Effective May 18, 2026

Security posture.

How we lock down your account, your data, and your URLs. Most of the security model is baked into the product surface — not a separate compliance regime bolted on top.

Architecture

Every request runs on Cloudflare's edge — the same network that serves a meaningful slice of the open web. We don't operate our own data centers. The service inherits Cloudflare's SOC 2 Type II, ISO 27001, ISO 27018, and PCI DSS compliance posture.

Account data, custom-domain records, and usage telemetry persist in AWS DynamoDB (us-east-1). AWS holds SOC 1/2/3, ISO 27001/27017/27018, and PCI DSS Level 1 — the data layer is compliant end-to-end. The Worker tier is pinned to aws:us-east-1 placement to minimize round-trip latency to the database.

Authentication

No API keys, no auth headers. Each workspace gets a unique namespace baked into the URL — there's nothing to leak. Dashboard access is gated by email OTP login; no passwords stored, none to phish.

Browser traffic is gated by a per-workspace CORS allowlist (you choose which origins can call your image URLs). Server-to-server traffic with no Origin header passes through unconditionally — your backend keeps working without configuration.

Authorization, you hold the gate

New workspaces ship permissive — both allowlists default to ['*'], so URLs work the moment you sign up. Tightening is your call, on your timeline:

  • Allowed origins — the CORS gate. Swap the * for the specific origins that can call your image URLs from a browser. Wildcards supported (*.example.com).
  • Allowed external sources — when callers pass a full URL as ?src=, the host must match a pattern in this list. Restrict it to stop hot-linking and surprise charges.

Open by default for prototyping, restricted on purpose for production.
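The two gates described above, sketched as an added example that is not img apis' own code: it shows what tightening each allowlist changes for a given request. The matching rules (a `*` stands for whole DNS labels, patterns compare against the hostname) and the names `allowedOrigins`, `allowedSources` and every function here are assumptions for illustration.

```javascript
// Added example. Matching rules and field names are assumptions, not img apis' code.
// Assumed: "*" matches any host; "*.example.com" matches subdomains only.
function patternToRegExp(pattern) {
  if (pattern === '*') return /^.*$/;
  const escaped = pattern.toLowerCase().replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  // Each "*" stands for one or more whole DNS labels, so the match is anchored
  // on a label boundary and "evilexample.com" cannot pass "*.example.com".
  const body = escaped.replace(/\*/g, '[a-z0-9-]+(?:\\.[a-z0-9-]+)*');
  return new RegExp('^' + body + '$');
}

function hostAllowed(host, patterns) {
  return patterns.some((p) => patternToRegExp(p).test(host.toLowerCase()));
}

// Parse with URL so a userinfo prefix ("https://good@other/") resolves to the real host.
function hostOf(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.hostname : null;
  } catch {
    return null;
  }
}

// CORS gate: a request with no Origin header passes, as the page describes.
function originAllowed(originHeader, allowedOrigins) {
  if (originHeader == null) return true;
  const host = hostOf(originHeader);
  return host !== null && hostAllowed(host, allowedOrigins);
}

// ?src= gate: the host of the full URL must match a pattern in the list.
function sourceAllowed(src, allowedSources) {
  const host = hostOf(src);
  return host !== null && hostAllowed(host, allowedSources);
}

// Report which allowlists still carry the permissive sign-up default.
function auditWorkspace(cfg) {
  return ['allowedOrigins', 'allowedSources'].filter((k) => cfg[k].includes('*'));
}

// Constructed sample settings: the sign-up default and a tightened version.
const defaults = { allowedOrigins: ['*'], allowedSources: ['*'] };
const tightened = { allowedOrigins: ['app.example.com'], allowedSources: ['*.example.com'] };
```

Running `auditWorkspace` over an exported copy of your settings before go-live is a quick way to confirm neither list still holds the default.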

Your originals never leave you

img apis fetches from storage you control (HTTP URL prefix, Cloudflare R2 bucket, AWS S3 bucket) and discards the bytes after transforming. The only thing that persists on our side is the transformed output — stored in our own Cloudflare R2 and served through the edge cache, with a TTL of one year for transforms and 24 hours for /info.

If you keep originals in your own R2 or S3, residency follows your bucket region. We don't replicate or move them.

Mark auto-apply policy

Marks live in your account as named presets. Bind a preset to specific source keys with autoApplySources, and every transform from those sources gets the mark stamped on automatically — the URL's ?mark= parameter is silently ignored. Useful for licensing enforcement, attribution, or brand consistency the caller can't strip.

Billing security

All payments run through Stripe. We never see or store your card number — only your subscription state and plan tier. Stripe is PCI DSS Level 1 certified.

Transport

TLS everywhere. HSTS preloaded. Custom domains get auto-provisioned SSL certificates via Cloudflare's edge — point a CNAME at customers.imgapis.com and the cert is live in about 30 seconds.

Vulnerability disclosure

Found a security issue? Email security@imgapis.com with the details and we'll respond within one business day.

We don't currently run a paid bug-bounty program, but we publicly acknowledge researchers with permission. Please don't run automated scanners against production accounts that aren't yours.

Contact

Security questions: security@imgapis.com. Everything else: hello@imgapis.com.