Security

Architecture overview (diagram): You & your team → Browser over TLS → Flask app (Vercel · US) → Supabase (data & auth), Mux (video), Cloudflare (uploads), Stripe (payments)

Flask runs on managed cloud infrastructure — we operate no servers or data centers of our own. Application data is hosted in the United States.

How we protect your data

Encrypted in transit

All traffic between your browser and Flask runs over TLS (HTTPS). Data at rest is encrypted by our infrastructure providers.

Least-privilege access

The public database key has no read or write permissions. Every byte of data is brokered through our authenticated backend API.

Three-tier permissions

Content is scoped to its creator, invited team members, and — only when you explicitly enable it — public share links.

AI processing

The assets you review and the feedback you record are treated differently. Only your recordings are ever sent to an AI model.

Never sent to AI

Your assets

The videos and images you upload for review are stored and streamed for playback only. They are never sent to, or processed by, any AI model.

Processed by AI

Your recordings

Voice, camera, and screen recordings you leave as feedback are transcribed by ElevenLabs, and the resulting text is processed by Google Gemini to structure and summarize your feedback. Only your recordings are processed this way — never the asset they are attached to.

Data retention

When you upload a file, the original master file stays available for you to download for 30 days and is then deleted. The asset itself is unaffected: the processed, streamable version remains available; only the original upload is removed.

Authentication

Accounts authenticate through Supabase Auth, which supports both email and OAuth sign-in. We never store your password; credential handling and storage are delegated to Supabase Auth. Access to folders and assets is authorized in application code on every request, not left to the database alone.
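The following is an added example, not flask.do's own code, of what the per-request, application-side authorization check described in this section and under "Three-tier permissions" looks like for the three tiers (creator, invited team members, explicitly enabled public share links). The asset field names, the request shape, and the per-tier capabilities (public links read-only, team members may comment, only the creator may manage) are assumptions for illustration; the example assumes the backend has already loaded the asset record and verified the session's user id.

```typescript
import { timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// The three access tiers from the page: the asset's creator, invited team
// members, and (only when explicitly enabled) public share links.
type Tier = "owner" | "team" | "public";
type Action = "view" | "comment" | "manage";

// Assumed shape of an asset record as loaded by the backend.
// Field names are illustrative, not flask.do's schema.
interface Asset {
  id: string;
  ownerId: string;
  teamMemberIds: readonly string[];
  publicShareEnabled: boolean; // the explicit opt-in switch
  shareToken: string | null;   // secret embedded in the share URL
}

// What a request carries: a verified user id from the auth session
// (null for anonymous visitors) and, optionally, a share token from the URL.
interface Requester {
  userId: string | null;
  shareToken: string | null;
}

type Decision =
  | { allowed: true; tier: Tier }
  | { allowed: false; reason: string };

// Assumed per-tier capabilities (not stated on the page): public links are
// read-only, team members can also comment, only the creator can manage.
const CAPABILITIES: Record<Tier, ReadonlySet<Action>> = {
  owner: new Set<Action>(["view", "comment", "manage"]),
  team: new Set<Action>(["view", "comment"]),
  public: new Set<Action>(["view"]),
};

// Constant-time comparison so a share-token check does not leak how many
// leading bytes matched. timingSafeEqual requires equal-length buffers.
function tokensMatch(presented: string, stored: string): boolean {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(stored, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Resolve which tier (if any) the requester occupies for this asset.
// Runs in application code on every request; nothing here relies on
// database-side permissions.
export function resolveTier(asset: Asset, req: Requester): Decision {
  if (req.userId !== null && req.userId === asset.ownerId) {
    return { allowed: true, tier: "owner" };
  }
  if (req.userId !== null && asset.teamMemberIds.includes(req.userId)) {
    return { allowed: true, tier: "team" };
  }
  // Public access needs all three: the switch on, a token stored, and a
  // matching token presented. A leaked token is useless once sharing is off.
  if (
    asset.publicShareEnabled &&
    asset.shareToken !== null &&
    req.shareToken !== null &&
    tokensMatch(req.shareToken, asset.shareToken)
  ) {
    return { allowed: true, tier: "public" };
  }
  return { allowed: false, reason: "not owner, team member, or valid share link" };
}

// Deny-by-default check for one action on one asset.
export function authorize(asset: Asset, req: Requester, action: Action): boolean {
  const d = resolveTier(asset, req);
  return d.allowed && CAPABILITIES[d.tier].has(action);
}

// Constructed sample asset for a stand-alone run (not real data).
export const sampleAsset: Asset = {
  id: "asset-1",
  ownerId: "user-alice",
  teamMemberIds: ["user-bob"],
  publicShareEnabled: false,
  shareToken: "tok-9f2c",
};

console.log(authorize(sampleAsset, { userId: "user-alice", shareToken: null }, "manage")); // true
console.log(authorize(sampleAsset, { userId: null, shareToken: "tok-9f2c" }, "view"));     // false: sharing off
```

The order matters: the owner and team checks use the verified session identity, and the share-token path is only reached for requests that fail both, so a share token never grants more than the public tier even to a logged-in user.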

Payments

All payments are processed by Stripe. Flask never collects, transmits, or stores your full card details — that is handled directly by Stripe, a PCI-DSS Level 1 certified provider.

Stripe's privacy policy

Subprocessors

A small set of third-party services operate Flask. Each processes only the data needed for its function.

Supabase: database, auth & file storage
Mux: video processing & streaming
ElevenLabs: speech-to-text transcription
Cloudflare R2: large media upload storage
Vercel: application hosting
Stripe: payments & billing
Google (Gemini): AI summaries & transcripts
Resend: transactional & product email
PostHog: product analytics

Compliance

We design our data handling to align with GDPR and UK GDPR. We are not currently certified under the frameworks below. If your team has specific compliance requirements, get in touch.

SOC 2: not certified
ISO 27001: not certified
HIPAA: not certified
GDPR / UK GDPR: aligned

Report a vulnerability

Found a security issue? Email us with details and steps to reproduce. Please allow us reasonable time to fix it before public disclosure.

hello@flask.do