The base simulator runs 100% in your browser. No patient photo reaches our servers. The photoreal path is different — this page names every sub-processor and every gap.
MediaPipe landmark detection (468 points) and ONNX inference (Depth Anything v2, FairFace) run entirely in the browser using WebAssembly and WebGL. No image bytes are transmitted to Faceify servers during standard simulation. Model weights are fetched once (self-hosted, with CDN fallback) and run locally. Your photo leaves your device only if you turn on the optional AI photoreal preview (sent to a third-party provider) or choose to save a simulation to your account.
lib/simulation/face-mesh.ts · lib/simulation/depth-v2/depth-v2-inference.ts · lib/simulation/ai-suggestions/ethnicity-ml.ts
When a user activates the photoreal preview and grants AI photo consent, the patient photo (base64 data URL) is transmitted to Replicate, a US-based GPU cloud provider, via /api/simulation/diffusion-preview. Replicate generates the preview and returns a URL. The image is not persisted to Faceify's database — it exists on Replicate's CDN for their TTL only.
US users are blocked at the API route level (HTTP 451). Non-US users, including UK and AU, are exposed to this third-party transmission once they grant explicit AI photo consent. The consent modal is being updated to name Replicate explicitly and to describe the US-based transfer.
app/api/simulation/diffusion-preview/route.ts:277 — x-vercel-ip-country === "US" → HTTP 451
The architectural fact — browser-native inference, zero server PHI on the base path — is the strongest compliance asset. The diffusion path creates obligations that are not yet fully met. This table shows both.
| Regime | Position |
|---|---|
| HIPAA (US) | The base simulator produces zero data egress by design: MediaPipe landmark detection and ONNX inference run in the browser; no patient photos reach Faceify servers on the standard path. Faceify is not a covered entity. BAA available on the Enterprise plan upon request. |
| EU GDPR | Lawful basis: consent (Article 6(1)(a)) for AI photo features; contract (Article 6(1)(b)) for account and billing. The Article 17 deletion right is exercisable via /api/account/delete or Settings. For the base simulator, image data does not transit EU borders (it stays on the device). The diffusion path transmits to Replicate (US); the transfer mechanism for EU users is under review. |
| UK GDPR | Same data-residency position as EU GDPR for the base simulator. Supervisory authority: ICO. Third-party transfers need a UK transfer tool (the ICO's IDTA, or the UK Addendum to the EU SCCs); EU SCCs on their own do not suffice. A Replicate DPA under the IDTA has not yet been executed. This is an open gap for the diffusion path. |
| PDPA | Base simulator: image data does not leave the device; PDPA cross-border transfer obligations are not triggered. Consent is collected in-app before any simulation preview runs. |
| PIPA | Base simulator: image data does not leave the device; PIPA cross-border transfer obligations are not triggered. Consent is collected in-app before any simulation preview runs. |
| Australian Privacy Act (APP 8) | Base simulator: image data does not leave the device; APP 8 cross-border disclosure obligations are not triggered. The diffusion path requires an explicit APP 8 disclosure before non-US (including AU) users can use it. That disclosure is being added to the AI photo consent modal. Until it lands, the diffusion path is non-compliant for AU users. |
Realtime mode: camera feed stays on-device
When Realtime mode is active, the Banuba SDK processes the camera feed entirely within the browser WASM runtime. No image frames or face landmarks are transmitted to Faceify Labs or any third party. The Banuba license token is validated locally; the SDK does not phone home.
Replicate: patient photo transmitted (diffusion path only)
For non-US users who activate the photoreal preview, the patient's facial photo (base64) is transmitted to Replicate. US users are geo-blocked. Non-US users see an explicit AI photo consent modal. Replicate is a US-based company; no BAA or DPA is currently in place. This is the most significant sub-processor disclosure on this page.
Every vendor that receives data on our behalf. Sub-processor list last reviewed 2026-05-26. We update within 7 days of any vendor change.
| Vendor | What it receives | PHI / patient photo? | BAA / DPA status | Scope |
|---|---|---|---|---|
| Vercel | All HTTP traffic; Vercel Blob stores patient before/after simulation images when saved | Yes — Vercel Blob receives actual patient facial images (on explicit save only) | DPA available; no BAA signed | All paths (hosting); patient images on save (base sim + diffusion) |
| Neon (PostgreSQL) | User PII (email, name, userId); simulation metadata (procedure slug, params); PHI audit log entries; AI photo consent timestamps; Vercel Blob image URLs | No raw photo bytes. Stores image URLs and userId + procedure + consent timestamps. | DPA available; no BAA signed | Base sim + diffusion; billing; auth |
| Vercel Blob | Patient before/after simulation images (base64-sourced, re-encoded) when a signed-in user saves a simulation | Yes — full facial image. Stored at a non-guessable UUID path, but the object is publicly readable: the random path is the only access control, so anyone holding the URL can fetch the image, and the URL itself is stored in Neon. | Part of Vercel DPA; no BAA signed | Base sim on save; diffusion output on save |
| Upstash Redis | IP addresses + rate-limit counters; hashed user IDs as rate-limit keys | No image data. No PHI. | No DPA confirmed from source code | All paths (rate limiting) |
| Resend | Patient email address; surgeon email address; patient name; surgeon name; procedure label; share URL (encodes simulation params only — no photos) | Email addresses. Template explicitly excludes photos. | DPA available; no BAA | Consultation sharing; transactional email |
| Polar | Patient email; payment metadata; subscription status | Email address. No images. | DPA available; no BAA. Polar is Merchant of Record. | Billing only |
| Sentry | Stack traces; error messages; request URLs (tokens redacted by beforeSend filter). Extra context stripped of image/file keys. Session replay active at 1% sample rate with maskAllText + blockAllMedia. | No confirmed PHI. One P2 gap: error message string content is not scrubbed for embedded fragments (low probability). | DPA available; no BAA | All paths (error monitoring) |
| PostHog | Funnel events: procedure name, landmark count (integer), preset ID, deal ID, error code. Page views. Session replay if enabled in project dashboard. | No image bytes in event payloads. Session replay gap: canvas is not explicitly blocked in posthog.init options (P0 fix in progress). | DPA available; no BAA. EU primary region. | All paths (analytics) |
| Replicate | Patient photo (base64 data URL) for photoreal/diffusion preview generation. US users are geo-blocked (HTTP 451). Non-US users only, after explicit AI photo consent. | YES — full patient facial photo transmitted. Replicate is a US-based company. UK/AU transmission triggers UK GDPR Chapter V and AU Privacy Act APP 8 international transfer obligations. No BAA, no DPA confirmed. | No BAA. No DPA confirmed from source. Transfer mechanism for UK/AU not yet executed. | Diffusion/photoreal path only. Non-US only. |
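The Sentry row above describes a beforeSend filter that redacts tokens in request URLs and strips image/file keys from extra context, and flags that error message strings are not yet scrubbed for embedded image fragments. The following is an added example, not Faceify's own filter, of a scrubber that covers that gap as well: it drops context keys that look like they carry image or file data, removes credential headers, redacts data URLs and long base64 runs anywhere a string appears (message, exception value, URL, nested context), and masks token-bearing query parameters. The event shape is a minimal stand-in for the Sentry event type; the key list, header list and regexes are assumptions for illustration.

```typescript
// Added example, not Faceify's beforeSend filter: scrub an error event before
// it leaves the process. The event shape below is a minimal stand-in for the
// Sentry event type; key list, header list and regexes are assumptions.

export type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

export interface TelemetryEvent {
  message?: string;
  request?: { url?: string; headers?: { [name: string]: string } };
  extra?: { [k: string]: Json };
  exception?: { values?: { type?: string; value?: string }[] };
}

const REDACTED = "[redacted]";
// Context keys likely to carry image bytes or file contents: replaced wholesale.
const IMAGE_KEY_RE = /image|photo|file|blob|base64|dataurl|thumbnail/i;
// Request headers that carry credentials: dropped outright.
const SECRET_HEADERS = ["authorization", "cookie", "x-api-key"];
// Inline image payloads that may sit in any string, including the error
// message itself (the gap the Sentry row describes).
const DATA_URL_RE = /data:image\/[a-z0-9.+-]+;base64,[A-Za-z0-9+/=]+/gi;
const BASE64_RUN_RE = /[A-Za-z0-9+/]{200,}={0,2}/g;
// Token-bearing query parameters in URLs.
const TOKEN_PARAM_RE = /([?&](?:token|access_token|api_key|key|sig|signature)=)[^&#]*/gi;

export function scrubString(s: string): string {
  return s
    .replace(DATA_URL_RE, REDACTED)
    .replace(BASE64_RUN_RE, REDACTED)
    .replace(TOKEN_PARAM_RE, `$1${REDACTED}`);
}

// Recursively scrub nested context: image-like keys are replaced wholesale,
// every other string is passed through scrubString, scalars are untouched.
export function scrubValue(v: Json): Json {
  if (typeof v === "string") return scrubString(v);
  if (Array.isArray(v)) return v.map(scrubValue);
  if (v !== null && typeof v === "object") {
    const out: { [k: string]: Json } = {};
    for (const k of Object.keys(v)) {
      out[k] = IMAGE_KEY_RE.test(k) ? REDACTED : scrubValue(v[k]);
    }
    return out;
  }
  return v;
}

// beforeSend-style hook: returns a copy of the event with every string field
// scrubbed and credential headers removed.
export function scrubEvent(event: TelemetryEvent): TelemetryEvent {
  const out: TelemetryEvent = { ...event };
  if (out.message !== undefined) out.message = scrubString(out.message);
  if (out.request) {
    const headers: { [name: string]: string } = {};
    const src = out.request.headers || {};
    for (const k of Object.keys(src)) {
      if (SECRET_HEADERS.indexOf(k.toLowerCase()) === -1) headers[k] = scrubString(src[k]);
    }
    out.request = {
      url: out.request.url === undefined ? undefined : scrubString(out.request.url),
      headers,
    };
  }
  if (out.extra) out.extra = scrubValue(out.extra) as { [k: string]: Json };
  if (out.exception && out.exception.values) {
    out.exception = {
      values: out.exception.values.map((e) => ({
        ...e,
        value: e.value === undefined ? undefined : scrubString(e.value),
      })),
    };
  }
  return out;
}
```

Run it as the beforeSend hook and assert on the returned event in a unit test with a constructed event that embeds a data URL in the message; a scrubber that is only checked by eye tends to drift as new context keys are added.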
Consent is collected in-app before any procedure preview runs. The consent gate is enforced at the route level — no simulation output is returned before the patient has acknowledged the terms.
Clinical consent records are owned by the clinic, not Faceify. Faceify does not store the patient's clinical consent; the clinic's EHR or patient management system is responsible for maintaining that audit trail per its local regulatory requirements. The one consent artefact Faceify does hold server-side is the AI photo consent timestamp written to Neon when a user grants consent for the photoreal preview (see the sub-processor table).
Diffusion path: explicit AI photo consent
The photoreal preview sits behind a separate, explicit AI photo consent modal. That modal is being updated to name Replicate, Inc. as the US-based GPU compute provider, describe the transfer of the photo to the US, and state that the base simulator runs entirely in-browser without any data transfer. For UK users it will disclose the IDTA gap (no signed agreement with Replicate yet; the ICO is the supervisory authority); for AU users it will carry the APP 8 cross-border disclosure. Consent is double opt-in: declining disables only the photoreal feature, and the base simulator remains fully available.
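As an added example (not the project's route.ts), the gate below combines the route-level geo-block described earlier on this page with the consent check this section describes. It fails closed when the country header is missing or malformed rather than treating an unknown location as non-US, refuses the request unless consent was recorded against the disclosure version the modal currently shows (so consent given before the modal named Replicate does not carry over), and only then admits the photo. The request shape, the consent field names, the disclosure version string and the status code for the undetermined case are assumptions.

```typescript
// Added example, not the project's route.ts: the checks a diffusion-preview
// route applies before a photo is forwarded to a third-party provider.
// Request shape, consent field names and the version string are assumptions.

export type GateDecision =
  | { allow: true }
  | { allow: false; status: 451 | 403 | 400; reason: string };

export interface DiffusionRequest {
  headers: { [name: string]: string | undefined }; // lower-cased header names
  body: {
    image?: string; // base64 data URL, as the page describes
    aiPhotoConsent?: { accepted: boolean; disclosureVersion: string };
  };
}

// Pin consent to the disclosure text the modal actually shows; bump this
// when the modal wording changes so stale consent is not honoured.
export const CURRENT_DISCLOSURE_VERSION = "2026-05-replicate-us"; // assumed value

export function gateDiffusionRequest(req: DiffusionRequest): GateDecision {
  // x-vercel-ip-country is stamped by Vercel's edge. It is only trustworthy if
  // the route cannot be reached except through that edge, and when it is
  // absent or malformed we fail closed instead of treating "unknown" as non-US.
  const country = (req.headers["x-vercel-ip-country"] || "").trim().toUpperCase();
  if (!/^[A-Z]{2}$/.test(country)) {
    return { allow: false, status: 451, reason: "jurisdiction could not be determined" };
  }
  if (country === "US") {
    return { allow: false, status: 451, reason: "photoreal preview is not offered in the US" };
  }

  // Consent must be present, accepted, and tied to the current disclosure.
  const consent = req.body.aiPhotoConsent;
  if (!consent || !consent.accepted || consent.disclosureVersion !== CURRENT_DISCLOSURE_VERSION) {
    return { allow: false, status: 403, reason: "AI photo consent not recorded for the current disclosure" };
  }

  // Only a base64 image data URL is forwarded; anything else is rejected
  // before any provider call is made.
  if (!req.body.image || !/^data:image\/[a-z0-9.+-]+;base64,/i.test(req.body.image)) {
    return { allow: false, status: 400, reason: "image must be a base64 image data URL" };
  }
  return { allow: true };
}

// HTTP status the route should answer with for a given decision.
export function statusOf(d: GateDecision): number {
  return d.allow === true ? 200 : d.status;
}
```

The order matters: the geo-block runs before the body is inspected, so a US request never has its photo parsed, and the consent check runs before the image check, so a request without consent is refused before the payload is touched.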
Security questions, BAA and DPA requests, vulnerability disclosure, and procurement questionnaires:
partners@faceifylabs.com
A Data Protection Impact Assessment (DPIA) for the photoreal diffusion path is available upon request. Response within 5 business days.
No invented dates. Status reflects internal roadmap as of 2026-05-26.
ISO 27001
Under review (last reviewed 2026-05-26)
SOC 2 Type II
Not yet pursued. Trigger: first $50k+ ACV contract per internal decision criteria.
Multi-region data residency
Under evaluation for UK and AU private hospital requirements.
PHI-tier audit log
Planned Q2 2026 per CTO report. Will cover photos, annotations, and consultation messages.
Replicate DPA / BAA (UK IDTA + AU APP 8)
Required before diffusion path is compliant for UK/AU users. Under active procurement.
Faceify Labs is an educational visual planning tool designed to facilitate patient-surgeon communication. It is not regulated as a medical device under the U.S. FDA, the Thai FDA, the Korean MFDS, ANVISA (Brazil), or the PMDA (Japan). All previews are visualisations of the requested change — not predictions of surgical outcome, clinical diagnoses, or treatment recommendations. Read our full clinical posture →