Security you can read without an NDA.
We protect your data and the sites we build with encryption in transit and at rest, per-account isolation, and server-only secrets — and we publish exactly how, in plain language. No gated portal, no signature required.
Defense in depth, by default.
The controls below are in effect today — not aspirations.
Encrypted in transit
Every connection is served over HTTPS with TLS 1.3 through Cloudflare's global edge, with HSTS enforced so browsers refuse to drop back to plain HTTP.
Encrypted at rest
Your data lives in managed Postgres (Supabase) with AES-256 encryption at rest, on infrastructure we never run ourselves.
Row-level data isolation
Row-Level Security is enabled on every table, deny-by-default, with owner-scoped policies — so an account can only ever reach its own rows. It is verified in our migrations, not assumed.
Secrets stay server-side
API keys and database credentials live only in server-side code and are read at request time — they never reach the browser. Only deliberately public values are ever shipped to the client.
Abuse-resistant by design
Public, cost-bearing endpoints — intake, uploads, the AI assistant — are rate-limited per IP with burst and sustained windows, so scripted hammering is throttled before it ever reaches a paid provider or costs you.
Mapped to the most common web risks.
Our own assessment of how lova.dev addresses each risk in the OWASP Top 10 (2021). These are controls in effect today — a self-assessment, not a third-party certification.
- A01 Broken Access Control
Row-Level Security denies database access by default; users reach only their own rows, and resource ownership is re-checked server-side on every request.
- A02 Cryptographic Failures
TLS 1.3 in transit (HSTS-enforced) and AES-256 at rest. Secrets and database credentials live only server-side and never reach the browser.
- A03 Injection
Database access runs through Supabase's parameterized client — no raw SQL — and inputs are schema-validated (Zod) before use.
- A04 Insecure Design
Public, cost-bearing endpoints (intake, uploads, the AI assistant) are rate-limited per IP with burst and sustained windows, throttling abuse before it reaches a paid provider.
- A05 Security Misconfiguration
Security headers — HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy — ship on every response, with an enforced Content-Security-Policy, and we advertise no server version.
- A06 Vulnerable & Outdated Components
Dependencies are pinned to a committed lockfile and installed frozen in CI; core frameworks (Astro, Supabase) are kept on current major releases.
- A07 Identification & Authentication Failures
Authentication is handled by Supabase and re-verified server-side on every request, with rotating session tokens and enumeration-safe error messages.
- A08 Software & Data Integrity Failures
Deploys build from a frozen lockfile with pinned CI, and every release credential is stored as an encrypted CI/Cloudflare secret — never in the repo.
- A09 Security Logging & Monitoring Failures
Server errors are captured in Sentry with route, method and status only — never cookies, prompts, or query strings — and uptime is watched by external monitors.
- A10 Server-Side Request Forgery (SSRF)
The app never fetches user-supplied URLs; every outbound call targets a fixed, hardcoded provider, leaving no SSRF surface.
Reference: OWASP Top 10.
It's your work — and it stays yours.
You own the code
We hand over the full repository at the end of every project — no lock-in. Host with us on a care plan, or take it and self-host anywhere.
We never sell your data
We don't sell or rent your data, and we don't use your project's content to train AI models. Your information is used only to build and run your project.
This page is public on purpose.
Our security posture is documented here for anyone to read — no NDA, no sales call, no gated portal. You should be able to evaluate how we handle your data before you ever hire us.
The vendors that help us run.
We share data only with the providers below, each bound to handle it securely. Your data is currently stored in the United States; EU residency is on the roadmap.
- Cloudflare Hosting, global edge/CDN, DDoS protection Serves all traffic; processes IP + request metadata
- Supabase Managed Postgres database & authentication Account, project & content data, AES-256 at rest
- Stripe Payment processing Billing details + a tokenized card reference — we never store full card numbers
- Resend Transactional & product email Email address + the content of the emails we send
- HubSpot CRM / lead management Contact details you submit through our forms
- OpenRouter (+ Anthropic) AI gateway — the Ask Lova assistant & CMS copy assist The prompts & messages you send the assistant; CMS copy edits
- Google Ads, Tag Manager & site tag Cookieless tag + ad-conversion measurement
- Sentry Error monitoring Error diagnostics — route, status, short tags; no PII or secrets
- Cal.com Call scheduling Name, email + the time you book
Full processor + data matrix on our privacy page. Using Lova Plus, our self-serve AI builder? It documents its own security there.
What we're working toward.
These are in progress, not yet achieved. We'll update this page as each lands.
-
SOC 2 Type II & ISO 27001. Actively pursuing certification. We are not certified today and don't claim to be.
-
GDPR readiness. Building toward GDPR readiness, including data export and erasure workflows.
-
EU data residency. Region pinning for customers who need their data stored in the EU is on the roadmap.
Security FAQ
Is Lova SOC 2 or GDPR compliant? +
Not yet — SOC 2 Type II, ISO 27001, and GDPR readiness are on our roadmap and in progress, not yet achieved, and we don’t claim to be certified. In effect today: TLS 1.3 in transit, AES-256 at rest, row-level data isolation, and server-only secrets.
How is my data encrypted? +
In transit with TLS 1.3 over Cloudflare's edge, and at rest with AES-256 in managed Postgres (Supabase). Secrets and database credentials live only server-side and never reach the browser.
Do I own the website you build? +
Yes. We hand over the full repository at the end of every project — no lock-in. Host it with us on a care plan, or take the code and self-host anywhere.
Do you sell my data or train AI on it? +
No. We never sell or rent your data, and we don’t use your project’s content to train AI models. Your data is used only to build and run your project.
How do I report a security vulnerability? +
Email security@lova.dev with 'Security' in the subject and the details. We support good-faith research, ask for responsible disclosure with a reasonable fix window, and don't take legal action against good-faith researchers.
Accessibility — WCAG 2.1 AA / Section 508
lova.dev and the Lova Plus platform are built and audited against WCAG 2.1 AA — the standard referenced by Section 508 — with accessibility remediation an ongoing part of how we ship. And it doesn't stop at our own sites: every website and app we build ships with an accessibility review against the same WCAG 2.1 AA / Section 508 standard, built into our launch and maintenance process.
Report a vulnerability.
We support good-faith security research and ask for responsible disclosure — give us a reasonable window to ship a fix before going public, and we won't pursue legal action against good-faith researchers.
Email us at security@lova.dev with 'Security' in the subject — our machine-readable contact is published at /.well-known/security.txt.