Data Processing Addendum

Last updated: October 16, 2025

This addendum outlines how ProHeadshots AI processes and safeguards customer data, including the third-party processors engaged to deliver the service.

Data Categories

  • Authentication data handled via Supabase Auth.
  • Training assets (uploaded photos) stored temporarily in AWS S3.
  • Payment metadata (checkout IDs, transaction status, order details) exchanged with our PCI-DSS compliant payment gateway.
  • Model artifacts and inference results generated through Replicate.

Processors and Roles

  • Supabase: auth, database, access controls (data processor).
  • AWS: secure file storage for uploads and training archives (data processor).
  • Payment Gateway: secure payment processing, checkout sessions, refund management (PCI-DSS Level 1 certified payment processor).
  • Replicate: ML training and inference managed via secure webhooks (data processor).

Security Measures

  • Transport Layer Security (HTTPS) enforced across all endpoints.
  • Environment-specific API keys with least-privilege access and periodic rotation.
  • Webhook signature verification (payment gateway & Replicate) using HMAC-SHA256 to prevent tampering and ensure data integrity.
  • Access controls and audit logging for administrative actions.

Retention & Deletion

Uploaded photos and generated results are retained only as needed to deliver the service. Upon a verified deletion request, associated artifacts are removed from AWS S3, Supabase storage, and Replicate workspaces. Payment records are retained according to statutory accounting requirements.

Contact

Questions regarding data processing? Email support@profilelift.pro. We respond within 7 days.