One contract for every team in your org

Ye, SOC 2 Type 2 certified (API scope). The most recent report is from April 2026. Sub-processor list, DPA, incident response process, and encryption posture are available at trust.photoroom.com.

Yes at the team workspace level. Workspaces, projects, and brand assets are scoped to the team that owns them, and members of one team cannot see another team's projects. Folder-level access control within a single workspace is a known gap for multi-business-unit organizations. If this affects how your teams need to operate, raise it with your account team so it factors into prioritization.

Per-team consumption reporting is available today, broken out by team and time period. Per-API-key and per-endpoint breakdowns are in development, alongside a self-serve usage dashboard for Enterprise customers.

API keys have unlimited validity by default, and new keys can be created at any time. Key revocation and rotation are handled through your account team on request. Automated rotation is on the roadmap.

API access logs are retained for one year and operation logs for fifteen days. For compliance reviews requiring specific log artifacts, raise the request with your account team.

Photoroom currently supports SSO with Google. If SSO matters for your rollout, flag it with your account team so it can factor into prioritization.

Native MFA isn't part of the platform today. If your organization uses Google Workspace, MFA is enforced on your side via Google Workspace settings. Once SAML SSO ships, MFA is enforced through your identity provider.