Security and Privacy at FaceSentry

The data you entrust to us — your face — is the most sensitive information you have. Here is exactly how we protect it.

On-premise AI, zero third-party exfiltration

Every AI model that touches your photos runs on infrastructure we control. Your images and biometric embeddings never leave our servers. We do not send your data to OpenAI, Google Vision, Anthropic, Clearview, PimEyes, or any hosted inference API. If a model cannot run on our hardware, we do not use it.

Biometrics stored as vectors, not photos

The face data we use for matching is a 512-dimensional embedding — a list of numbers derived from your reference photo by a one-way neural network. It cannot be reverse-engineered into an image of your face. Reference photos and embeddings live in separate storage, and both are deleted the moment you delete a protected person or your account.

Encryption at rest and in transit

All traffic is served over TLS 1.3 with modern cipher suites. Data at rest is encrypted by our cloud providers. Database rows are additionally protected by row-level security policies scoped to the owning user — the query planner itself enforces that one user can never read another user's data.

Isolated, SOC 2 infrastructure

FaceSentry runs on Supabase (SOC 2 Type II via its underlying provider) and Hetzner Cloud. Production secrets are never committed to source control. Deployments use signed commits, key-based SSH, and service accounts with least-privilege credentials.

Defense in depth

Rate limiting fails closed if our cache is unreachable. CSRF tokens are required on every state-changing request. SSRF protection resolves outbound URLs to an IP, validates it against private-range blocklists, and pins the fetch to that resolved IP to prevent DNS rebinding. Stripe webhooks are idempotent at the database level. Content Security Policy blocks inline scripts and untrusted third-party origins.
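The resolve, validate and pin sequence described above, written out as an added example in Python (illustrative code, not FaceSentry's own; the injectable resolver parameter is an assumption so the policy can be exercised without live DNS):

```python
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

class UnsafeURL(ValueError):
    """Raised when an outbound URL must not be fetched."""

def is_public_address(ip):
    """False for loopback, RFC 1918/ULA, link-local (cloud metadata lives at
    169.254.169.254), multicast, reserved and unspecified addresses."""
    inner = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:10.0.0.1 -> 10.0.0.1
    if inner is not None:
        ip = inner
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_and_validate(host, resolver=socket.getaddrinfo):
    """Resolve `host` once; allow it only if every returned address is public.
    `resolver` is a hypothetical injection point so tests can run without DNS."""
    try:
        infos = resolver(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from None
    addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not addrs:
        raise UnsafeURL(f"{host!r} resolved to nothing")
    for addr in addrs:  # one private answer in a round-robin set rejects the whole host
        if not is_public_address(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public {addr}")
    return addrs[0]

def pinned_fetch(url, resolver=socket.getaddrinfo, timeout=5.0):
    """GET `url` over a socket opened to the validated IP literal, never to the
    hostname, so no second lookup can be rebound to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeURL(f"unsupported URL {url!r}")
    host, port = parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    ip = resolve_and_validate(host, resolver)
    sock = socket.create_connection((str(ip), port), timeout=timeout)
    if parts.scheme == "https":  # certificate is still checked against the real hostname (SNI)
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock  # reuse the pinned socket; the Host header keeps the real hostname
    conn.request("GET", parts.path or "/", headers={"Connection": "close"})
    resp = conn.getresponse()  # redirects are not followed: re-run pinned_fetch on Location
    return resp.status, resp.read()
```

Because http.client never follows redirects, a 3xx Location header must be passed back through pinned_fetch so the target is validated again rather than fetched blindly.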

Biometric privacy by design

We comply with Illinois BIPA, Texas CUBI, and Washington My Health My Data Act. You consent to biometric processing at registration and again for every non-self person you add. Consent is recorded with a timestamp and IP. You can withdraw consent any time by deleting the person or the account; the underlying embeddings are permanently destroyed.

Responsible disclosure

If you believe you have found a security vulnerability, email security@facesentry.com. We investigate every report and will acknowledge receipt within two business days. We do not pursue legal action against researchers who act in good faith, stay within the scope of public-facing endpoints, avoid accessing other users' data, and give us a reasonable window to remediate before disclosing publicly.

Last updated April 14, 2026 · Contact security@facesentry.com