TRUST CENTER

Built for the events you can't get wrong.

Everything procurement, security, and legal teams need to evaluate Fotowall in one place. Documents below are kept current; if you need something not listed, email trust@fotowall.io.

Last reviewed:

Security

Defense-in-depth on a hardened Google Cloud foundation. TLS in transit, KMS-managed encryption at rest, App Check on public writes, audit logging on admin actions.

  • TLS 1.2+; HSTS enforced.
  • AES-256 at rest via Google Cloud KMS.
  • Firebase App Check + reCAPTCHA Enterprise on public-facing writes.
  • SSO and MFA required for production access.
  • Rolling 35-day encrypted backups.

Privacy

GDPR, UK GDPR, and U.S. state privacy compliance built in. Consent Mode v2 analytics, default-denied; self-service DSAR; configurable retention.

  • Privacy Policy describes data, legal bases, retention.
  • Public photo-removal request flow for guests.
  • Per-event hard-delete and full account export tooling.
  • Sub-processor list with 30-day change notification.

Compliance

Standard SaaS DPA available on request, signed for Enterprise. SCCs incorporated for EEA/UK transfers. SOC 2 Type II audit planned.

  • DPA with full Annexes (Module 2 + Module 3 SCCs).
  • UK IDTA incorporated for UK transfers.
  • CCPA / CPRA "Service Provider" terms.
  • SOC 2 Type II — audit window opens Q4 2026 (planned).
  • Annual third-party penetration test — first scheduled Q3 2026.

Accessibility

WCAG 2.1 AA target, externally audited annually. Public statement with known limitations and remediation timelines.

  • WCAG 2.1 AA conformance target.
  • Automated axe-core scans in CI.
  • Quarterly NVDA + VoiceOver manual review.
  • VPAT 2.5 / ACR available on request.

Reliability

Uptime targets, on-call coverage during contracted event windows, post-incident transparency.

  • 99.9% monthly uptime target (excluding scheduled maintenance).
  • Status page (planned): status.fotowall.io.
  • 24/7 on-call during contracted Premier / Agency event windows.
  • Public post-incident reviews for SEV-1 events.

Procurement evidence pack

For RFPs and vendor reviews we can supply the following under NDA, typically within 2 business days:

  • Signed mutual NDA (or sign yours).
  • Completed SIG Lite security questionnaire.
  • Counter-signed DPA based on your legal entity details.
  • Annual penetration test summary (once first audit completes — Q3 2026 target).
  • SOC 2 Type II report (planned — audit window Q4 2026).
  • Architecture overview and data-flow diagram.
  • Business continuity and disaster recovery summary.
  • Insurance certificate (general liability, cyber, E&O).
  • VPAT 2.5 / ACR (accessibility).

Request access: trust@fotowall.io

Responsible disclosure

Security researchers — thank you. Report suspected vulnerabilities to security@fotowall.io. We commit to acknowledge within 2 business days, respond substantively within 10 business days, and not pursue legal action against good-faith research that respects user privacy, avoids service disruption, and gives us a reasonable window to remediate before disclosure.

Talk to us

For procurement, security review, or custom legal terms (MSAs, BAAs once HIPAA support lands), our team is one email away.