
Security & Data

SuperStyle takes security and data privacy seriously. Here’s how we handle your data.

  • Temporary storage — Uploaded images (selfies, clothing photos) are processed in memory and not stored permanently
  • Auto-deletion — Any cached images are automatically deleted after 3 days
  • No training — Your images are never used to train AI models
  • Generated images — Try-on results are returned directly in the API response and not stored server-side

  • HTTPS only — All API endpoints are served over HTTPS (TLS 1.2+)
  • No HTTP fallback — Plaintext HTTP requests are rejected
  • CloudFront CDN — API traffic is routed through AWS CloudFront with modern TLS configuration

  • Hashed storage — API keys are stored hashed in DynamoDB
  • Key rotation — You can generate new keys and revoke old ones at any time from the Developer Portal
  • Usage tracking — Every API call is logged with timestamp and endpoint for audit purposes
  • Key prefixing — All keys start with ss_ for easy identification in code reviews and secret scanning
  1. Never commit keys to source control — Use environment variables or secret managers
  2. Use separate keys per environment (dev, staging, prod)
  3. Rotate keys regularly — Generate new keys and revoke old ones monthly
  4. Monitor usage — Check the Usage Dashboard for unexpected activity

  1. Never expose keys in browser code — Use a backend proxy for production applications
  2. The embeddable widget necessarily sends its key from the browser — use a restricted, rate-limited key for widget deployments
  3. Validate input — Always validate image URLs and base64 data before sending them to the API
  1. Store keys as environment variables:

     export SUPERSTYLE_API_KEY=ss_your_key_here

  2. Use HTTPS for all API calls — The API rejects non-HTTPS connections

  3. Handle errors gracefully — Don’t expose API error details to end users

  • AWS Lambda — Serverless compute (no persistent servers to compromise)
  • DynamoDB — Encrypted at rest with AWS-managed keys
  • CloudFront — Edge-level DDoS protection and TLS termination
  • ARM64 — Running on AWS Graviton processors

  • All data is processed in the US East (N. Virginia) AWS region
  • No personal data is shared with third parties
  • API usage logs are retained for 90 days

If you discover a security vulnerability, please email security@meriedith.com. We take all reports seriously and will respond within 48 hours.