
Security & Data

SuperStyle takes security and data privacy seriously. Here’s how we handle your data.

SuperStyle follows a privacy-first approach to image handling:

  • Ephemeral by default — Generated images are stored temporarily and auto-delete after 24 hours via S3 lifecycle rules.
  • Automated cleanup — Temporary S3 objects are garbage-collected within 1 day via S3 lifecycle rules, ensuring no orphaned data persists.
  • Direct URLs — All images (temporary and permanent) are served via direct public URLs. No presigned URL complexity.
  • Encrypted at rest — All S3 objects are encrypted using AWS-managed keys (SSE-S3).
  • No training — Your images are never used to train AI models.

Generated images (try-on, model photos, style suggestions) are uploaded to Amazon S3 and returned as direct URLs. Storage behavior depends on the store_image setting:

| store_image | Behavior |
| --- | --- |
| false (default) | Images are stored under a temp/ prefix. The direct URL works for 24 hours, then the S3 object is automatically deleted. |
| true | Images are stored permanently under your user/key prefix. You can revisit past generations at any time. |

  • Public-read — All images are accessible via direct URL only. There is no directory listing or browsing.
  • S3 bucket — All images are stored in superstyle-user-images in us-east-1.
  • Frontend users — The store_image preference is controlled via a toggle on the Profile page, stored in Clerk user metadata.
  • API users — Pass "store_image": true in the request body to persist images. Default is false.

    superstyle-user-images/
    ├── {userId}/            ← permanent (store_image=true), direct URLs
    │   ├── try-on/
    │   ├── model-photo/
    │   ├── generate-image/
    │   └── style-me/
    └── temp/                ← ephemeral (store_image=false), direct URLs, auto-deletes after 24h
        └── {userId}/
            └── {category}/

  • HTTPS only — All API endpoints are served over HTTPS (TLS 1.2+)
  • No HTTP fallback — Plaintext HTTP requests are rejected
  • CloudFront CDN — API traffic is routed through AWS CloudFront with modern TLS configuration

  • Hashed storage — API keys are stored securely in DynamoDB
  • Key rotation — You can generate new keys and revoke old ones at any time from the Developer Portal
  • Usage tracking — Every API call is logged with timestamp and endpoint for audit purposes
  • Key prefixing — All keys start with ss_ for easy identification in code reviews and secret scanning

To prevent abuse and protect shared resources, rate limits are enforced on generation endpoints:

  • 20 requests/day per user (across all API keys belonging to the same account)
  • 1 concurrent request per user — a second request while one is in-flight returns 429
  • All endpoints except /usage count toward the limit
  • Limits reset daily at midnight UTC

The API returns X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers on generation responses. When the limit is exceeded, a 429 Too Many Requests response includes a Retry-After header.
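An added example, not SuperStyle's own code, of a client honoring these limits: it serializes calls to respect the one-in-flight rule and computes a wait from Retry-After, falling back to the midnight UTC reset when X-RateLimit-Remaining is 0. The function names and the 5-second pause for a 429 without Retry-After are assumptions; the format of X-RateLimit-Reset is not documented here, so it is not parsed.

```python
import threading
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

CONCURRENCY_WAIT = 5  # assumed pause (seconds) when a 429 carries no Retry-After
_in_flight = threading.Semaphore(1)  # page: 1 concurrent request per user

def seconds_until_midnight_utc(now):
    """Seconds from `now` (aware UTC datetime) to the next 00:00 UTC reset."""
    nxt = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((nxt - now).total_seconds())

def parse_retry_after(value, now):
    """Retry-After is delta-seconds or an HTTP-date; return None if unusable."""
    value = value.strip()
    if value.isascii() and value.isdigit():
        return int(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0, int((when - now).total_seconds()))

def backoff_seconds(status, headers, now):
    """How long to wait before the next generation call (0 means go ahead)."""
    h = {k.lower(): v for k, v in headers.items()}
    exhausted = h.get("x-ratelimit-remaining", "").strip() == "0"
    if status == 429:
        wait = parse_retry_after(h.get("retry-after", ""), now)
        if wait is not None:
            return wait
        # No Retry-After: daily quota spent, or (assumed) the concurrency 429.
        return seconds_until_midnight_utc(now) if exhausted else CONCURRENCY_WAIT
    return seconds_until_midnight_utc(now) if exhausted else 0

def call_serialized(send):
    """Run `send` (a callable performing one API request) one at a time."""
    with _in_flight:
        return send()

if __name__ == "__main__":
    # Constructed response headers, for illustration only.
    now = datetime.now(timezone.utc)
    print(backoff_seconds(429, {"Retry-After": "120"}, now))
```
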

  1. Never commit keys to source control — Use environment variables or secret managers
  2. Use separate keys per environment (dev, staging, prod)
  3. Rotate keys regularly — Generate new keys and revoke old ones monthly
  4. Monitor usage — Check the Usage Dashboard for unexpected activity

  1. Never expose keys in browser code — Use a backend proxy for production applications
  2. The embeddable widget sends keys from the browser — use restricted keys with rate limiting for widget deployments
  3. Validate input — Always validate image URLs and base64 data before sending to the API
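
One way to implement the input validation recommended above on a backend proxy, as an added example that is not SuperStyle's code. The accepted image types (PNG, JPEG), the 10 MiB cap and the function names are assumptions; the page does not state the API's own limits.

```python
import base64
import binascii
import ipaddress
from urllib.parse import urlsplit

MAX_IMAGE_BYTES = 10 * 1024 * 1024  # assumed cap, not a documented API limit
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}  # assumed allow-list

def validate_image_url(url):
    """Accept only https URLs without credentials that name a public host."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password or not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: require a dotted name. This does not resolve the name,
        # so a host that resolves to an internal address still needs a
        # resolve-time check wherever the URL is actually fetched.
        return host != "localhost" and "." in host
    # IP literal: reject loopback, link-local, private and other non-global ranges.
    return ip.is_global

def validate_image_base64(data):
    """Return the detected image type, or None if the payload is rejected."""
    # Reject oversized input before decoding (base64 expands data by 4/3).
    if len(data) > MAX_IMAGE_BYTES * 4 // 3 + 4:
        return None
    try:
        raw = base64.b64decode(data, validate=True)  # strict alphabet and padding
    except (binascii.Error, ValueError):
        return None
    if not raw or len(raw) > MAX_IMAGE_BYTES:
        return None
    for magic, kind in MAGIC.items():
        if raw.startswith(magic):
            return kind
    return None
```
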
  1. 24-hour window — Temporary images auto-delete after 24 hours. If you need the image longer, download and store it on your own infrastructure.
  2. Direct URLs — All image URLs are direct S3 URLs (no presigned query parameters).
  3. Use store_image: true if you need persistent access to generated images.

  1. Store keys as environment variables:

    export SUPERSTYLE_API_KEY=ss_your_key_here
  2. Use HTTPS for all API calls — The API rejects non-HTTPS connections

  3. Handle errors gracefully — Don’t expose API error details to end users

  • AWS Lambda — Serverless compute (no persistent servers to compromise)
  • DynamoDB — Encrypted at rest with AWS-managed keys
  • CloudFront — Edge-level DDoS protection and TLS termination
  • ARM64 — Running on AWS Graviton processors

SuperStyle uses the following third-party services to process your data:

| Service | Purpose | Data processed |
| --- | --- | --- |
| AWS S3 | Image storage | Generated images (ephemeral and persistent) |
| AWS Lambda | API compute | Request payloads including selfies |
| AWS DynamoDB | Key storage and usage tracking | API keys, usage logs |
| Google Gemini | AI image generation | Selfie data, clothing descriptions |

  • All data is processed in the US East (N. Virginia) AWS region
  • No personal data is shared with third parties beyond the subprocessors listed above
  • API usage logs are retained for 90 days

If you discover a security vulnerability, please email security@meriedith.com. We take all reports seriously and will respond within 48 hours.