Security and Trust

Over 1000 companies and 70,000 developers use ImageKit to store, manage and deliver images, videos, and other media across the globe. We understand the responsibility at hand and the need to provide a secure, reliable platform to suit your business requirements. Improving and maintaining our security standards is one of our key business priorities. Our commitment to building a secure platform for media management and delivery is reflected in our compliance, features, and policies listed below.

Compliance and Testing

ImageKit is compliant with ISO 27001:2013, an international standard in information security management. As a part of this compliance, our processes, systems, and people policies have been audited by an independent third-party accreditation body. The audit is conducted periodically to ensure we are compliant with this standard.

ImageKit also runs a private bug bounty program via a crowdsourced security platform. Through this program, independent security researchers regularly scrutinize our APIs and systems. If any issues are found, they are reported to our team, which fixes them as soon as possible. We also have independent third parties periodically run penetration tests on our network and application to detect any vulnerabilities and address them.

We are also an AWS Advanced Technology partner and have successfully completed the Foundational Technical Review by AWS’s team, validating that we follow the best practices for cloud deployments and security.

Features for secure delivery

ImageKit provides several features as a part of its product to secure media delivery on your websites and apps.

You can connect your storage or servers that contain the original assets to ImageKit and provide ImageKit with read-only access to them. This ensures that your original content stays under your ownership, and ImageKit only accesses it when you request a resource through it.

You can mark your images as “Private”, whether they are stored on your own storage or in ImageKit’s integrated Digital Asset Management solution. This ensures that no one without valid API keys can access your files. In addition, using your API keys, you can sign your URLs and set them to expire after a specific time. This prevents any unauthorized use of your assets by third parties.

You can watermark your images and videos and restrict the transformations allowed on your media files using the named transformations feature.

Our enterprise plan users can access advanced security features to block or allow incoming requests from specific IPs or IP ranges, referrers, and countries.

Media Management

You can use ImageKit’s integrated digital asset management solution, the Media Library, to store and manage images, videos, and other files.

ImageKit provides a user-friendly dashboard to upload, search, manage, restore versions, and delete any asset you have in the media library directly in the browser. We also provide APIs to do the same operations and a lot more programmatically. You can also create your custom tags and organization scheme for assets uploaded to the media library. These features ensure that you can find assets, either through the UI or programmatically, associated with a specific user or resource at any time and take appropriate action as part of your data policy.

We also provide an option to get a near real-time backup of all the assets you upload to our media library in an AWS S3 storage bucket you own. You, therefore, always have control and ownership of all the assets in storage that is under your control.

Access Control

Multiple users might be involved in media upload, management, and delivery. ImageKit provides user management options to all our paid users that let you restrict the access a user has in the ImageKit dashboard. Even if you access ImageKit programmatically, you can create restricted API keys to limit the actions that can be performed using that set of API keys. We also support Single Sign-On (SSO) to help you manage access controls in ImageKit using your central Identity Provider platform.

ImageKit supports multi-factor authentication for all accounts. Users would be required to enter an additional code, received on their email, every time they try to log in, adding a layer of security to their account.

Enterprise users also have access to audit logs to monitor the actions taken by different users added to their ImageKit account, helping them understand what exactly changed in their setup and when.

Network

ImageKit’s processing and storage network is built on top of AWS and other reputed cloud providers and is spread across six global locations. Each location is isolated from the others from a data storage perspective, helping you comply with any local data storage and processing laws. As an extreme fallback, should a particular region become completely unresponsive, we might temporarily use alternative regions to process your requests, guaranteeing our service's high availability.

ImageKit integrates with AWS CloudFront CDN and serves billions of requests daily. The traffic is served over HTTPS, and our team takes care of procuring, deploying, and maintaining SSL certificates. Using a CDN improves response times and adds another layer of security on top of our systems. Should you require additional security or firewalls that are not natively supported in ImageKit, you can integrate ImageKit with any popular CDN you use for media delivery and security.

We also monitor all incoming traffic on our systems and set alerts for any significant traffic pattern changes. Should any situation arise where our team needs to step in, we get in touch with the impacted customer(s) and can take corrective measures such as blocking countries, URL patterns, and IPs, if needed.

Custom SLAs

We also support custom response and uptime SLAs on specific enterprise plans. Enterprise users also have access to an on-call incident response team that can work with them to mitigate any security issues impacting their media delivery.

Internal Systems and Processes

Our team is constantly up-to-date with the latest vulnerabilities that impact OS, languages, or libraries we use in our product. Regular patches are applied for known vulnerabilities, including those identified by the independent security researchers testing our product.

Access to our production systems, staging environments, and customer data is restricted in line with our ISO 27001:2013 compliance. All employees joining ImageKit are subject to a mandatory criminal and employment background check to minimize any security threat through personnel.

Uptime and Transparency

We publish our historical service uptime and incident details on our Status Page.

The ImageKit dashboard provides granular insights about Referrers, IPs, User Agents, Browsers, Traffic Patterns, errors, output formats, and more for all content delivered via ImageKit. These stats are available for the last 90 days to help you identify any anomaly in the traffic served through your ImageKit account.

You can also set billing alerts in your ImageKit account, and we will notify you when you exceed that billing threshold. This helps you keep your costs under control.

To keep things transparent, ImageKit also exposes the Server-Timing response header for any media request. This response header indicates the time it takes ImageKit to download and transform a media file.

Policies

Last but not least, we keep our terms of use, privacy policy, and GDPR policy updated on our website and indicate what data we collect, the controls in place, acceptable use of our service, and options available to our users for any data stored on ImageKit.

We also offer a Data Processing Agreement that can be executed in addition to any pricing agreement to further elaborate on the collection and storage of data and the rights and responsibilities of each party involved.