Capture One does not and will not sell or rent customers’ data.
Physical safety
All production services are cloud-based or hosted in an external professional datacenter, and no customer-facing services will stop working if our own physical locations are hit by fire, power failure, flooding, etc.
Our primary customer-facing services are hosted in Microsoft Azure infrastructure with geo-redundant backup plans to cover disaster recovery scenarios.
Access Control
All access to Capture One’s office is controlled with strictly personal digital access keys (fobs), which also control the burglar alarm system.
Firewalls & antivirus
All Capture One’s computers have antivirus software installed to protect against viruses, phishing, etc. All on-prem servers are hosted in a professional datacenter behind a firewall and can only be accessed via MFA-controlled VPN or from inside our corporate network. All cloud-based infrastructure, i.e. Capture One’s Microsoft Azure tenant, is only accessible with MFA authentication integrated with our corporate authentication setup. Capture One’s office network is based on Cisco Meraki technology, and the Wi-Fi is the same and is integrated with our corporate authentication, Microsoft Azure Active Directory.
Encryption
All web-hosted systems handling personal data use the encrypted HTTPS protocol to transfer data between the client and Capture One’s backend systems. All internal access to customer data, i.e. customer support, tech support, etc., can only happen via encrypted channels like HTTPS, VPN, etc.
Organisation safety
All access to Capture One’s own systems is controlled with personal logins only. No generic logins are allowed. Microsoft MFA is enforced on all personal logins to our corporate systems, including VPN connections. Microsoft extended security plans are activated to protect the data from phishing, etc.
Access to third-party systems is controlled by IT, and only personal logins are allowed, for proper tracking of user activity.
Confidentiality
All employees with access to the IT systems are under a legal contract that includes a confidentiality agreement covering all company and customer data.
COL & CFT are both Microsoft Azure-based services; therefore we also refer to Microsoft’s security measures in our DPA. Appendix B, Section 11.
Microsoft Azure
The security measures in place on the Microsoft Azure platform are specified in the DPA with Microsoft Ireland Operations, Ltd (“Microsoft”), which may be downloaded via the following link: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. More information on Microsoft Azure security measures can be found via the following link: https://learn.microsoft.com/en-us/azure/security/fundamentals/overview.
Sendgrid
The security measures in place with Sendgrid are specified in the DPA with Twilio, Inc., which may be downloaded via the following link: https://www.twilio.com/en-us/legal/data-protection-addendum. More information on Sendgrid security measures can be found via the following link: https://www.twilio.com/en-us/legal/security-overview.
AI Governance
Capture One does not use any customer data to train its AI models.
We only train Capture One AI models on content where we have permission or rights to do so.
We do not mine content from the web to train Capture One AI Models.
Capture One currently does not use generative AI within the product.
Our AI models are all deployed in the applications running on the devices on which you deploy Capture One.
This statement does not apply to the Capture One Photoroom integration. The Photoroom AI models are hosted by Photoroom, which is an independent data controller. The AI security is governed by Photoroom’s terms and conditions.