Security you can read without an NDA
We protect your data with encryption in transit and at rest, per-account isolation, and server-only secrets — and we publish exactly how, in plain language, right here. No gated portal, no signature required.
Defense in depth, by default
The controls below are in effect today — not aspirations.
Encrypted in transit
Every connection is served over HTTPS with TLS 1.3 through Cloudflare's global edge. Data moving between you and us is encrypted end to end.
Encrypted at rest
Your data is stored in managed Postgres (Supabase) with AES-256 encryption at rest, so it stays protected on disk.
Row-level data isolation
Row-Level Security is enabled on every table, deny-by-default. Where users have direct data access, owner-scoped policies tie each row to the account that owns it — verified in our migrations.
Secrets stay server-side
API keys and database credentials live only in server-side code and never reach the browser. Privileged database access runs exclusively through a server credential that is never shipped to the client.
It's your work — and it stays yours
Export anytime, no lock-in
You can export the code for the site you generate whenever you want and host it anywhere. We don't trap your project inside our platform.
We don't train AI on your content
Your prompts are sent to our AI provider for the sole purpose of generating your site. Lova Plus never uses your content to train AI models, and we never sell your data.
Transparency
This page is public on purpose
Our security posture is documented here for anyone to read — no NDA, no sales call, no gated portal. We think you should be able to evaluate how we handle your data before you ever sign up.
What we're working toward
These are in progress, not yet achieved. We'll update this page as each lands.
SOC 2 Type II & ISO 27001. We're actively pursuing SOC 2 Type II and ISO 27001 certification. We are not certified today and don't claim to be.
GDPR readiness. We're building toward GDPR readiness in parallel, including data export and erasure workflows.
EU data residency. Region pinning for customers who need their data stored in the EU is on the roadmap.
Security FAQ
Not yet — SOC 2 Type II, ISO 27001, and GDPR readiness are on our roadmap and in progress, not yet achieved, and we don't claim to be certified. In effect today: TLS 1.3 in transit, AES-256 at rest, row-level data isolation, and server-only secrets.
Data is encrypted in transit with TLS 1.3 over Cloudflare's edge and at rest with AES-256 in managed Postgres (Supabase). Secrets and database credentials live only server-side and never reach the browser.
No. Your prompts are sent to our AI provider solely to generate your site; Lova Plus never uses your content to train AI models and never sells your data.
Yes — you can export the full code for any site you generate at any time and host it anywhere. There's no lock-in, and if you cancel you keep every project.
Email securityplus@lova.dev with details. We support good-faith research, ask for responsible disclosure with a reasonable fix window, and don't take legal action against good-faith researchers.
Report a vulnerability
Found a security issue? We want to hear about it. Please disclose it responsibly and give us a reasonable window to investigate and fix it before any public disclosure. We don't take legal action against good-faith research.
Email our security team at securityplus@lova.dev.