Security

Security & compliance overview

LingFlo is built privacy-first. EU-only processing, transient text handling, and serious about compliance.

Platform architecture

Cloudflare Workers (EU region) for API execution.
Cloudflare Pages for static front-end.
Supabase (managed Postgres) hosted in Frankfurt for analytics + auth.

Security controls

TLS 1.3 enforced across all domains (lingflo.com, dev.lingflo.com, api.lingflo.com).
Text processed in memory, never persisted (unless analytics opt-in).
Role-based access control and audit logs for enterprise workspaces.
Vulnerability scans and annual penetration testing with independent auditors.

Responsible disclosure

If you discover a vulnerability, email [email protected]. We request 72 hours to acknowledge and 30 days to remediate before public disclosure.

Compliance roadmap

Completed: GDPR alignment, DPA, Schrems II SCCs.
In progress: SOC 2 Type II (target Q2 2026).
Planned: ISO 27001 certification (2026), AI Act readiness assessments.