Security Declaration

PicSee Inc. (hereinafter "PicSee") is committed to maintaining the security of its information systems and user data. PicSee has obtained ISO 27001 Information Security Management certification and operates a comprehensive information security management system in accordance with applicable regulations and industry best practices.

The following outlines PicSee's key information security controls in its cloud environment:

1. Information Security Governance

PicSee provides services on AWS cloud infrastructure and follows these principles in system design and operations:
  1. Least Privilege
  2. Defense in Depth
  3. Secure by Default
  4. Zero Trust access control

The scope of information security management covers the following areas, with continuous improvements based on threat intelligence and operational needs:
  1. Cloud infrastructure security
  2. Identity and access management (IAM)
  3. Application security
  4. Source code security scanning
  5. Vulnerability scanning and penetration testing
  6. Log monitoring and incident tracking
  7. Data protection and backup
  8. Malicious URL and abuse protection


2. System Architecture & Availability

System Architecture
PicSee's core services run within an AWS VPC, utilizing EC2, DynamoDB, ElastiCache, Timestream, Amazon S3, and CloudWatch. The system uses a layered architecture and event-driven design, with GCP as a failover, to reduce single points of failure. Service stability is maintained through:
  1. AWS Auto Scaling
  2. Redis caching
  3. S3 backup
  4. GCP failover
  5. CloudWatch monitoring and alerting

Service Availability Target (SLA Target)
PicSee's current availability targets are:
  1. PicSee website and API: 99.9%
  2. Short URL redirect service: 99.95%

3. Cloud Security Controls

1. AWS WAF
PicSee's public-facing website and redirect system are protected by AWS WAF to mitigate:
  1. SQL Injection (SQLi)
  2. Cross-site Scripting (XSS)
  3. HTTP Flood
  4. Rate Limiting
  5. Bot abuse
  6. OWASP Top 10 attack types

2. DDoS and Traffic Protection
PicSee employs the following to reduce the impact of large-scale traffic attacks and abnormal requests on service availability:
  1. Cloudflare Proxy and CDN: helps hide origin server IPs and blocks DDoS and bot traffic at the edge.
  2. AWS WAF
  3. Load Balancing / Auto Scaling
  4. S3 backup
  5. GCP failover
  6. Redis caching and distributed architecture

3. Security Group
  1. Only necessary service ports are open
  2. Management interfaces are restricted to specific sources
  3. Internal data services are not directly exposed to the Internet
  4. Production and management networks are segmented

4. NACL
  1. Subnet-level traffic filtering
  2. Blocking unexpected source traffic
  3. Network segmentation in conjunction with AWS VPC

4. IAM & Access Management

IAM Management
PicSee uses IAM as the core for identity and access management. All privileged accounts require MFA (Multi-Factor Authentication), following these principles:
  1. Least Privilege
  2. Role-Based Access Control (RBAC)
  3. Separation of Duties

Secrets Management
Sensitive information such as API keys, database passwords, and third-party credentials is centrally managed via AWS Secrets Manager or equivalent, avoiding hard-coding of secrets in source code or configuration files.

5. Data Security & Encryption

1. Transmission Encryption
PicSee's public-facing website, default redirect system, and API use TLS 1.3 for encrypted transmission. For customers using their own branded short domains, encryption options are provided based on the customer's plan.

2. Data at Rest Encryption
Databases, backups, and cloud storage resources are all protected by encryption to reduce the risk of unauthorized access.

3. Database Access Control
Database access follows a least-privilege design:
  1. Application accounts have only the necessary permissions
  2. Production and test environments are isolated
  3. External direct connections are restricted
  4. Account and permission configurations are reviewed regularly

6. Secure Development Lifecycle (Secure SDLC)

1. Source Code Security Scanning (SAST)
PicSee performs source code security scanning (SAST) before each release to detect the following. High-risk issues must be remediated before going live:
  1. Injection vulnerabilities
  2. Use of insecure functions
  3. Credential leakage
  4. Common code weaknesses

2. Third-Party Dependency Vulnerability Scanning
With each release, third-party package and dependency vulnerability scans are performed to monitor known CVEs and supply chain attack risks.

3. Code Management Process
PicSee manages production releases using Git Flow and a CI/CD pipeline.
All production code must go through the following process before deployment:
  1. Developer commit
  2. Code Review
  3. QA verification
  4. Automated deployment pipeline

7. Vulnerability Scanning & Penetration Testing

1. Black-Box Vulnerability Scanning (DAST)
Public-facing web and API systems undergo regular vulnerability scanning to detect:
  1. OWASP Top 10
  2. API security issues
  3. Session management issues
  4. Misconfigurations
  5. Information disclosure

2. Penetration Testing
PicSee conducts annual penetration testing in March, initiated by customers, to verify the security of public-facing systems. Findings are prioritized and remediated based on risk level.
Customers requiring penetration testing may submit a request to PicSee, and we will provide the necessary assistance.

8. Host & System Operations Security

1. Patch Management
PicSee applies the following updates with each release:
  1. OS Security Patches
  2. Runtime updates
  3. Middleware updates
  4. Container / package updates

2. Host Protection
PicSee's cloud hosts run within AWS EC2 and a restricted VPC network; they are not accessible to general users and are not used as employee workstations.
Traditional Endpoint Antivirus / EDR architecture is therefore not deployed. Instead, the following principles serve as the primary host protection strategy, reducing the risk of traditional endpoint malware infection:
  1. Security Group network isolation
  2. IAM access control
  3. Patch Management
  4. Vulnerability remediation
  5. Least privilege design
  6. AWS cloud security mechanisms

3. Logging & Monitoring
PicSee uses the following to monitor its systems. Important operation logs are retained for five years to support security incident investigations:
  1. AWS CloudWatch
  2. CloudTrail
  3. System operation logs
  4. Security event alerting

9. Malicious URL & Abuse Protection

PicSee maintains a multi-layered malicious URL and abuse protection system to reduce the risk of phishing, fraud, and malicious traffic. All destination URLs are checked against malicious URL databases and third-party reputation services (such as Google Safe Browsing); if a risk rule is triggered, the system immediately rejects creation of the short URL.

PicSee also performs risk analysis on short URL redirect behavior, including detection of abnormal redirects, suspicious traffic, and abuse patterns. If the system identifies a risk, it may display a security warning page, throttle traffic, or disable the relevant short URL. For confirmed malicious activity, PicSee can immediately disable the short URL, block the account and source IP, and restrict the account from further use.

PicSee also maintains an abuse reporting and manual review process to reduce the survival time of malicious content and improve overall platform security.

10. User Account & Privacy Protection

1. Login Security
PicSee supports the following login methods and does not store user passwords, reducing the risk of credential leakage:
  1. Google OAuth
  2. Email verification code

2. Audit Logs & Group Permissions
The system provides group permissions and audit log features to track important backend operations. Administrators can instantly revoke group member permissions.

3. Privacy & Account Deletion
PicSee provides a privacy policy, terms of use, and an account deletion mechanism.
Users may request to delete their account and associated identifiable data.

11. Continuous Improvement

PicSee continuously strengthens its information security management and technical protection capabilities based on:
  1. Cloud security best practices
  2. Threat intelligence
  3. Customer requirements
  4. Regulatory requirements
  5. System architecture evolution

If you have any questions about this Security Declaration, please contact us:
Email: service@picsee.vip

Last Updated: May 2026