Security
Effective date:
Photographers trust StudioFlow with their entire client book and years of delivered work. This page describes, plainly, how that data is protected — and how to tell us if you find a weakness.
1. Encryption
- In transit: all traffic to StudioFlow — the app, inquiry forms, and client galleries — is encrypted with TLS 1.2 or higher. Plain HTTP is not served.
- At rest: databases (Neon Postgres) and file storage (AWS S3) encrypt data at rest with provider-level AES-256.
2. Access controls
- Within your account, access is role-scoped: Studio-plan seats see the shoots and assignments relevant to their role, not necessarily your whole book.
- Client galleries are protected by long, randomly generated (unguessable) links and optional download PINs.
- Internally, production access is limited to authorized personnel on a need-to-know basis and is logged. We never access your client data except to operate the service or with your permission for support.
3. Backups and resilience
- Databases are continuously backed up via Neon with point-in-time recovery.
- Gallery files are stored durably on AWS S3 (designed for 99.999999999%, or eleven nines, of object durability).
- Infrastructure is managed by the providers listed on our Subprocessors page — we deliberately build on audited, major-cloud foundations rather than self-hosted servers.
4. Application security
- Framework-level protections against XSS, CSRF, and injection; dependencies are monitored for known vulnerabilities and patched.
- Passwords are stored hashed with a modern password-hashing algorithm; we never store full card numbers (payments are handled by Polar, our merchant of record).
- Rate limiting protects login, inquiry forms, and gallery PIN attempts.
5. Compliance posture
SOC 2: in progress. We are building toward a SOC 2 Type II report and will publish status updates here; we do not claim certifications we do not hold. GDPR and CCPA/CPRA commitments are documented in the Privacy Policy and DPA.
6. Responsible disclosure
If you believe you have found a vulnerability, email support@studioflow.1labs.app with the subject line "Security" and reproduction details. We acknowledge reports within 2 business days, keep you informed as we fix the issue, and will not pursue good-faith researchers who avoid accessing other users' data and give us reasonable time to remediate.
7. Incident response
If a breach affects your data, we will notify you without undue delay with what we know, what we are doing, and what you should do — as committed in our DPA and required by applicable law.
Draft — pending legal review.