Security

How we protect your data

Security is foundational to ImageLayer. Your brand assets, prompts, and generated media are protected by a combination of product controls, infrastructure safeguards, and operational processes.

Encryption

ImageLayer is served over HTTPS/TLS. Passwords are stored as bcrypt hashes. API keys are stored only as SHA-256 hashes: the plaintext key is shown once at creation and is never kept on our servers. A fast hash is appropriate for API keys because they are long random strings rather than user-chosen secrets, which is why passwords get bcrypt instead. Our database and object storage providers also encrypt data at rest as part of their managed infrastructure.

Authentication & Access Control

API access is secured with scoped API keys that carry only the permissions they were issued with. End-user authentication uses short-lived JWT session tokens generated server-side. Every API and dashboard request is checked against the caller's organization, so a valid credential for one organization cannot read or modify another organization's records, and asset downloads are served through signed URLs or authenticated endpoints where applicable rather than through public paths. Email verification is required before creating API keys or using live API flows.
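The key handling described in the Encryption and Authentication sections, as an added example. This is illustrative code, not ImageLayer's implementation: the `il_` prefix, the `ApiKeyStore` class, the scope names and the in-memory table are all assumptions. It shows the parts that matter: the plaintext is returned once, only a SHA-256 digest is persisted, lookup is by a public key id, the digest check is constant-time, rotation issues a replacement before revoking the old key, and authorization is scoped to both organization and permission.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiKeyRecord:
    """What the database keeps: never the secret, only its SHA-256 digest."""
    key_id: str          # public identifier, safe to log
    org_id: str          # owning organization
    scopes: frozenset    # permissions granted to this key
    digest: bytes        # sha256(secret)
    revoked: bool = False


class ApiKeyStore:
    """Constructed in-memory stand-in for an API key table (assumption)."""

    KEY_PREFIX = "il"    # hypothetical prefix, not ImageLayer's real key format

    def __init__(self):
        self._by_id: dict = {}

    def issue(self, org_id: str, scopes) -> str:
        """Create a key and return its plaintext exactly once."""
        key_id = secrets.token_hex(8)      # 64-bit lookup id
        secret = secrets.token_hex(32)     # 256 bits of entropy from the OS CSPRNG
        digest = hashlib.sha256(secret.encode()).digest()
        self._by_id[key_id] = ApiKeyRecord(key_id, org_id, frozenset(scopes), digest)
        return f"{self.KEY_PREFIX}_{key_id}_{secret}"

    def revoke(self, key_id: str) -> None:
        rec = self._by_id.get(key_id)
        if rec is not None:
            rec.revoked = True

    def rotate(self, key_id: str) -> Optional[str]:
        """Issue a replacement with the same org and scopes, then revoke the old key."""
        old = self._by_id.get(key_id)
        if old is None or old.revoked:
            return None
        new_key = self.issue(old.org_id, old.scopes)
        self.revoke(key_id)
        return new_key

    def authenticate(self, presented: str) -> Optional[ApiKeyRecord]:
        """Return the matching record for a valid key, otherwise None."""
        try:
            prefix, key_id, secret = presented.split("_", 2)
        except ValueError:
            return None
        if prefix != self.KEY_PREFIX:
            return None
        rec = self._by_id.get(key_id)
        if rec is None or rec.revoked:
            return None
        digest = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison so response timing does not leak digest bytes.
        if not hmac.compare_digest(digest, rec.digest):
            return None
        return rec


def authorize(rec: Optional[ApiKeyRecord], org_id: str, scope: str) -> bool:
    """Organization-scoped authorization: the key must belong to the target
    organization and carry the requested scope."""
    return rec is not None and rec.org_id == org_id and scope in rec.scopes
```

Because the digest is a plain SHA-256 of a 256-bit random secret, a leaked table of digests is useless to an attacker without brute-forcing the full key space; that is what makes the fast hash acceptable here and not for passwords.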

Abuse Prevention

Registration is protected by Cloudflare Turnstile (invisible CAPTCHA). Disposable email addresses are blocked. Daily IP-based registration limits prevent mass account creation. A unique database constraint on email prevents duplicate registrations. All authentication events are logged for security monitoring.

Infrastructure

Our platform runs on managed cloud infrastructure. File storage uses access-controlled object storage with signed URLs for generated media delivery. Database connections use encrypted channels and limited-privilege credentials.
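How a signed URL limits access to one object for a bounded time, as an added example. This is a generic HMAC scheme written for illustration, not ImageLayer's code and not the presigned-URL format of any particular object storage provider; the signing key, the `media.example.invalid` host, the query parameter names and the object path are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret used only for URL signing. Constructed
# value for the example; a real deployment would load it from a secret store.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"


def _message(path: str, expires_at: int) -> bytes:
    # Bind the signature to the exact object path and the expiry time.
    return f"{path}\n{expires_at}".encode()


def sign_url(base: str, path: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    """Return a time-limited URL for one object: whoever holds it can fetch
    that object, and only that object, until expires_at (Unix seconds)."""
    sig = hmac.new(key, _message(path, expires_at), hashlib.sha256).hexdigest()
    return f"{base}{path}?{urlencode({'expires': expires_at, 'sig': sig})}"


def verify_url(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Accept only unexpired URLs whose signature matches both path and expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires_at:
        return False
    expected = hmac.new(key, _message(parts.path, expires_at), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak how many bytes matched.
    return hmac.compare_digest(sig, expected)
```

The expiry is part of the signed message, so a client cannot extend a link by editing the `expires` parameter, and the path is part of it too, so a link for one organization's asset cannot be rewritten to point at another's.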

Data Handling

  • We do not use your prompts or generated assets to train our own models
  • Brand assets are stored in organization-scoped records with access controls
  • Temporary generated media is cleaned up on a rolling TTL, currently targeted at roughly 72 hours
  • Deletion requests are handled through our support process and operational runbooks

API Security

API endpoints are protected by per-endpoint rate limiting with fail-closed behavior: if the rate limiter is unavailable, authentication endpoints deny requests rather than letting them through. Quota enforcement tracks usage at the organization level. All authentication events and security-relevant actions are logged in structured format. API keys can be rotated at any time from the Dashboard. Request body size limits reject oversized payloads, and error messages are sanitized so that responses do not leak stack traces or other internal details.
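The fail-closed limiter described here, together with the daily per-IP registration cap from the Abuse Prevention section, as an added example. This is illustrative code, not ImageLayer's implementation: the endpoint names, the limits, the fixed-window algorithm and the in-memory counter store standing in for a shared store such as Redis are assumptions. The point it shows is the outage path: when the counter backend is unreachable, authentication endpoints return a denial instead of skipping the check.

```python
import time
from collections import defaultdict


class LimiterUnavailable(Exception):
    """Raised when the shared counter store cannot be reached."""


class CounterStore:
    """Constructed stand-in for an INCR-with-TTL store. Flip `available`
    to simulate an outage of the limiter backend."""

    def __init__(self):
        self.available = True
        self._counts = defaultdict(int)

    def incr(self, key: str, ttl_seconds: int) -> int:
        if not self.available:
            raise LimiterUnavailable("counter store unreachable")
        self._counts[key] += 1   # a real store would also set key expiry to ttl_seconds
        return self._counts[key]


# Assumed per-endpoint policy: (max requests, window in seconds, fail_closed).
# Authentication endpoints fail closed, as the page states; treating the
# generation endpoint as fail-open is an assumption made here for contrast.
LIMITS = {
    "POST /auth/login":    (10, 60, True),
    "POST /auth/register": (5, 86400, True),     # daily per-IP registration cap
    "POST /v1/generate":   (60, 60, False),
}


class RateLimiter:
    def __init__(self, store: CounterStore, clock=time.time):
        self.store = store
        self.clock = clock   # injectable so the window is deterministic in tests

    def check(self, endpoint: str, client: str):
        """Return (allowed, reason) for one request from `client` (an IP or org id)."""
        max_requests, window, fail_closed = LIMITS[endpoint]
        bucket = int(self.clock() // window)              # fixed-window id
        key = f"rl:{endpoint}:{client}:{bucket}"
        try:
            count = self.store.incr(key, ttl_seconds=window)
        except LimiterUnavailable:
            if fail_closed:
                return False, "limiter unavailable, denied (fail closed)"
            return True, "limiter unavailable, allowed (fail open)"
        if count > max_requests:
            return False, "rate limit exceeded"
        return True, "ok"
```

The trade-off is explicit in the policy table: failing closed on login and registration means a limiter outage degrades availability of those endpoints, but it never turns an outage into an unthrottled credential-stuffing or mass-registration window.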

Independent Verification

You can inspect our public-facing configuration with the same third-party tools we use for spot checks. These results change over time, so we link directly to the live reports instead of publishing fixed grades here:

  • TLS: SSL Labs — TLS configuration and certificate chain analysis
  • Headers: Mozilla Observatory — HTTP security headers and best practices
  • Headers: SecurityHeaders.com — security headers grading
  • Infra: Hardenize — DNS, email, and TLS comprehensive analysis

External scanners are helpful for transport and header checks, but they are not a substitute for a formal compliance program or independent penetration test.

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly by emailing security@imagelayer.app. We appreciate your help keeping ImageLayer and our users safe.