Security Policy

Effective: April 18, 2026 | IT Act 2000 aligned | Version 1.0

This Security Policy outlines the technical and organizational measures Filmroll employs to protect your data and photographs on Filmroll, and the security responsibilities that apply to you as a user.

1. Our Security Commitments

We take the security of your photographs and personal data seriously. Filmroll is built on enterprise-grade cloud infrastructure and implements multiple layers of security to protect against unauthorized access, data loss, and breaches.

2. Infrastructure Security

Cloud Storage

All photographs and user data are stored on industry-leading cloud platforms (AWS S3, Google Cloud Storage, or Azure Blob Storage). These providers maintain ISO 27001, SOC 2 Type II, and other internationally recognized security certifications. Data is stored in geographically redundant environments to ensure availability and disaster recovery.

Encryption

  • Data in transit: All communications between your browser/device and Filmroll are encrypted using TLS 1.2 or higher (HTTPS). We enforce HSTS to prevent downgrade attacks.
  • Data at rest: All stored photographs and user data are encrypted using AES-256 encryption at the storage layer.
  • Payment data: Payment information is never transmitted through or stored on our servers. All payment processing is handled end-to-end by Razorpay / Stripe using PCI-DSS compliant infrastructure.

3. Access Controls and Authentication

Two-Factor Authentication (2FA)

We offer two-factor authentication for all user accounts. We strongly recommend enabling 2FA to add an additional layer of protection beyond your password. 2FA is supported via authenticator apps (TOTP) and email-based OTP.

Password-Protected Gallery Links

Client galleries shared via links can be protected with unique passwords. Passwords are hashed and never stored in plaintext. Link expiry options are available to limit access duration. Expired or revoked links cannot be used to access content.

Watermarking and Download Controls

Photographers can apply automatic watermarks to photographs displayed in client galleries. Download permissions are granular — you control which clients can download full-resolution files, low-resolution previews, or no downloads at all. Attempts to bypass download controls are logged and may result in access revocation.

Internal Access Controls

Access to production systems and user data by Filmroll employees is governed by the principle of least privilege. Only authorized personnel with a legitimate business need may access user data, and all such access is logged and audited.

4. Security Monitoring

We continuously monitor the Platform for suspicious activity, unauthorized access attempts, and anomalous usage patterns. Automated systems and periodic manual reviews are used to detect and respond to potential threats.

5. Data Breach and Incident Response

In the event of a confirmed personal data breach, we will:

  • Notify affected users without undue delay, and within 72 hours of discovering the breach where technically feasible.
  • Report the breach to the Data Protection Board of India as required under the DPDP Act, 2023.
  • Provide details of the nature of the breach, the data affected, likely consequences, and remedial steps taken.
  • Take immediate containment and remediation actions to prevent further exposure.

6. Your Security Responsibilities

Security is a shared responsibility. As a user of Filmroll, you are responsible for:

  • Keeping your login credentials confidential. Do not share your password with anyone.
  • Enabling two-factor authentication on your account.
  • Using strong, unique passwords and updating them periodically.
  • Logging out of your account on shared or public devices.
  • Not sharing gallery links with unintended recipients.
  • Promptly notifying us at security@filmroll.com if you suspect unauthorized access to your account.
  • Ensuring that client-facing gallery links are password-protected when sharing sensitive content.

We are not liable for security incidents arising from your failure to follow reasonable account security practices.

7. Vulnerability Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a potential security issue in Filmroll, please report it to us at security@filmroll.com before public disclosure. We will acknowledge receipt within 2 business days, investigate the report, and work to resolve confirmed vulnerabilities in a timely manner. We will not take legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

8. Third-Party Security

Our third-party service providers (cloud storage, payment processors, analytics) are selected based on their security posture and are bound by data processing agreements that require them to maintain appropriate technical and organizational security measures consistent with industry standards.

9. Periodic Review

This Security Policy is reviewed at least annually and updated to reflect changes in our infrastructure, regulatory requirements, and emerging threats. Significant updates will be communicated to users.

10. Contact

For security concerns, contact: security@filmroll.com
Filmroll, Chennai, Tamil Nadu, India.