1. Our Security Approach
Security is built into how we design and operate the Service. We follow the principle of least privilege, keep sensitive operations on the server, and continuously review our practices. While no online service can be guaranteed completely secure, we take reasonable and industry-standard measures to protect your information.
- Security considered throughout the product
- Principle of least privilege applied
- Sensitive operations kept server-side
- Practices reviewed on an ongoing basis
2. Server-Side Sensitive Operations
Model API calls, upload handling, credit checks, and protected account operations run on the server, and model API keys are kept there rather than exposed in browser code. This reduces the attack surface and prevents sensitive credentials or logic from being accessible to end users or third parties.
- Server-side model API calls
- API keys never exposed to the browser
- Authenticated upload handling
- Credit checks before generation begins
3. Encryption and Data Protection
All data in transit is encrypted using HTTPS/TLS. Account passwords are never stored in plain text; they are hashed using bcrypt. Uploaded images are kept in object storage with access restricted to authenticated requests, and session tokens are managed server-side with expiry.
- HTTPS/TLS encryption for data in transit
- Bcrypt-hashed password storage
- Object storage with authenticated access only
- Server-side session tokens with expiry
4. Access Control
Administrative pages require an admin role and are protected with noindex and security headers. User-specific pages and generated assets are kept out of public SEO crawl paths, so private workflows are not exposed to search engines or unauthenticated visitors.
- Role-based access for admin areas
- Security headers on protected routes
- Noindex controls for admin pages
- Private profile and asset routes
5. Account Security
We enforce password complexity rules and time-limited sessions to reduce the risk of unauthorized access. You are responsible for keeping your credentials confidential. We recommend using a strong, unique password and signing out on shared devices.
- Enforced password complexity rules
- Time-limited session windows
- Sign out on shared devices
- Report suspicious activity promptly
6. Third-Party Providers
The Service relies on third-party AI model providers (including OpenAI and Google) and cloud infrastructure. We share only the data needed to deliver the requested generation, and these providers maintain their own security and privacy programs. We are not responsible for the security practices of third parties beyond our integration.
- Minimal data shared with providers
- OpenAI and Google process generation requests
- Cloud infrastructure for storage and compute
- Providers maintain their own security programs
7. Operational Safeguards
We use session expiry, credit accounting, task history, and fallback handling to reduce abuse and improve reliability. Failed tasks are tracked so credits can be reconciled, and operational logs support troubleshooting and abuse detection.
- Session expiry windows
- Credit ledger and reconciliation
- Task history for traceability
- Logging for abuse detection
8. Reporting a Vulnerability
If you discover a potential security issue, we encourage you to report it responsibly through the in-product support and feedback channel. Please avoid publicly disclosing the issue before we have had a reasonable opportunity to investigate and address it.
- Report issues via in-product support
- Provide enough detail to reproduce
- Allow reasonable time to investigate
- Avoid public disclosure before a fix
9. Contact Us
If you have questions about our security practices or how we handle your data, please reach out through the in-product support and feedback channel. We aim to respond to security inquiries promptly.
- Use the in-product support channel
- We respond to security inquiries promptly
- Operated by AISellerKit
- Product: CommercePix AI