Security & Privacy

How we handle your data.

B2B and agency buyers ask the security questions before they sign anything. This page answers all of them in plain English. If you need a DPA, security questionnaire response, or pen-test summary, email security@clipflow.to.

GDPR-compliant by default

EU-operated, EU-hosted, full data-subject rights. DPA available on request.

AES-256 encryption at rest

Including AI provider API keys, which are never stored in plaintext. Per-workspace encryption keys.

No AI training on your content

Brand-voice models are workspace-scoped. We do not aggregate, share, or sell training data.

Source files deleted after 30 days

Raw uploads are auto-purged. Clips and transcripts persist as long as your workspace does.

BYOK AI architecture

Inference happens via your own provider account. Direct provider relationship, no token reselling.

security@clipflow.to

Vulnerability disclosure per RFC 9116 (/.well-known/security.txt). Acknowledged in 2 business days.

Security FAQ

Every question you’ll need to answer for procurement.

Is Clipflow GDPR compliant?

Yes. Clipflow is operated from the EU, data is hosted in EU regions by default, and we follow GDPR data-subject rights (access, deletion, export, rectification). Our DPA is available on request — email security@clipflow.to.

Where is my data stored?

Your content lives in a Postgres database (Supabase, EU region by default) and in object storage (Supabase Storage, same region). Billing and payment data is processed by Stripe (US; encrypted in transit and at rest by Stripe). For US-based customers we can route content storage to US regions on request.

What encryption do you use?

AES-256-GCM for encryption at rest (including AI provider API keys, which are never stored in plaintext). TLS 1.3 for all data in transit. Brand-voice training data and brand kits are encrypted with a per-workspace key.
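The per-workspace key model named in the card above and in this answer (AES-256-GCM at rest, provider API keys never in plaintext, one key per workspace) is a standard envelope-encryption pattern. The following is an added illustration written for this page, not Clipflow's own code: a root key-encryption key (KEK) wraps a fresh data-encryption key (DEK) per workspace, the DEK encrypts that workspace's secrets, and the workspace ID is bound into every ciphertext as GCM associated data, so a ciphertext copied from one workspace's row into another's fails authentication instead of decrypting. The `Vault`, `Workspace` and `Sealed` types, the AAD labels, and the in-memory KEK are all assumptions of the example (in production the KEK would live in a KMS or HSM); the API key value is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Sealed is what the database row stores for one secret: a random nonce and
// the AES-256-GCM ciphertext with its 16-byte authentication tag appended.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// (the associated data) into the authentication tag.
func seal(key, aad, plaintext []byte) (Sealed, error) {
	g, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, aad)}, nil
}

// open fails if the key, nonce, ciphertext, tag or aad differ from seal time.
func open(key, aad []byte, s Sealed) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, s.Nonce, s.Ciphertext, aad)
}

// Workspace is the persisted shape: wrapped DEK plus wrapped secrets.
// No plaintext key material is stored here.
type Workspace struct {
	ID         string
	WrappedDEK Sealed
	Secrets    map[string]Sealed
}

// Vault holds the root KEK (assumed in-memory here; a KMS/HSM in production).
type Vault struct{ kek []byte }

func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func NewVault() (*Vault, error) {
	kek, err := randomKey()
	return &Vault{kek: kek}, err
}

// AAD labels tie each blob to its workspace (and secret name) so blobs cannot
// be swapped between rows without failing authentication.
func dekAAD(id string) []byte              { return []byte("dek:" + id) }
func secretAAD(id, name string) []byte     { return []byte("secret:" + id + ":" + name) }

// NewWorkspace generates a per-workspace DEK and stores it wrapped by the KEK.
func (v *Vault) NewWorkspace(id string) (*Workspace, error) {
	dek, err := randomKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(v.kek, dekAAD(id), dek)
	if err != nil {
		return nil, err
	}
	return &Workspace{ID: id, WrappedDEK: wrapped, Secrets: map[string]Sealed{}}, nil
}

func (v *Vault) unwrapDEK(w *Workspace) ([]byte, error) {
	return open(v.kek, dekAAD(w.ID), w.WrappedDEK)
}

// PutSecret encrypts e.g. an AI provider API key under the workspace DEK.
func (v *Vault) PutSecret(w *Workspace, name, value string) error {
	dek, err := v.unwrapDEK(w)
	if err != nil {
		return err
	}
	s, err := seal(dek, secretAAD(w.ID, name), []byte(value))
	if err != nil {
		return err
	}
	w.Secrets[name] = s
	return nil
}

// GetSecret unwraps the DEK, then decrypts the named secret. A blob that
// belongs to another workspace or name fails authentication and returns an error.
func (v *Vault) GetSecret(w *Workspace, name string) (string, error) {
	s, ok := w.Secrets[name]
	if !ok {
		return "", fmt.Errorf("no secret %q in workspace %s", name, w.ID)
	}
	dek, err := v.unwrapDEK(w)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, secretAAD(w.ID, name), s)
	if err != nil {
		return "", fmt.Errorf("decrypt %s/%s: %w", w.ID, name, err)
	}
	return string(pt), nil
}

func main() {
	v, _ := NewVault()
	a, _ := v.NewWorkspace("ws_a")
	b, _ := v.NewWorkspace("ws_b")
	_ = v.PutSecret(a, "openai_api_key", "sk-constructed-sample") // constructed sample value
	got, err := v.GetSecret(a, "openai_api_key")
	fmt.Println("round trip:", got, err)
	// Copy A's ciphertext into B's row: B's DEK and AAD differ, so Open fails.
	b.Secrets["openai_api_key"] = a.Secrets["openai_api_key"]
	_, err = v.GetSecret(b, "openai_api_key")
	fmt.Println("cross-workspace read rejected:", err != nil)
}
```

The AAD binding is the part worth copying: without it, a compromised database user who can move rows between workspaces could get one tenant's key decrypted in another tenant's context, because the wrapped bytes alone carry no tenant identity. The nonce is random per call, which is fine at the write volumes of a secrets table; a high-volume encryptor would use a counter or key rotation to stay inside GCM's nonce-reuse limits.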

How long do you keep my source recordings?

Raw uploaded video / audio files are deleted 30 days after import by default. Generated clips, transcripts, captions, and metadata persist as long as your workspace does. You can delete your data at any time from workspace settings.

Do you train AI on my content?

No. We do not train any AI model on customer content. Brand-voice models are workspace-scoped — your past posts inform captions for your workspace only, and never leave it. We do not share, sell, or aggregate training data across customers.

How does BYOK affect data privacy?

BYOK (Bring Your Own Key) means AI inference happens via your own OpenAI / Anthropic / Google account. Your provider sees the prompts Clipflow sends on your behalf, including transcript and caption text, and handles them under its own data-processing terms; Clipflow holds the key encrypted at rest and uses it only for your workspace. Many enterprise and agency buyers prefer this because the AI provider relationship is direct and already covered by their own vendor agreement.

Do you have SOC 2 certification?

SOC 2 Type II is on the roadmap (target: late 2026). Clipflow operates with SOC-2-aligned controls today (audit logs, access control, encryption, incident response) — but we do not yet have a third-party attestation.

How do I report a security vulnerability?

Email security@clipflow.to. Our full disclosure policy is published at /.well-known/security.txt (RFC 9116). We acknowledge reports within 2 business days. We do not currently run a paid bug bounty, but we credit confirmed reporters on the security page with their permission.

Can I export or delete all my data?

Yes. Workspace settings → Data → Export downloads a ZIP of every clip, transcript, brand-kit asset, and metadata in your workspace. Deleting your account triggers a 30-day grace period (recoverable on email request) followed by hard deletion.

Need a security review document?

For DPAs, vendor questionnaires (SIG, CAIQ), pen-test summaries, or SOC 2 timeline questions, email security@clipflow.to and we’ll respond within 2 business days. Vulnerability reports go to the same address — full policy at /.well-known/security.txt.
