Platform Security Summary

TriPrism, Inc. / PhotoTouch, Inc.

Document Date: April 28, 2026

This document summarizes the security controls and compliance posture of the PhotoTouch platform. It is intended for use by photographers and their enterprise clients (schools, venues, retailers, event organizers) who require vendor security documentation.

For the full security overview, visit admin.findyourpictures.com/legal/security. For detailed documentation, contact security@triprism.com.

1. Service Overview

2. Data Protection & Access Control

Encryption

• Data in transit: TLS 1.2+ enforced across all domains (HTTPS only, no fallback)
• Data at rest: AES-256 encryption on stored photographs and media assets
• Credentials at rest: Application-level encryption for all API keys, tokens, and sensitive configuration
• Email authentication: SPF, DKIM, and DMARC configured on all outbound email domains

Authentication

• Passwords stored using one-way cryptographic hashing (never plaintext)
• Two-factor authentication (2FA) available via authenticator app, email, or SMS
• MFA is mandatory for TriPrism administrative access
• Photographer account owners can enforce MFA for users in their own account from the account dashboard, based on their policy requirements
• Configurable password expiry policies (30–365 days)
• Rate limiting and automatic lockout on repeated failed login attempts
• Sessions expire after a defined inactivity period

Authorization

• Role-based access control (RBAC) with 10 distinct user roles
• Granular three-tier permission system (Read / Write / Execute) with per-user overrides
• Geographic scoping restricts data visibility to assigned organizational units
• Administrative access follows the principle of least privilege
• Read-only roles available for view-only access requirements

3. Audit Logging & Monitoring

• All administrative actions are recorded in an append-only audit log (who, what, when, where, outcome)
• Risk-based classification automatically flags unusual activity patterns for review
• Real-time automated alerts for elevated and critical security events
• Per-account activity logs accessible to account administrators
• Audit logs retained for a minimum of 7 years
• Login failure monitoring with configurable alerting thresholds

4. Incident Response

• Documented incident response plan covering identification, containment, eradication, recovery, and post-incident review
• Critical security events automatically generate tracked incidents with response SLAs
• Security incidents affecting customer data are communicated without undue delay, including within 72 hours where required by applicable law (for example GDPR Article 33)
• Post-incident reviews conducted to identify root causes and implement preventive measures
• Incident acknowledgment, investigation, and resolution tracked with full audit trail

5. Backup & Recovery

• Automated database backups on regular schedule, stored in geographically separate off-site locations
• Enterprise backup infrastructure with encryption at rest
• File-level and system-level backups maintained independently of database backups
• Recovery procedures tested periodically
• Infrastructure designed with redundancy at network, compute, and storage layers

6. Endpoint & Infrastructure Security

• Enterprise-grade endpoint cybersecurity with real-time threat detection, malware prevention, and automated remediation
• Centrally managed endpoint protection with continuous monitoring
• Database access restricted to application servers — no public access
• Webhook signature verification on all inbound integration endpoints
• SSRF protections on outbound API integrations (private IP ranges, internal hostnames, and metadata endpoints blocked)
• CSRF protection on all form submissions
• Input validation and output encoding to prevent injection attacks
• Parameterized database queries

7. Data Privacy

• Built-in GDPR tools: data search, export, and cascade-safe erasure with full audit trail
• Automatic email and SMS suppression lists (bounce, complaint, opt-out processing)
• Consent management with digital model release capture and customer-facing revocation
• No biometric processing — no facial recognition, no biometric templates, no cross-photo identity matching
• No advertising cookies or third-party tracking
• Photographer controls their own data retention — platform provides tools, photographer sets policy
• Sub-processor list publicly disclosed with 30-day change notification commitment

8. Compliance Status

Current Assurance Posture (As of April 28, 2026)

• Documented incident response plan with quarterly mock exercises and one annual live drill
• SOC 2 Type II attestation is in progress; current controls are operated in a SOC 2-aligned manner
• Monthly vulnerability scanning is performed; findings are tracked to remediation and closure in an internal issue management system
• Quarterly external perimeter/PCI-style scans are reviewed and actioned through the same remediation workflow
• Independent third-party penetration testing has not yet been completed and is planned
• Cyber insurance is currently under evaluation

Periodic Review Schedule

9. Legal Documentation

The following documents are publicly available:

10. Contact