Security & Trust
Last updated: 2 April 2026
1. Our Commitment
Fotool.ai is operated by FOTOOL LTD, a company registered in England and Wales. We are committed to:
- Protecting your data with industry-standard security measures
- Being transparent about how we process and store your information
- Complying with UK GDPR, the Data Protection Act 2018, and all applicable data protection laws
- Continuously improving our security posture
Infrastructure Security
Cloud Platform
- Provider: Google Cloud Platform (GCP), SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018 certified
- Region: Primary infrastructure in
us-central1with global CDN distribution - Compute: Serverless Cloud Functions (2nd gen) with automatic scaling and isolation
- Database: Firestore with automatic encryption, multi-region replication, and point-in-time recovery
Content Delivery & Storage
- CDN: Cloudflare enterprise-grade content delivery with DDoS protection
- Object Storage: Cloudflare R2 with server-side encryption (SSE) for all stored media
- Caching: Intelligent edge caching with cache invalidation on content updates
Data Encryption
| Layer | Method | Details |
|---|---|---|
| In Transit | TLS 1.3 | All connections encrypted; HSTS enabled; minimum TLS 1.2 |
| At Rest (Database) | AES-256 | Firestore automatic encryption with Google-managed keys |
| At Rest (Storage) | AES-256 | Cloudflare R2 server-side encryption |
| Passwords | bcrypt | Firebase Authentication with adaptive hashing |
| API Keys | Environment variables | Stored in Cloud Functions environment; never exposed to clients |
Authentication & Access Control
- Authentication: Firebase Authentication with email/password and email verification flow
- Password Security: Minimum length requirements, bcrypt hashing, rate-limited login attempts
- Session Management: Secure, HTTP-only session cookies with automatic expiration
- Access Control: Role-based access control (RBAC) with distinct roles: User, Company Admin, Company Member, Platform Admin
- Firestore Security Rules: Fine-grained document-level access control enforced server-side
- API Security: Cloud Functions validate authentication tokens and authorise requests
Application Security
Secure Development Practices
- Input validation and sanitisation on all user inputs
- Content Security Policy (CSP) headers
- XSS prevention through Angular's built-in template sanitisation
- CSRF protection via SameSite cookie attributes
- Dependency vulnerability scanning
- Regular code reviews with security-focused checklists
AI Safety
- Content safety filters on all AI-generated outputs
- Input validation to prevent prompt injection attacks
- Rate limiting on generation endpoints
- Automated detection and blocking of prohibited content types
Data Protection
- Data Isolation: Customer data is logically isolated within shared infrastructure using unique user and company identifiers
- Data Minimisation: We collect only the data necessary to provide the Service
- Data Retention: Clear retention policies with automatic deletion schedules (see Privacy Policy)
- Data Portability: Users can export their data through account settings
- Right to Erasure: Full account and data deletion available through account settings or by contacting support
Monitoring & Incident Response
- Logging: Comprehensive audit logs for all administrative actions and data access
- Monitoring: Real-time monitoring of infrastructure health, performance, and security events
- Alerting: Automated alerts for anomalous activity, failed authentication attempts, and system errors
- Incident Response: Documented incident response plan with defined severity levels and escalation procedures
- Breach Notification: Commitment to notify affected customers within 72 hours of confirmed data breaches, in compliance with GDPR requirements
Business Continuity
- Automated Backups: Firestore continuous backups with point-in-time recovery
- Multi-Region: Data replicated across multiple availability zones
- Disaster Recovery: Documented DR procedures with defined RPO and RTO targets
- Uptime Target: 99.9% availability SLA for paid plans
Compliance
| Framework | Status |
|---|---|
| UK GDPR | Compliant |
| EU GDPR | Compliant |
| UK Data Protection Act 2018 | Compliant |
| ePrivacy Directive (Cookie Law) | Compliant |
| PCI DSS (via Stripe) | Compliant (no card data stored) |
| ICO Registration (UK) | Registered — ZC121613 |
Responsible Disclosure
We value the security research community. If you discover a security vulnerability in our Service, please report it responsibly:
- Email: support@fotool.ai with subject line "Security Vulnerability Report"
- Provide a clear description of the vulnerability and steps to reproduce it
- Allow us reasonable time to investigate and remediate before public disclosure
- Do not access or modify other users' data during testing
We are committed to acknowledging receipt of vulnerability reports within 48 hours and providing regular updates on our investigation.
Contact
For security-related inquiries:
- Email: support@fotool.ai
- Address: FOTOOL LTD, 1053 London Road, Leigh-On-Sea, Essex, SS9 3JP, United Kingdom
Last updated: 2 April 2026
If you have questions, contact us at support@fotool.ai