Security Policy

Picmaker, as a product of Animaker, is committed to offering the highest standards of security to its customers. Protecting customer data is our utmost priority, and to that end we maintain world-class security standards for the data entrusted to us. Picmaker has put stringent organizational and technical measures in place to protect customer data from unauthorized access, use and misuse.

ISO 27001:2013 Certification

EU-US Privacy Shield

General Data Protection Regulation(GDPR)

California Consumer Privacy Act(CCPA)

Audit and certification:

Picmaker works with independent third-party firms to ensure its security practices consistently meet industry best standards. We are an ISO 27001:2013 certified company, and Picmaker will share the ISO certificate upon reasonable request from clients.

Picmaker uses the payment processing platform Stripe. For more information on Stripe’s security practices, please see https://stripe.com/docs/security/stripe.

Privacy Framework

Picmaker makes sure its processes and procedures comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). For details, please see our Privacy Policy.

Vulnerability Testing:

Picmaker follows a structured code development and release process in which all code is peer reviewed. Picmaker makes purpose-built code analysis tools available for engineers to run against application code, and performs continuous post-production testing driven by current, real-world threats. Picmaker conducts rigorous, continuous internal testing of its application surface through various types of penetration test exercises. In addition, Picmaker coordinates external third-party penetration testing using qualified and certified penetration testers.

Regular penetration testing and security scans:

The Picmaker backend is regularly scanned with industry-standard scanning tools to monitor for and detect vulnerabilities. In addition, once a year we commission a thorough and detailed penetration test from a third-party penetration testing company.

Security Training for Animaker Team

All members of our team complete security awareness training on a regular basis.

Data Encryption:

Data in transit and at rest is encrypted. All of our keys are managed in AWS KMS (Key Management Service). The connection to our application is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256) and a strong cipher (AES_128_GCM); our TLS certificate is issued by GoDaddy. Within the KMS hardened security appliances (HSAs), all symmetric key encryption commands use the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with 256-bit keys, and the analogous decrypt calls use the inverse function. Amazon EC2 EBS volumes are encrypted with AES-256-XTS, which requires two 256-bit volume keys (effectively a 512-bit volume key). The volume key is itself encrypted under a Customer Master Key (CMK, now called a KMS key) and stored alongside the volume metadata, so the plaintext volume key never has to be stored at rest.
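
The envelope pattern described above (a per-object data key encrypts the payload; the KMS-held master key encrypts only the data key, and the wrapped key is stored with the object's metadata) can be demonstrated locally. The Go program below is an added example written for this page, not Picmaker's or AWS's code: a 32-byte in-memory master key stands in for the KMS key, which in AWS never leaves the HSA, and the key identifier `alias/picmaker-demo` and the record text are made up. It also shows what AES-GCM's authentication buys: flipping a single ciphertext bit makes decryption fail rather than return garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope holds everything needed to decrypt a blob except the master key:
// the data key wrapped (encrypted) under the master key, the ciphertext, and
// the identifier of the master key that did the wrapping (stored as metadata).
type Envelope struct {
	WrappedDataKey []byte // AES-256-GCM: nonce || ciphertext || tag of the 32-byte data key
	Ciphertext     []byte // AES-256-GCM: nonce || ciphertext || tag of the payload
	KeyID          string // master key identifier (hypothetical alias in this example)
}

// gcmSeal encrypts plaintext under key with AES-GCM and a fresh random nonce,
// returning nonce||ciphertext||tag. aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse of gcmSeal; it fails if the tag does not verify,
// which is what catches a wrong key, a modified ciphertext or a swapped aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt performs envelope encryption: a random 256-bit data key encrypts the
// payload, and the master key encrypts only the data key. The key ID is bound
// in as AAD so an envelope cannot be silently re-labelled to another key.
func Encrypt(masterKey []byte, keyID string, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dataKey, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct, KeyID: keyID}, nil
}

// Decrypt unwraps the data key with the master key, then decrypts the payload.
func Decrypt(masterKey []byte, env *Envelope) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, env.WrappedDataKey, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	master := make([]byte, 32) // stands in for the KMS-held key (assumption)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	env, err := Encrypt(master, "alias/picmaker-demo", []byte("customer record")) // constructed sample
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(master, env)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // corrupt one bit of the GCM tag
	_, err = Decrypt(master, env)
	fmt.Println("after tampering:", err)
}
```

In production the two `gcmSeal`/`gcmOpen` calls on the master key would be replaced by KMS `GenerateDataKey` and `Decrypt` API calls (with the key ID passed as encryption context), and only the wrapped data key would ever be written next to the data.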

Training / Awareness:

Picmaker has a formal, documented security awareness training program delivered during onboarding, with refresher training every six months.

Incident Response and Reporting System:

Picmaker has a documented and formal incident response plan and tests its emergency response processes annually. Our employees are trained in how to report incidents internally, and customers are kept informed by e-mail of incidents that affect their service. Picmaker has a well-defined and rigorous incident management process for security events: if an incident involves customer data, Picmaker will inform the affected customers within 72 hours and support their investigative efforts through our support team. After a security event is remediated we record a detailed root-cause analysis, and its findings feed back into our detection and response processes so that similar activity can be identified in the future. Picmaker can support properly formed requests from law enforcement for specific tenant data.

Build Process Automation:

Picmaker has an established automated build and deployment process for the Picmaker application and platform, which lets us ship fixes for security issues as soon as they are ready.

Picmaker Infrastructure:

Picmaker operates on Amazon Web Services ("AWS"), and all our in-scope data and systems are hosted there. Under the AWS shared responsibility model, the security of the underlying AWS infrastructure and network is AWS's responsibility, as detailed in the AWS SOC 2 report. In addition, Picmaker's cloud security team periodically monitors and reviews the network configuration and security of the in-scope environment.

Picmaker services and data are hosted on AWS in the us-west-2 and us-east-1 regions. Customer data is stored in multi-tenant datastores, and we enforce stringent privacy controls to ensure each customer's data is isolated from every other customer's. Picmaker has integration tests in place that exercise these tenant-isolation controls; they run on every change to the codebase, and a single failing test blocks the change from shipping to production. Each Picmaker system used to process customer data is configured and patched using commercially reasonable methods according to industry-recognized system-hardening standards and security practice.

Transfer of Data:

Picmaker data is encrypted in transit using TLS with the cipher suite described under Data Encryption above. Our API and application endpoints are TLS-only and score an "A+" rating on SSL Labs' tests. Picmaker uses strong cipher suites and has HSTS and Perfect Forward Secrecy fully enabled. Picmaker also encrypts data at rest using the industry-standard AES-256 algorithm.
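
The transport posture described here and under Data Encryption (TLS 1.2 as the floor, ECDHE key exchange for forward secrecy, AES-GCM, HSTS, HTTPS-only endpoints) maps onto a small amount of server configuration. The Go program below is an added example, not Picmaker's code: the `cert.pem`/`key.pem` paths and the `:8443` port are placeholders. `IsForwardSecret` checks a cipher suite ID against Go's own cipher-suite table for the property SSL Labs reports as Forward Secrecy, and `HSTS` is the middleware that makes endpoints HTTPS-only.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"strings"
)

// HardenedTLSConfig returns a server tls.Config for the posture described on
// this page: TLS 1.2 as the floor, ECDHE-only (forward-secret) AES-GCM suites
// for TLS 1.2, and X25519/P-256 for the key exchange. TLS 1.3 suites are not
// configurable in Go and are always forward-secret.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// IsForwardSecret reports whether a cipher suite ID provides Perfect Forward
// Secrecy: every TLS 1.3 suite does, and among TLS 1.2 suites only the ECDHE
// ones do. Static-RSA suites (TLS_RSA_*) and anything Go classifies as
// insecure (absent from tls.CipherSuites()) return false.
func IsForwardSecret(suite uint16) bool {
	for _, cs := range tls.CipherSuites() {
		if cs.ID != suite {
			continue
		}
		if strings.HasPrefix(cs.Name, "TLS_ECDHE_") {
			return true
		}
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS13 {
				return true
			}
		}
		return false
	}
	return false
}

// HSTSValue is the Strict-Transport-Security policy sent on every HTTPS
// response: one year, covering subdomains.
const HSTSValue = "max-age=31536000; includeSubDomains"

// HSTS makes endpoints HTTPS-only: a request that did not arrive over TLS is
// redirected permanently to its https:// equivalent, and every TLS response
// carries the HSTS header so browsers stop attempting plain HTTP at all.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", HSTSValue)
		next.ServeHTTP(w, r)
	})
}

func main() {
	srv := &http.Server{
		Addr:      ":8443", // placeholder port
		TLSConfig: HardenedTLSConfig(),
		Handler: HSTS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			_, _ = w.Write([]byte("ok\n"))
		})),
	}
	// cert.pem and key.pem are placeholders for the real certificate chain and key.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Two caveats a practitioner will hit: the redirect branch only fires if the same handler is also mounted on a plain-HTTP listener (port 80), and if TLS is terminated at a load balancer then `r.TLS` is nil on every request, so the check must instead trust the balancer's `X-Forwarded-Proto` header and nothing else.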

Authentication:

Picmaker follows the Zero Trust network security model, which is based on strict identity verification: only authenticated and authorized users and devices can access applications and data, and those applications and users are protected from advanced threats on the internet. Being on the Picmaker network grants no additional privileges or access to corporate resources. Picmaker enforces two-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and Intercom to protect access to these cloud services.

Permissions and Admin Controls:

Picmaker sets per-employee permission levels for anyone with access to Picmaker's in-scope systems. Permissions can be scoped separately to app settings, billing and user data.

Monitored Application:

Picmaker ensures that every action on the Picmaker network is logged and auditable. Production control activities are logged as well.