Legal

Security

Last updated: July 6, 2026

1. Our approach

Protecting your content and personal data is core to how we build CaptureFlow. This page summarizes the technical and organizational measures we use to keep your data safe. It complements our Privacy Policy and Terms of Service.

2. Encryption

  • In transit: All traffic to and from CaptureFlow is encrypted with HTTPS/TLS.
  • At rest: Data is stored on managed infrastructure with encryption at rest.
  • Credentials: Third-party OAuth access and refresh tokens (for example LinkedIn) are encrypted with AES-256 before they are stored.

3. Infrastructure

  • Database: Supabase (PostgreSQL) with Row Level Security enforcing workspace-level data isolation.
  • File & media storage: Supabase Storage for documents and images; Mux for video processing and hosting.
  • Application hosting: Vercel, running on hardened cloud infrastructure.
  • Rendering & processing: AWS (including Lambda) for video rendering workloads.

4. Access control

  • Role-based permissions: Owner, admin, member, and viewer roles scope what each user can access.
  • Workspace isolation: Data is partitioned per workspace so teams and agency clients never see each other's content.
  • Least privilege: Internal access to production data is limited to what is required to operate and support the service.

5. Authentication

You can sign in with email, Google, or LinkedIn. Sessions are managed securely, and you can disconnect a connected account at any time from Settings, which immediately invalidates our access to it.

6. Payments

Payments and subscriptions are handled by Stripe. We never see or store your full card details on our systems.

7. Sub-processors

We rely on a small set of trusted sub-processors to run the service. The current list and the purpose of each is maintained in our Privacy Policy. We share only the minimum data necessary for each service to function.

8. Data retention & deletion

You can delete your account and content at any time from Settings. On deletion, your data is removed in accordance with our Privacy Policy. Connected-account tokens are deleted immediately when you disconnect an integration or delete your account.

9. Responsible disclosure

If you believe you have found a security vulnerability, we want to hear from you. Please email security@captureflow.ai with details and steps to reproduce. Give us a reasonable window to investigate and fix the issue before any public disclosure. We do not take legal action against researchers acting in good faith.

10. Contact