All data transmitted between your browser, our API, and our processing infrastructure is encrypted using TLS 1.3. We do not support TLS versions below 1.2 on any endpoint, and we enforce HSTS with a max-age of one year to prevent downgrade attacks. Certificate transparency is enforced, and we subscribe to certificate authority notification services to detect any unauthorised certificate issuance for our domains.

All data at rest — including source images, AI-generated outputs, account metadata, and audit logs — is encrypted using AES-256. Encryption keys are managed through a dedicated key management service (KMS) with hardware security module (HSM) backing. Encryption keys are rotated annually or immediately upon any suspected compromise. Enterprise customers can optionally supply customer-managed encryption keys (CMEK), ensuring that we are unable to access their data without the key in their custody.

Database backups are encrypted using the same AES-256 standard and are stored in a geographically separate region from the primary data. Backup integrity is verified by automated restore tests conducted weekly. All backup files are purged on a rolling 30-day schedule unless a longer retention period has been configured under an enterprise data residency agreement.

Internal service-to-service communication within our processing pipeline is encrypted using mutual TLS (mTLS), and all services authenticate to one another via short-lived certificates issued by our internal certificate authority. This prevents lateral movement within our infrastructure in the event that any single service is compromised.

Virtual Staging implements role-based access control (RBAC) across all plan tiers. Team and Enterprise administrators can define custom roles, assign granular permissions per role, and restrict access to specific projects or client folders. Individual users can only access the resources their role grants. Administrators receive an audit log entry every time a permission assignment is created, modified, or revoked.

Enterprise accounts can enable single sign-on (SSO) using SAML 2.0 or OIDC, integrating with identity providers including Okta, Microsoft Entra ID, Google Workspace, and OneLogin. When SSO is enabled, users must authenticate through your identity provider, and direct password login to Virtual Staging is automatically disabled. SCIM 2.0 provisioning is available for automated user lifecycle management, ensuring that offboarded employees lose access immediately when their account is deprovisioned in your directory.

All accounts support TOTP-based two-factor authentication (2FA). Enterprise administrators can enforce 2FA as a mandatory policy across their entire workspace. Sessions are time-limited and automatically expire after a configurable idle period (default: 8 hours). All active sessions are visible in the Security tab of account settings, and users can revoke any session remotely at any time.

Internal Virtual Staging employee access to customer data is restricted on a strict need-to-know basis. No employee has standing access to customer images or content; temporary elevated access requires manager approval, is time-limited, and generates a full audit trail. Production system access requires a hardware security key and is reviewed quarterly through access recertification.

Virtual Staging runs on a multi-region cloud infrastructure with automatic failover between availability zones. Our primary processing regions are in the United States and European Union. Enterprise customers can elect data residency to ensure that their images and outputs are processed and stored exclusively within a specific geographic region, supporting compliance with GDPR, CCPA, and sector-specific data localisation requirements.

All image uploads pass through an automated validation and scanning layer before entering the processing pipeline. Uploaded files are validated against expected MIME types and image dimensions, scanned for malicious payloads, and stripped of any embedded metadata (EXIF, IPTC) that is not required for staging. Processed images are stored in private object storage buckets with no public-facing URL. Access to stored images is granted only via short-lived, pre-signed URLs that expire after one hour.

Our AI processing fleet operates in isolated GPU environments. Each render job runs in an ephemeral container that is created fresh for the job and destroyed immediately upon completion. Source images and outputs are never written to shared or persistent volumes accessible by other customers. This design ensures complete tenant isolation throughout the processing lifecycle.

We maintain a publicly accessible status page at status.virtualstagedesign.com where you can monitor real-time infrastructure health, current incident reports, and historical uptime data. We commit to a 99.9% monthly uptime SLA on all paid plans, and 99.95% for Enterprise customers with SLA addenda. In the event of an incident, we publish a post-mortem report within five business days of resolution.

Virtual Staging is SOC 2 Type II certified, with an audit scope covering Security, Availability, and Confidentiality trust service criteria. Our annual audit is conducted by an independent AICPA-registered CPA firm. Enterprise customers can request a copy of our most recent audit report and bridge letter under NDA by contacting security@virtualstagedesign.com.

We process personal data of European and UK residents in accordance with the General Data Protection Regulation (GDPR) and UK GDPR. We act as a data processor on behalf of our enterprise customers, who remain the data controllers for any personal data contained in the images they upload. We execute standard Data Processing Agreements (DPAs) with all enterprise customers and maintain Standard Contractual Clauses for cross-border data transfers.

Our MLS compliance module automatically flags images in which the AI has made changes that may require disclosure under listing rules — including furniture additions to spaces that appear occupied, or modifications to visible exterior features. Flagged images require explicit confirmation from the user before they can be downloaded. This workflow is designed to support, but does not replace, your own compliance review obligations.

We conduct an annual third-party penetration test of our web application and API surface, performed by an independent security firm. Critical and high findings are remediated within 30 days of the report; medium findings within 60 days. Additionally, we operate a responsible disclosure programme — security researchers who discover vulnerabilities can report them to security@virtualstagedesign.com and we commit to acknowledging reports within two business days and resolving valid findings within 90 days.

Virtual Staging maintains a documented incident response plan that is tested through tabletop exercises at least twice per year. In the event of a confirmed data breach involving personal data, we will notify affected customers within 72 hours of becoming aware of the incident, in accordance with GDPR Article 33 obligations and applicable US state breach notification laws.

Incident notifications will include a description of the nature of the breach, the categories and approximate number of records affected, the likely consequences of the breach, and the measures we have taken or propose to take to address it. We maintain cyber liability insurance to ensure we have the resources to respond to significant incidents without disruption to the service.

Security questions, vulnerability reports, and requests for compliance documentation should be directed to security@virtualstagedesign.com. We aim to respond to all security-related enquiries within two business days. For enterprise customers with active SLA contracts, security escalations are routed directly to your assigned customer success manager.