LAST UPDATE: NOV 11, 2025
Security overview
This document covers how Polotno SDK handles data, the security posture of core features, and the responsibilities and options available to customers.
Architecture at a glance
Core SDK (client-side) is local-first: editing, rendering, and export run within your environment (the user’s browser). Limited network calls occur for license validation and, by default, to fetch fonts, Unsplash images and other assets from Polotno-managed endpoints (no tracking; no user design content sent to Polotno). These asset sources can be reconfigured to your own endpoints or removed if required.
No content uploads to Polotno for core features.
Uploads: The editor includes a default Upload panel that ingests files entirely in the browser (converted to base64 for local use). No file content is sent to Polotno. Customers may replace this panel to use their own storage, scanning, and access controls.
AI features (Optional; disabled by default): "AI Write", "Background Removal", "Text To Image", "Image To Image", "Text To Video" run through the Polotno AI Proxy at api.polotno.com and use model providers (e.g., OpenAI, Replicate).
Polotno Cloud Render (optional): A separate, job-based API for server-side rendering.
Enterprise Configuration Options
For organizations with strict data residency or egress policies, Polotno supports:
Bring-your-own endpoints: Route AI requests through your own proxy and provider accounts.
Self-hosted assets: Configure custom CDN/asset endpoints for fonts, images, and media libraries (Unsplash, etc.).
Restricted-connectivity mode: Disable all external network calls except license validation.
Data handling
Scope boundary: Except for optional AI features and optional Cloud Render, Polotno does not process or store end-user content.
AI features (Optional; disabled by default; configurable)
When enabled, the SDK sends only the user-selected content (text and/or media) and model parameters to the Polotno AI Proxy at api.polotno.com, which forwards the request to the model provider and returns the generated or transformed result. This applies to AI Write, Background Removal, and generative/transform features such as text-to-image, image-to-image, and text-to-video (and similar variants).
Roles:
Customer: Controller
Polotno (AI Proxy): Processor for AI features only
Model vendors (OpenAI/Replicate): Sub-processors
Purpose of processing: To generate or transform content (e.g., rewrite text; remove image backgrounds; create or modify images/video).
Data minimized: The proxy forwards the selected text or image and model parameters. Polotno does not add user identifiers.
Customer control: Enterprises may (a) disable AI features or (b) override endpoints to use their own proxy and/or provider accounts.
Data retention:
Content: Polotno does not intentionally store or log user content (text/images) sent through the AI Proxy beyond what is strictly necessary to process the request. Requests are processed in memory and not persisted in application databases or long-term storage. Transient buffering may occur as part of normal network and system operations but is not retained after completion of the request.
Metadata: We collect minimal usage metadata (timestamps, feature usage, request counts) for billing and service health monitoring. This metadata does not contain user content and is retained for 3 months.
Polotno Cloud Render (Optional; OFF by default)
If used, the customer’s app sends design JSON and asset URLs to Polotno’s API over HTTPS. The API returns the rendered result. Content is not used for training or marketing.
Data retention: Design JSON and rendered outputs are retained for 7 days to enable job status retrieval, then permanently deleted. Customers may request immediate deletion via API. Usage logs (job IDs, timestamps, render duration) are retained for billing and operational purposes for 3 months.
Licensing & logging
License validation: Polotno validates licenses with a lightweight call containing license key, domain(s) and limited technical metadata (such as IP address and user-agent). This data is used solely for license management, abuse prevention, and security monitoring and is retained for 3 months.
No telemetry: The SDK includes no client-side analytics beacons or behavioral tracking that captures end-user behavior for marketing or product analytics. Operational usage metadata is collected only on server-side services (such as the AI Proxy and Cloud Render) for billing and service health, as described above under Data handling.
Inspectable: All network requests are visible via browser DevTools.
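The restricted-connectivity option above and the "inspectable in DevTools" claim both invite the same check: confirm, on your own deployment, that the editor only reaches the hosts you intended. The following egress audit is an added example and not Polotno SDK code; the license-validation host and the corporate CDN host are placeholders (the page does not state them), and the captured URL list is constructed to look like a DevTools Network export.

```javascript
// Egress audit for a Polotno SDK deployment (added example, not Polotno code).
// Given request URLs observed in the browser and the egress policy you meant
// to deploy, report every request that leaves the allowlist or is not HTTPS.

// Policy for a "restricted-connectivity" deployment: only license validation
// and your own asset CDN. Both hosts are PLACEHOLDERS; take the real license
// endpoint from your own DevTools capture.
const RESTRICTED_POLICY = {
  allowedHosts: [
    "license.polotno.example",     // placeholder for the license check endpoint
    ".cdn.example-corp.internal",  // leading dot: the apex and any subdomain
  ],
  requireHttps: true,
};

// True when `host` equals an allowlist entry, or is the apex/subdomain of an
// entry written with a leading dot. Suffix matching requires the dot, so
// "evil-cdn.example-corp.internal" does not match ".cdn.example-corp.internal".
function hostAllowed(host, allowedHosts) {
  const h = host.toLowerCase();
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) return h === e.slice(1) || h.endsWith(e);
    return h === e;
  });
}

// Audit URLs against a policy. Returns one finding per violating request with
// the host and the reason(s); unparseable strings are reported, not skipped.
function auditEgress(urls, policy) {
  const findings = [];
  for (const raw of urls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      findings.push({ url: raw, host: null, reasons: ["unparseable-url"] });
      continue;
    }
    const reasons = [];
    if (policy.requireHttps && url.protocol !== "https:") reasons.push("not-https");
    if (!hostAllowed(url.hostname, policy.allowedHosts)) reasons.push("host-not-allowlisted");
    if (reasons.length) findings.push({ url: raw, host: url.hostname, reasons });
  }
  return findings;
}

// Browser-side recorder: wraps fetch so every outbound request is remembered;
// run auditEgress(recorder.urls, policy) after exercising the editor.
// Font/image loads made by <link>/<img> bypass fetch; cover those with
// performance.getEntriesByType("resource").
function installFetchRecorder(target = globalThis) {
  const urls = [];
  const original = target.fetch;
  if (typeof original !== "function") return { urls, restore() {} };
  target.fetch = function (input, init) {
    const u = typeof input === "string" ? input : input && input.url;
    if (u) urls.push(String(u));
    return original.call(this, input, init);
  };
  return { urls, restore() { target.fetch = original; } };
}

// Constructed sample of a capture from an editor that was supposed to run in
// restricted mode. The api.polotno.com entry would indicate an AI feature
// still enabled; the http:// entry would indicate a default asset source
// that was not reconfigured.
const SAMPLE_CAPTURE = [
  "https://license.polotno.example/check?domain=app.example-corp.com",
  "https://fonts.cdn.example-corp.internal/Roboto.woff2",
  "https://api.polotno.com/CONSTRUCTED-PATH",
  "http://images.unsplash.example/photo.jpg",
];

function sampleFindings() {
  return auditEgress(SAMPLE_CAPTURE, RESTRICTED_POLICY);
}
```

In a live page, call installFetchRecorder() before the editor mounts, exercise upload, export and any AI panels, then audit recorder.urls; a finding against api.polotno.com means an AI feature is still reachable from that build.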
Security development practices
Dependency hygiene: Regular vulnerability reviews and updates; versions are pinned to prevent unplanned changes.
Supply chain: No hidden dynamic code loading. One optional exception is jspdf for PDF export, which customers can bundle ahead of time to avoid runtime loading.
Secure coding: Untrusted content is handled as data, not executable code. Rich-text editing is restricted to a safe formats list by default.
Incident Response & Vulnerability Disclosure
Security contact: [email protected]
Vulnerability reports: We welcome responsible disclosure and aim to acknowledge reports within 48 hours.
Incident notification: In the unlikely event of a security incident affecting customer data (AI Proxy or Cloud Render only), we will notify affected customers without undue delay and, where feasible, not later than 72 hours after becoming aware of the incident. Such notice will include information reasonably required for customers to meet their own regulatory and contractual notification obligations (including, where available, the nature of the incident, categories of data and data subjects affected, likely consequences, and measures taken or proposed to address the incident).
Incident response plan: We maintain internal runbooks for containment, investigation, and remediation.
Compliance & contracts
Core SDK
Data to Polotno: No (editing/export run in the end-user’s browser).
GDPR/CCPA: For core SDK use, Polotno does not process end-user design content as a processor. Polotno processes only limited technical and account data (such as license information, domain and technical metadata) for license management, security and support. In many cases this does not require a data processing agreement for end-user content; where a customer considers a DPA necessary, Polotno can provide one that covers these limited processing activities.
AI features (optional)
Data to Polotno: Yes — only the user-selected text/media via the AI Proxy.
GDPR/CCPA: Polotno is the processor; model providers are sub-processors.
Contract: DPA available; SCCs used for international transfers where applicable.
Sub-processors: Polotno will provide a current list upon request and give advance notice of material changes. If a customer objects, Polotno will work in good faith to disable the affected feature or offer a reasonable alternative.
Cloud Render (optional)
Data to Polotno: Yes — design JSON/assets are sent for rendering.
GDPR/CCPA: Polotno is the processor.
Contract: DPA available; SCCs where applicable.
Use limitations
Customer content is not used for model training or marketing.
Polotno does not sell personal information or share it for cross-context behavioral advertising.
FAQ
Q: Does Polotno process end-user content?
Core SDK: No. Content remains in the customer’s environment.
AI features (optional): The selected text/image is proxied through Polotno solely to perform the requested AI operation.
Q: Who is the controller/processor?
The customer is the controller. For AI features, Polotno is the processor and model vendors are sub-processors.
Q: Can we avoid Polotno being in the AI path?
Yes. Enterprises can disable AI features or point the SDK to their own proxy and/or provider accounts.
Q: Do you use customer content for training or marketing?
No.