Some organizations and enterprise users may request that vendors fill out custom compliance or IT security forms to assess platform suitability.
Flickr is proud to support a wide range of customers, but due to our structure and policies, we currently have limited support for custom form completion.
What We Can Provide
We are happy to provide the following documentation upon request:
- IRS W-9 Form
- Form 889 (U.S. Government assurance of no prohibited Chinese telecom)
To request one of these forms, please contact Flickr Support.
What We Do Not Complete
At this time, we do not complete custom security or compliance questionnaires, including (but not limited to):
- VPAT (Voluntary Product Accessibility Template)
- CSCRM (Cybersecurity Supply Chain Risk Management)
- Custom internal IT/vendor risk forms
- Data Processing Agreements (DPAs) or Business Associate Agreements (BAAs)
Note: We’re also not able to provide Tax Residency Documents.
We understand these are important documents, and while we don’t fill them out directly, we aim to provide clear, public answers to many of the questions in our Terms of Use, Privacy Policy, Data Processing Agreement, and Standard Contractual Clauses.
Flickr Security Questionnaire Response
Answers provided below are based on Flickr Terms & Conditions of Use.
Data Protection & Privacy
Security & Access Control
Access Controls
- User Access Controls: Users are responsible for maintaining the confidentiality of passwords and restricting access to accounts. Flickr provides privacy options and settings in the Privacy & Permissions section of user accounts.
- Employee Data Access: Flickr limits access based on job role and the principle of least privilege. Some employees may access customer PII (names, emails, phone numbers, billing), but sensitive data (like payment details) is restricted to authorized personnel only. All access is logged, monitored, and reviewed periodically.
Data Encryption
- Data Security: Customer data is stored in AWS with AES-256 encryption at rest. Data in transit is encrypted using TLS 1.2 or higher. All employees' access to our cloud infrastructure is restricted to secure VPN connections that employ strong encryption.
Incident Response & Monitoring
Incident Management
- Security Incident Reporting: Contact available through https://flickrhelp.com/hc/en-us/requests/new for reporting content violations and security concerns.
- Detection & Resolution: Flickr employs systems and measures to detect and remove illegal content, including child sexual exploitation and abuse material (CSEA). Automated scanning and monitoring of user content is performed.
- Breach Policy: Yes, Flickr has a breach reporting and incident response policy.
Recent Security Status
- Security Incidents: No breaches or major security incidents in the last 12 months.
Auditing Capabilities
- Internal Auditing: Flickr Inc. uses centralized logging and monitoring systems to audit access to internal resources. Events such as logins, failed authentication attempts, role changes, and access to sensitive systems are logged and stored in secure, tamper-evident systems. These logs are regularly reviewed, and alerts are generated for high-risk actions.
- Customer Auditing: No auditing capabilities offered for customers.
Business Continuity & Recovery
Disaster Recovery
- Data Availability: Users are solely responsible for creating and maintaining backup copies of User Content. SmugMug does not guarantee User Content will be available after account termination.
- Contract Completion: SmugMug does not guarantee that User Content will be available after termination of the subscription. Users are solely responsible for creating backup copies.
Data Handling
- Data Deletion: When User Content or files are deleted (or account cancelled), files will be deleted as soon as reasonably possible pursuant to data destruction policies and cannot be recovered.
- Media Handling: Files deleted pursuant to Flickr's data destruction policies cannot be recovered by Flickr or any third-party vendor following deletion.
- Data Ownership: Users retain all intellectual property rights in User Content. Flickr does not claim ownership, right, title, or interest in User Content.
Service Termination
- Migration Notice: Flickr will use reasonable efforts to notify users of account termination due to inactivity via email. Users are responsible for downloading the User Content they wish to save.
- 90-Day Notice: Flickr will use reasonable efforts to notify users of account termination due to inactivity via email. Users are responsible for downloading the User Content they wish to save.
Development & Third Parties
Third-Party Requirements
- Security Standards: Flickr uses third-party vendors to host and store media. "We may require our vendors to maintain certain standards with respect to your User Content."
- Security Assessments: Flickr uses third-party vendors and may require vendors to maintain certain standards with respect to User Content.
- Contractual Language: Third-party payment processors (e.g., Amazon Payments or PayPal) are used. Any Payment Information provided is governed by the Privacy Policy terms.
- Service Providers: Flickr may engage service providers for assistance with carrying out obligations under the Terms of Use.
Development Practices
- SDLC Changes: No changes to the system development lifecycle practices. For Flickr software additions, see release notes: Release Notes – Flickr Blog.
- Secure Development: Code is peer-reviewed and deployed through secure CI/CD pipelines with access control. Third-party libraries are scanned for vulnerabilities.
- Third-Party Information Sharing: None.
- AI Components: No.
Compliance & Legal
Audits & Certifications
- Security Audits: Flickr will cooperate with law enforcement agencies, regulatory authorities (including OFCOM in the United Kingdom), and other governmental bodies in their investigations.
- Certifications: No. However, all customer data is stored in Amazon AWS, which holds these certifications. AWS Compliance.
Accessibility & Age Requirements
- Section 508/ADA Compliance: The Services are not targeted towards, nor intended for use by, anyone under the age of 18. Users must be at least 18 years of age.
- Geographic Data Storage: Flickr is located in California, United States. International users accessing from other countries have transactions occurring in the United States,
Additional Security Information
- Content Scanning: Flickr employs automated scanning for illegal content, including CSEA. May immediately suspend/terminate accounts for circumventing SafeSearch, interfering with reporting mechanisms, or uploading content violating child safety requirements.