Security
This page explains how Gumnut protects your data. It covers our authentication, encryption, access controls, and operational practices. For data-handling commitments, see the Privacy Policy.
Last updated: 2026-05-18
What this covers
Gumnut is operated by Gumnut Labs LLC. This page covers:
- The marketing site at www.gumnut.ai
- The Photos web app at app.gumnut.ai
- The Photos API at api.gumnut.ai, including the MCP server used by AI assistants
- The Immich-compatible service at photos.gumnut.ai
Authentication
Sign-in is handled by Clerk, a dedicated authentication provider. We never see or store your password directly - Clerk does, using industry-standard password hashing.
Sign-in methods
- Email and password
- Email magic link, a one-time link sent to your address
- Phone number with a one-time code
- Single sign-on via Google or GitHub
- Passkeys (WebAuthn) for phishing-resistant sign-in
Multi-factor authentication
You can add an authenticator app (TOTP), such as 1Password, Authy, or Google Authenticator, as a second factor for extra protection.
We do not offer SMS as a second factor. SMS-based 2FA has well-known weaknesses, most notably SIM-swap attacks, and we'd rather not offer a security control we don't trust. Phone-number sign-in still uses SMS to deliver the one-time code, but we treat it as a primary sign-in choice rather than a second factor.
API keys
If you create an API key, we store only a one-way hash of the key. We can verify a key you present on a request, but we cannot recover the key from our database. If you lose it, you create a new one.
AI-assistant connections
When you connect ChatGPT, Claude, or another AI assistant to your library, the connection is authorized through an OAuth flow on our own MCP OAuth server. The assistant receives a scoped access token, not your account credentials, and you can revoke its access at any time from the assistant's integrations settings.
Authorization
Every API request is authorized server-side against the authenticated user. Library, album, asset, person, and face IDs are resolved through a per-request authorization check that confirms the calling user owns the resource before any data is returned or modified. There is no client-side or URL-derived trust - the same authorization layer runs whether the request comes from our web app, an SDK, an Immich client, or an AI assistant.
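An added example of the per-request ownership gate described above, written to illustrate the pattern rather than taken from Gumnut's code base; the table layout, resource kinds, and user IDs are constructed. It sets the insecure direct lookup (an IDOR) beside a single `resolve_owned` function that every handler calls with the user ID taken from the verified session or token, and it returns the same "not found" outcome for a foreign resource as for a missing one, so the response does not leak which IDs exist.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both 'does not exist' and 'exists but belongs to someone else'."""


@dataclass(frozen=True)
class Resource:
    kind: str
    id: str
    owner_id: str


# Constructed sample data standing in for the database tables.
TABLES = {
    "asset": {
        "a1": Resource("asset", "a1", "user-alice"),
        "a2": Resource("asset", "a2", "user-bob"),
    },
    "album": {"alb1": Resource("album", "alb1", "user-alice")},
    "person": {"p1": Resource("person", "p1", "user-bob")},
}


def get_asset_insecure(asset_id: str) -> Resource:
    """The IDOR pattern the page rules out: trusts the ID in the URL alone."""
    return TABLES["asset"][asset_id]


def resolve_owned(user_id: str, kind: str, resource_id: str) -> Resource:
    """The one authorization gate every handler goes through.

    user_id must come from the verified session or access token, never from the
    request path, query string, or body.
    """
    row = TABLES.get(kind, {}).get(resource_id)
    if row is None or row.owner_id != user_id:
        raise NotFound(f"{kind} not found")  # identical message for both cases
    return row


def access_outcome(user_id: str, kind: str, resource_id: str) -> str:
    """Collapse the gate's result to 'ok' / 'not found' for callers that need a verdict."""
    try:
        resolve_owned(user_id, kind, resource_id)
        return "ok"
    except NotFound:
        return "not found"


def handle_get_asset(auth_user_id: str, asset_id: str) -> dict:
    asset = resolve_owned(auth_user_id, "asset", asset_id)
    return {"id": asset.id, "kind": asset.kind}


def handle_add_to_album(auth_user_id: str, album_id: str, asset_id: str) -> bool:
    # Requests that reference several IDs authorize every one of them, not just the
    # primary resource; a foreign asset ID must not slip in via the secondary slot.
    resolve_owned(auth_user_id, "album", album_id)
    resolve_owned(auth_user_id, "asset", asset_id)
    return True
```

Because the gate is a plain function, the same code serves the web app, SDK, Immich-compatible, and MCP entry points; the only thing each transport contributes is how it authenticates the caller and produces `auth_user_id`.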
Encryption in transit
All connections to Gumnut services use HTTPS / TLS. This includes the marketing site, the web app, the API, the MCP server, the OAuth endpoints, and image and video delivery via our CDN. HTTP requests are redirected to HTTPS at the edge.
Encryption at rest
Your data is stored encrypted at rest by our infrastructure providers:
- Database (PostgreSQL on Render): disk-level AES-256 encryption.
- Object storage (Cloudflare R2): server-side AES-256 encryption applied to all objects automatically.
- Backups: inherit the encryption of the underlying storage.
Infrastructure and isolation
Gumnut runs on managed infrastructure:
- Application servers, background workers, and the database are hosted on Render in the United States.
- Photo and video files are stored in Cloudflare R2 and delivered through Cloudflare's CDN.
- Cloudflare provides DDoS protection and a web application firewall in front of the public asset domain.
Network access to the database is restricted to our application servers; the database is not exposed to the public internet.
Internal access to your data
Production data access is limited to a small number of named Gumnut engineers, and is granted only on a need-to-know basis. When an engineer does access user data, it is for one of the following purposes:
- Operating, debugging, or maintaining the service
- Investigating a security incident, abuse, or suspected fraud
- Responding to a support request you initiated
- Complying with a valid legal request
User data is never retained on employee machines. Engineers access data through authenticated administrative interfaces - your photos, videos, derived data, and database records stay on Gumnut infrastructure. We don't keep local copies of customer databases or asset stores on laptops.
Monitoring and logging
- Application logs, such as request metadata, error traces, and performance data, are retained for up to 90 days and used for debugging, abuse detection, and capacity planning. We do not intentionally log photo or video contents.
- Error and performance telemetry is sent to Sentry. See the Privacy Policy for what's included in those events.
- Authentication events, including sign-ins, MFA changes, and suspicious activity, are recorded by Clerk and visible in your account security history.
Software supply chain
- Dependency cooldown. New versions of third-party libraries must age for a minimum window before our build will pick them up. This dampens the blast radius of a compromised package release.
- Pinned dependencies. Application dependencies are pinned to specific versions in lockfiles, and CI builds use those locked versions deterministically.
- Code review. All changes to production code are reviewed before they merge. Automated review checks scan for common security mistakes on every change.
- Secret management. API keys, database credentials, and provider tokens are stored as environment-scoped secrets in our infrastructure providers, never in source control.
AI model providers
Image and video descriptions are generated by third-party vision-language models: Google Gemini via the paid-tier API and/or open-weight models routed via OpenRouter. These providers operate under zero-data-retention terms: they don't retain your photos, videos, or prompts after fulfilling the request, and don't use them to train or improve their models. The Privacy Policy lists the specific providers and links to their terms.
Compliance posture
Gumnut is a small, pre-scale operation. We have not undergone a SOC 2, ISO 27001, or equivalent third-party audit, and we don't claim certification we don't hold. The architecture is designed with SOC 2 Type 2 and ISO 27001 controls in mind, so that pursuing formal audits later doesn't require re-architecting the product.
We'll update this page when that changes.
Vulnerability disclosure
If you discover a security issue, please email hello@gumnut.ai with the details. We ask that you:
- Give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly.
- Avoid actions that could harm other users' data, degrade service availability, or violate privacy.
- Stick to your own test accounts when reproducing the issue.
We don't operate a paid bug bounty today, but we're grateful for responsible disclosure and will acknowledge researchers who report valid issues.
Data retention and deletion
See the Privacy Policy for the full list. In brief: deleted photos and videos spend up to 90 days in trash before being purged from our database and object storage; backups are kept up to 30 days; logs and telemetry up to 90 days.
Contact
Security questions or reports: hello@gumnut.ai.