At Catfish AI, we take the protection of customer data extremely seriously. This Security Policy describes the organizational and technical measures we implement platform-wide, designed to prevent unauthorized access, use, alteration, or disclosure of customer data.
Security Team
Our team includes people who have played lead roles in designing, building, and operating highly secure Internet-facing systems at companies ranging from startups to large public companies.
Best Practices
Incident Response Plan
- We have implemented a formal procedure for security events and have educated all our staff on our policies.
- When security events are detected, they are escalated, and our team is notified and assembled to rapidly address the event.
- After a security event is fixed, we write up a post-mortem analysis.
- The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
- Catfish AI will promptly notify you in writing upon verification of a security breach of our services that affects your data.
Build Process Automation
- We have functioning, frequently used automation in place so that we can safely and reliably roll out changes to both our application and operating platform within minutes.
- We typically deploy code many times a day, so we have high confidence that we can get a security fix out quickly when required.
Authentication
We have two-factor authentication (2FA) and strong password policies on our cloud services to ensure access is protected.
Infrastructure
- All of our services run in the cloud. We do not run our own routers, load balancers, DNS servers, or physical servers.
- Our services have been built with disaster recovery in mind. We back up all datastores that contain customer data.
Application Monitoring
- We use advanced monitoring tools to quickly identify and resolve incidents.
- All access to our applications and all AI model interactions are logged.
- Image processing and generation activities are monitored and logged for security.
- Actions taken on production consoles are logged and audited regularly.
Data Security
- Strict privacy controls exist in our application code to ensure data privacy and secure image processing.
- All uploaded images and generated artwork are stored securely with encryption at rest.
- Our AI models are protected against unauthorized access and tampering.
- Each system used to process customer data and images is configured and patched using industry-recognized security standards.
Data Transfer
- Our service is served 100% over HTTPS.
- All data sent to or from our service is encrypted in transit using 256-bit encryption.
- Our API and application endpoints are TLS/SSL only.
- We encrypt all sensitive data using industry-standard encryption algorithms.
Payment Processing
All payment instrument processing is performed by Stripe, a secure third-party payment processor.
Customer Responsibilities
- Managing your own user account on our platform.
- Protecting your own account and user credentials.
- Compliance with the terms of service agreement.
- Promptly notifying us if a user credential has been compromised or if you suspect suspicious activity.
- You may not perform any security penetration tests or security assessment activities without express advance written consent.
Contact Us
If you have any questions about this Security Policy or our security practices, please contact me on X (Twitter) at @mehbayat.