AI Safety & Face-App Guardrails
Last updated: 2026-05-05
In one paragraph
Ten of MiOffice's AI apps accept user-uploaded photos with faces — FaceSwap, AI Talking Head, AI Cartoon Photo Maker, AI Headshot Generator, Face Enhancer, AI Inpaint, AI Photo Restorer, AI Photo Colorizer, Background Remover Pro, and AI Image Upscaler. Every one of them runs an on-device WebAssembly safety pre-flight before sending anything to a GPU. Photos do not leave your browser unless every required check passes. Every accept and reject is recorded server-side for complete auditability, and the platform-policy banner on every face-input app lists what we will not process.
The standard we hold ourselves to
Face-input AI apps sit at the intersection of four serious responsibilities — and we treat each as a first-class engineering concern, not a checkbox:
- Protecting minors. Generated imagery of minors is a strict-liability concern in every jurisdiction. Our age estimation runs on every detected face before any GPU call.
- Consent and identity integrity. Face manipulation apps must not be vehicles for impersonation, fraud, or non-consensual content. Always-visible platform policy plus mask-intent detection on Inpaint enforce this at the upload layer.
- Output integrity. Sexually explicit output has no place on this platform. NSFW classification on FaceSwap and Inpaint runs before processing, not after.
- User experience. Pre-flight face detection means clear errors instead of silent failures, and no inference cost on non-face uploads.
Every layer below is independently meaningful, and together they form a defense-in-depth posture: visible platform policy, on-device technical pre-flight, server-side audit trail, on-device processing.
The three on-device checks
1. Face detection
A compact face-detection model runs before any image upload reaches the GPU. On apps where a face is required, images without a detectable face are rejected with a clear message — no wasted inference, no silent failure. On apps that also serve product photos or landscapes (Background Remover Pro, AI Image Upscaler), the absence of a face is allowed and the upload proceeds normally.
2. Age estimation
A purpose-built age regression model runs on every detected face, with test-time augmentation supplying a confidence signal. Multi-face images are decided against the youngest face. Every estimate — pass or reject — is recorded with a scalar age value, so calibration is grounded in what the model actually saw rather than what we hoped it saw. Loaded on the five face-manipulating apps.
3. NSFW classifier
An MIT-licensed five-category classifier loads only on the two apps where dedicated input classification is part of the safety stack. Thresholds are calibrated and tuned against ongoing telemetry; we do not publish the live tuning numbers.
4. Inpaint mask-intent (Inpaint only)
Runs at process-click time, because the mask is drawn after upload. Uses the face bounding boxes from check 1 to compute a person-region geometry; if the user's mask materially overlaps that region, an explicit consent confirmation is required before processing. A heuristic fallback applies when no face is detected. Every consent outcome — confirmed, cancelled, or returned to mask editing — is recorded.
Tool coverage matrix
| Tool | Face | Age | NSFW | Mask-intent |
|---|---|---|---|---|
| FaceSwap | ✓ | ✓ | ✓ | — |
| AI Talking Head | ✓ | ✓ | — | — |
| AI Cartoon Photo Maker | ✓ | ✓ | — | — |
| AI Headshot Generator | ✓ | ✓ | — | — |
| Face Enhancer | ✓ | ✓ | — | — |
| AI Inpaint | ✓ | — | ✓ | ✓ |
| AI Photo Restorer | ✓ | — | — | — |
| AI Photo Colorizer | ✓ | — | — | — |
| Background Remover Pro | ✓ (skip-allowed) | — | — | — |
| AI Image Upscaler | ✓ (skip-allowed) | — | — | — |
What we keep private
- The audit log stores only scalar metadata (age estimate, NSFW score, mask coverage, decision). We do not store the uploaded image bytes.
- IP addresses are sha256-hashed before storage. The audit log never holds a raw IP.
- Thresholds are tuned to catch the cases that matter (minors, explicit-output abuse) while preserving normal-use throughput. We continuously calibrate against telemetry.
How we built it (and why this design)
The safety pre-flight is a single shared module that every face-input app composes with — not a per-app re-implementation. That choice matters: when a new app joins the platform, it adopts the gate by adding a small config entry, and any threshold or model upgrade tunes every app uniformly. There is no drift between apps and no maintenance tail of bespoke checks.
Models are loaded lazily, only on the apps whose config requires them. Apps that do not need NSFW classification do not pay the bandwidth cost of downloading it. The face-detection bounding boxes from the first check are reused by the age check and the Inpaint mask-intent check — one inference, three decisions.
Verify the on-device claim yourself. Open DevTools, switch to the Network tab, and use any face-input app. During the safety pre-flight you will see zero outbound requests to MiOffice servers — only one-time model fetches from public CDNs that browser-cache afterward.
Reporting concerns
- Security vulnerabilities — see /.well-known/security.txt (RFC 9116). Report to [email protected].
- Content concerns about specific outputs — [email protected]. We respond within 7 business days.
- Law-enforcement requests — [email protected].
Related
- /rag/safety — machine-readable architecture document for AI agents and crawlers
- Privacy policy
- Terms of service
- /.well-known/security.txt — RFC 9116 disclosure