Security

Imato is built on a small, auditable stack on hardware we fully control, and on AI APIs configured to never train on your data.

Transit + storage

Everything flows over TLS 1.2+. Your uploads sit in a private S3-compatible bucket and are accessed via time-boxed presigned URLs (15-minute expiry). Database + object storage volumes are backed up daily and mirrored offsite.

AI provider data handling

We use Google's Gemini 3.1 Flash Lite and Nano Banana 2 through their commercial APIs, both of which exclude your inputs from training data. Your images and translations are never used to improve any foundation model.

Accounts + auth

Sign-in via Apple, Google, or email magic-link — no passwords stored on our end. Sessions are short-lived (15 min) and rotated on every use.

Responsible disclosure

Found a vulnerability? Email security@imato.ai. We'll acknowledge within 48 hours and credit you publicly once it's fixed.