Security at Keenpix
Keenpix is an image transformation service, so its first security boundary is deciding which origins and URLs it may fetch. This page documents the controls present in the product; it is not a certification or penetration-test claim.
Origin and request controls
Projects allowlist origin hostnames. Outbound fetches are SSRF-hardened, and optional HMAC-signed URLs can restrict who may create transform requests. No public project API secret needs to be embedded in image markup.
Data handled by the cloud service
The managed service processes source image URLs, transformed image bytes, cache entries, and request telemetry needed for delivery and analytics. Keenpix is not a digital asset manager and does not ask you to move master assets into a Keenpix media library.
Deployment choice
Teams that require infrastructure control can run the AGPL-3.0 engine themselves. Self-hosting transfers responsibility for network policy, updates, backups, monitoring, and incident response to the operator.
Claims we do not make
Keenpix does not currently claim SOC 2, ISO 27001, PCI certification, a public bug-bounty program, or a contractual uptime SLA. Those claims will appear only if supporting evidence exists.