encrypted (TLS 1.3). Your files are automatically deleted after 24 hours — no exceptions. We don't analyze your images or track your browsing. Payments go through Stripe; we never see your card details. You can delete your data anytime from your dashboard, no email required.

Data protection

Encryption in transit

All data between your browser and our servers is encrypted using TLS 1.3 (HTTPS). No exceptions.

24-hour auto-deletion

All uploaded files are permanently deleted after 24 hours. This is automatic and cannot be disabled.

Password security

Passwords are hashed using bcrypt with salt. We never store passwords in plain text and cannot retrieve them.

Isolated storage

Each job's files are stored in isolated directories with restricted access permissions. Users cannot access other users' files.

Secure sessions

Session tokens are cryptographically secure and expire after inactivity. Sessions are invalidated on logout.

No tracking

We don't use Google Analytics, Meta Pixel, or any third-party tracking. We built our own privacy-respecting analytics.

Platform security

Application security

We protect against common web vulnerabilities:

  • SQL Injection: All database queries use parameterized statements
  • XSS: User input is sanitized and escaped before rendering
  • CSRF: State-changing operations require valid CSRF tokens
  • Rate Limiting: API and upload endpoints are rate-limited per user, IP, and API key
  • File Validation: Uploads are validated for type, size, and format before processing
  • Security Headers: CSP, HSTS, X-Frame-Options, and other headers are enforced

Infrastructure

  • Hosting: Dedicated server in a European datacenter with physical security
  • Firewall: Network access restricted to essential services only
  • Database: PostgreSQL with SSL connections and network isolation
  • Backups: Automated daily backups with secure off-site storage
  • Monitoring: 24/7 monitoring for suspicious activity and performance issues
  • Dependencies: Regularly updated and scanned for known vulnerabilities

Payment security

All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. We never see, store, or have access to your credit card details. Payment information goes directly to Stripe's servers. We only store your Stripe customer ID and subscription status.

API security

For Pro users with API access:

Authentication

  • API keys are 256-bit cryptographically secure random tokens
  • Keys are hashed before storage (we can't retrieve your key)
  • Keys can be revoked instantly from your dashboard
  • Each key has independent rate limits and usage tracking
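An added illustration of the key-handling scheme this list describes, written here as example code rather than imgfast's own: a 256-bit random secret is issued once, only its SHA-256 hash is stored, lookup uses a short public key id, and revocation takes effect immediately. Class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example of a server-side API key store; not imgfast's code.


@dataclass
class KeyRecord:
    key_id: str        # short public prefix, safe to show in a dashboard
    key_hash: bytes    # SHA-256 of the secret; the secret itself is never stored
    revoked: bool = False


class ApiKeyStore:
    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}

    @staticmethod
    def _hash(secret: str) -> bytes:
        # A 256-bit random secret already has full entropy, so a fast hash is
        # appropriate; slow hashes like bcrypt are for low-entropy passwords.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self) -> str:
        """Create a key. The plaintext is returned exactly once and never stored."""
        key_id = secrets.token_hex(4)         # 8 hex chars used as a lookup handle
        secret = secrets.token_urlsafe(32)    # 32 bytes = 256 bits of randomness
        self._records[key_id] = KeyRecord(key_id, self._hash(secret))
        return f"{key_id}.{secret}"

    def verify(self, presented: str) -> bool:
        """Return True only for a well-formed, known, unrevoked key."""
        key_id, sep, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if not sep or rec is None or rec.revoked:
            return False
        # Constant-time comparison so response timing does not leak hash bytes.
        return hmac.compare_digest(rec.key_hash, self._hash(secret))

    def revoke(self, presented_or_id: str) -> None:
        """Revoke by full key or by key id; subsequent verify() calls fail."""
        key_id = presented_or_id.partition(".")[0]
        if key_id in self._records:
            self._records[key_id].revoked = True
```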

Best practices

  • Store API keys in environment variables, never in code
  • Never commit API keys to version control
  • Use separate keys for development and production
  • Rotate keys periodically and revoke compromised keys immediately

Compliance & data rights

We're a Canadian company and comply with PIPEDA (Personal Information Protection and Electronic Documents Act). We also respect the principles of GDPR for EU users.

Delete your data

Delete your conversion history anytime from your dashboard. No email or support ticket required.

Delete your account

Close your account entirely from your dashboard. All your data is permanently removed.

Export your data

Download your account data and conversion history at any time.

Minimal collection

We only collect what's necessary: email, hashed password, and conversion metadata (not your files).

Your responsibilities

Security is a shared responsibility. By using imgfast, you agree to follow these practices:

Account security

  • Use a strong, unique password for your imgfast account
  • Do not share your account credentials with others
  • Log out when using shared or public computers
  • Report suspicious account activity to us immediately

File security

  • Do not upload files containing sensitive personal information (IDs, medical records, etc.)
  • Remember that files are automatically deleted after 24 hours
  • Download your converted files promptly after processing
  • Do not share download links with untrusted parties

API security (Pro users)

  • Keep your API keys confidential and secure
  • Do not expose API keys in client-side code or public repositories
  • Revoke and regenerate keys if you suspect they've been compromised
  • Monitor your API usage for unexpected activity

Incident response

In the unlikely event of a security incident affecting your data:

  • We will investigate and contain the incident immediately
  • Affected users will be notified within 72 hours via email
  • We will implement fixes and preventive measures
  • A post-incident summary will be shared when appropriate

Responsible disclosure

Found a security vulnerability? We appreciate researchers who help keep imgfast secure.

Report a vulnerability: security@imgfast.com

What to include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Your contact information

Our commitment:

  • Acknowledge your report within 48 hours
  • Keep you informed of our progress
  • Credit you for the discovery (if desired)
  • No legal action for good-faith research