Your scripts and characters are the product of real creative effort. Here is exactly how longflow protects them — encryption, isolation, residency, compliance posture, and how we respond when something goes wrong.
The same protections apply on the free plan and the enterprise plan. The tiers differ in seats, throughput, and contractual commitments — not in how your data is secured.
Encrypted at rest and in transit
Every script, keyframe, render, and voice-over is stored encrypted at rest with AES-256 and served over TLS 1.2+. Storage objects are private by default and reached through short-lived signed URLs — never public buckets.
Isolation by row-level security
Postgres row-level security scopes every read and write to your account and workspace. A request can only ever touch the projects you own or have been invited to — enforced in the database, not just the app layer.
Data residency
Primary data lives in EU-region infrastructure (Supabase / AWS eu-central-1). Enterprise customers can request a documented residency commitment and a list of regions their content traverses during generation.
Compliance posture
longflow is GDPR-aligned with a DPA available on request. A SOC 2 Type II program is in progress (in private beta) — we'll share the report under NDA with enterprise prospects as it completes. We do not claim certifications we don't yet hold.
Availability & SLA
We target 99.9% monthly availability for the app and API. Studio and enterprise agreements can include a written uptime SLA with service credits. Generation throughput depends on upstream model providers and is monitored continuously.
Subprocessors
We use a small, vetted set of subprocessors and keep the list current. Each handles a specific job — auth/storage, model inference, voice synthesis, payments — under its own data-processing terms.
How we operate
Practical, everyday safeguards.
Authentication
Email/password and OAuth via Supabase Auth, with hashed credentials and short-lived session tokens. SSO/SAML is available for enterprise workspaces on request.
Access control
Least-privilege service roles, scoped API keys, and workspace seat permissions. Internal admin access is limited, logged, and reviewed.
Your content & training
Your scripts, characters, and renders are yours. We do not sell your data and do not use your private project content to train foundation models.
Deletion & export
Delete a project or your account and the associated objects are removed from storage. Enterprise customers can request a documented retention and deletion schedule.
Subprocessors
Who helps us deliver.
Supabase: Auth, Postgres database, object storage
AWS: Underlying cloud infrastructure (EU regions)
Higgsfield: Image (Soul) and video (DoP) generation
ElevenLabs: AI voice-over synthesis
Anthropic: Script understanding and scene breakdown
Stripe: Subscription billing and payments
We notify enterprise customers of material changes to this list. Request the live, versioned register with your DPA.
When something goes wrong
A clear plan for the bad day.
No vendor is immune to incidents. What separates a trustworthy one is how it prepares for and communicates about them.
01 Detect
Continuous monitoring and alerting on the app, API, and database. Suspicious access patterns trigger an on-call review.
02 Contain & assess
We isolate the affected surface, scope the impact, and preserve logs before any remediation that could disturb evidence.
03 Notify
If your data is affected, we notify you without undue delay and within the timelines our DPA and applicable law require.
Enterprise & security review
Need the documents before you sign?
We're happy to walk security and procurement teams through our controls, share our SOC 2 progress and DPA under NDA, complete your security questionnaire, and scope an SLA. Tell us what your review needs.