Lovex AB is a Swedish aktiebolag under EU and Swedish law, subject to GDPR, the EU AI Act, and the Swedish Companies Act. Our products are built EU-first, with compliance treated as product architecture rather than bolt-on paperwork. This page lays out what that means in practice, including what we have not yet done: anything we do not yet have, we say so plainly here.
Certifications and frameworks
We do not claim certifications we do not hold. Audited certifications follow real enterprise demand; until then, we publish our underlying controls openly and welcome written security reviews.
- GDPR (EU 2016/679) [In place] — Operating model is GDPR-native. Lawful basis, retention, processor obligations, and data subject rights documented and implemented in product.
- SOC 2 Type II [Not started] — Not pursued pre-enterprise demand. We will start formal preparation when a paying enterprise contract is contingent on it; readiness window is 3-6 months from kickoff.
- ISO 27001 [Not started] — Same posture as SOC 2: pursued on real enterprise demand. We can map controls to the standard during a security review.
- EU-U.S. Data Privacy Framework [In place] — Where data crosses to U.S. sub-processors, transfers rely on DPF certification at the recipient plus Standard Contractual Clauses with supplementary measures per Schrems II.
Regulatory posture
- GDPR. EU-native: lawful basis declared in the privacy policy, Article 28 DPA published, sub-processor list public with 30-day change notice, data subject rights (access, erasure, portability) available as self-service inside the product. See /privacy.
- EU AI Act. AI features are labeled as AI-generated where outputs are shown to users. Human oversight paths (edit, override, escalate) are available throughout. No use in prohibited categories (social scoring, real-time biometric ID in public spaces, manipulative AI, workplace emotion recognition).
- ePrivacy / Cookies. No non-essential cookies before consent. Analytics fires only after the visitor accepts. Reject-all has equal prominence with accept-all. Consent is logged with timestamp and policy version. See /cookie-policy.
- Schrems II. Transfers outside the EEA rely on either an adequacy decision (DPF) or Standard Contractual Clauses with supplementary measures. Primary application data sits in the EU; only support access and AI inference cross border under those safeguards.
Where customer data lives
Application data sits in the EU. Sub-processors that operate in the United States are covered by the EU-U.S. Data Privacy Framework plus Standard Contractual Clauses with supplementary measures per Schrems II.
- Application database (account, project, and content data). European Union (primary). Safeguard: EU-hosted; SCCs only for incidental support access.
- Application hosting and edge delivery. EU edge for cached/static content; United States for control plane. Safeguard: EU-U.S. Data Privacy Framework + Standard Contractual Clauses.
- AI inference (chat, generation). United States. Safeguard: EU-U.S. Data Privacy Framework + SCCs; contractual zero-retention for model training.
- Product analytics. European Union (Frankfurt). Safeguard: EU-hosted; no transfer outside the EEA in normal operation.
- Transactional email. European Union and United States, by recipient region. Safeguard: EU-U.S. Data Privacy Framework + Standard Contractual Clauses.
- Payments. Ireland (EU headquarters) with global processing infrastructure. Safeguard: Standard Contractual Clauses; PCI-DSS Level 1 at processor.
- Error monitoring. European Union. Safeguard: EU-hosted; user content redacted before transmission.
Technical and organizational measures
These are the same measures listed in Annex B of our Data Processing Agreement, expanded.
- Encryption in transit. TLS 1.2+ on every public endpoint. HSTS enabled.
- Encryption at rest. AES-256 encryption at rest through our managed database and storage providers. Encrypted backups in an EU region.
- Tenant isolation. Row-level security policies at the database layer, scoped per team and project. Application code enforces the same scoping as defense in depth.
- Access control. Least-privilege role-based access for personnel. Mandatory multi-factor authentication on administrative accounts. Hardware-backed credentials where available.
- Authentication. Magic-link and OAuth sign-in. Sessions rotate on a rolling 30-day window. SSO/SAML is on the roadmap for the Business tier.
- Secrets management. Secrets stored in managed secret stores, never in source control. Rotation on personnel changes and on suspected exposure.
- Logging and monitoring. Application and access logs retained for security investigation. Alerting on anomalous access patterns and elevated error rates.
- Backups. Automated, encrypted backups of production databases with periodic restore tests.
- Change management. Every production change goes through version control, automated checks, peer review, and staged rollout. Migrations are versioned in-repo and applied via a gated workflow.
- Vulnerability management. Continuous dependency scanning in CI. Critical advisories patched on a defined SLA. Coordinated disclosure at security@lovex.dev.
- Personnel. Confidentiality obligations on every team member. Data protection training on onboarding. Prompt access revocation on departure.
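The tenant-isolation measure above (row-level security scoped per team and project, with the application enforcing the same scoping as defense in depth) is the one control in this list that is easiest to get subtly wrong. The following is an added example in PostgreSQL, not Lovex's schema or code: the table names, columns and the `app.user_id` session setting are assumptions for illustration. It shows the fail-closed identity lookup, team and project policies with both USING and WITH CHECK clauses, and a CI check that catches a table left outside RLS.

```sql
-- Added example, not Lovex's actual schema: per-team tenant isolation with
-- PostgreSQL row-level security. Table names, columns and the session setting
-- app.user_id are assumptions for illustration.

CREATE TABLE team_members (
  team_id uuid NOT NULL,
  user_id uuid NOT NULL,
  PRIMARY KEY (team_id, user_id)
);

CREATE TABLE projects (
  id      uuid PRIMARY KEY,
  team_id uuid NOT NULL,
  name    text NOT NULL
);

CREATE TABLE tasks (
  id         uuid PRIMARY KEY,
  project_id uuid NOT NULL REFERENCES projects(id),
  title      text NOT NULL
);

-- The application sets the caller's identity once per request, inside the
-- transaction (SET LOCAL), so it cannot leak into the next request served by
-- a pooled connection. An unset or empty value yields NULL and matches no
-- row, so every policy below fails closed.
CREATE FUNCTION app_current_user_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.user_id', true), '')::uuid
$$;

-- ENABLE turns RLS on for ordinary roles; FORCE applies it to the table owner
-- as well, so a misconfigured application role does not silently bypass it.
ALTER TABLE team_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE team_members FORCE ROW LEVEL SECURITY;
ALTER TABLE projects     ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects     FORCE ROW LEVEL SECURITY;
ALTER TABLE tasks        ENABLE ROW LEVEL SECURITY;
ALTER TABLE tasks        FORCE ROW LEVEL SECURITY;

-- A user sees only their own membership rows.
CREATE POLICY members_self ON team_members
  USING (user_id = app_current_user_id());

-- Team scope: USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects INSERTs
-- and UPDATEs that would place a row in a team the caller is not a member of.
-- The subquery on team_members is itself filtered by members_self.
CREATE POLICY projects_team_scope ON projects
  USING      (team_id IN (SELECT team_id FROM team_members))
  WITH CHECK (team_id IN (SELECT team_id FROM team_members));

-- Project scope: tasks inherit their project's visibility, because the
-- subquery on projects is filtered by projects_team_scope.
CREATE POLICY tasks_project_scope ON tasks
  USING      (project_id IN (SELECT id FROM projects))
  WITH CHECK (project_id IN (SELECT id FROM projects));

-- Per-request usage by the application (constructed identifier):
BEGIN;
SET LOCAL app.user_id = 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa';
SELECT id, name FROM projects;   -- only projects of teams this user belongs to
COMMIT;

-- Check for CI: every ordinary table in the application schema must have RLS
-- enabled; any table listed here is reachable across tenants by the
-- application role and needs a policy before it ships.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;   -- expected: zero rows
```

Two things the policies cannot do for you: the role the application connects as must be neither a superuser nor marked BYPASSRLS, or the policies are never consulted; and a table with RLS enabled but no policy denies everything, which shows up as an outage rather than a leak, so the CI check above is the one that matters for isolation.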
AI use
AI features are powered by third-party large language model providers under written DPAs. Providers are listed by category at /subprocessors. Customer content sent to AI features is processed in transit, not retained for model training, and is deleted from provider-side abuse-monitoring logs on the provider's published schedule.
Training policy. We do not use customer content to train our own models. Our AI providers are contractually prohibited from using customer content to train their general-purpose models, where they offer that commitment.
Human oversight. Outputs are presented as drafts that the user accepts, edits, or rejects. Users can escalate to a human reviewer in every flow.
Retention, export, and deletion
Active account content is retained while the customer is active. Decaying telemetry (activity feed, notifications, project chat) is pruned on a daily cron with category-specific TTLs. Account deletion is processed immediately on request — there is no user-facing recovery window. Backups containing personal data are overwritten by the backup rotation, typically within 30 days, after which the data is no longer accessible. Accounting records are retained for seven years as required by Swedish bookkeeping law (this is a legal floor that overrides GDPR deletion for those records specifically).
- Export. /api/account/export — machine-readable JSON of all data tied to the user
- Delete. /api/account/delete — immediate: personal-data tables (profile, notifications, push subscriptions, preferences) are hard-deleted via FK cascade; authored content in shared workspaces (comments, chat messages, projects, tasks) is anonymized by setting user_id to NULL so teammates are not left with confusing gaps; the auth.users row is removed.
- Backup rotation. Backups containing personal data are overwritten by rotation within ~30 days. This is not a user-recoverable window — the live system has already deleted the data; only the backup tape lags. After rotation completes the data is no longer accessible by any means.
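The delete path above (hard delete of personal-data tables via FK cascade, anonymization of shared-workspace content by nulling user_id, removal of the auth.users row) depends entirely on how the foreign keys are declared. The following is an added example in PostgreSQL, not Lovex's schema or code: the table and column names are assumptions for illustration, and only the auth.users name follows the text. It shows the two FK actions side by side, the single-statement deletion, a walk-through on constructed data, and a CI check that catches a foreign key added later without a delete action.

```sql
-- Added example, not Lovex's actual schema: account deletion where
-- personal-data tables hard-delete through FK cascade and authored content in
-- shared workspaces is anonymized by the database setting user_id to NULL.
-- Table names and columns are assumptions for illustration.

CREATE SCHEMA IF NOT EXISTS auth;
CREATE TABLE auth.users (
  id    uuid PRIMARY KEY,
  email text NOT NULL UNIQUE
);

-- Personal data: these rows are meaningless without their owner, so they go
-- with the account.
CREATE TABLE profiles (
  user_id      uuid PRIMARY KEY REFERENCES auth.users(id) ON DELETE CASCADE,
  display_name text
);
CREATE TABLE notifications (
  id      bigserial PRIMARY KEY,
  user_id uuid NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
  body    text NOT NULL
);

-- Authored content in shared workspaces: teammates keep the content and only
-- the author link is severed. The column must be nullable for SET NULL to work.
CREATE TABLE comments (
  id      bigserial PRIMARY KEY,
  user_id uuid REFERENCES auth.users(id) ON DELETE SET NULL,
  body    text NOT NULL
);
CREATE TABLE chat_messages (
  id      bigserial PRIMARY KEY,
  user_id uuid REFERENCES auth.users(id) ON DELETE SET NULL,
  body    text NOT NULL
);

-- The deletion endpoint calls this once. One DELETE in one transaction: every
-- cascade and SET NULL applies atomically, or none of them does.
CREATE FUNCTION delete_account(p_user_id uuid) RETURNS integer
LANGUAGE plpgsql AS $$
DECLARE
  n integer;
BEGIN
  DELETE FROM auth.users WHERE id = p_user_id;
  GET DIAGNOSTICS n = ROW_COUNT;
  RETURN n;  -- 1 if the account existed, 0 otherwise (a repeat call is harmless)
END;
$$;

-- Check for CI: every FK referencing auth.users must declare CASCADE ('c') or
-- SET NULL ('n'). A NO ACTION ('a') or RESTRICT ('r') FK added later would make
-- the DELETE fail and leave the account in place.
SELECT conrelid::regclass AS referencing_table, conname, confdeltype
FROM pg_constraint
WHERE contype = 'f'
  AND confrelid = 'auth.users'::regclass
  AND confdeltype NOT IN ('c', 'n');   -- expected: zero rows

-- Walk-through on constructed data:
INSERT INTO auth.users VALUES ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'alice@example.com');
INSERT INTO profiles VALUES ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'Alice');
INSERT INTO comments (user_id, body)
  VALUES ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 'Looks good to me');
SELECT delete_account('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa');  -- 1
SELECT count(*) FROM profiles;                                  -- 0: cascaded
SELECT user_id, body FROM comments;                             -- NULL | Looks good to me
```

ON DELETE SET NULL severs the link to the account but does not touch the content itself, so anything personal written into a comment or message body (a signature, an @-mention of the departing user) survives the deletion; that residue is a separate retention question from the FK design shown here.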
Sub-processors
We use a small set of sub-processors categorized by role (hosting, database, AI inference, email, analytics, payments, identity, error monitoring). Each is bound by a written DPA and an appropriate transfer safeguard. We give at least 30 days’ notice before adding or replacing a sub-processor by updating the public list at /subprocessors. Customers with a signed order form can ask for the specific vendor identities at security@lovex.dev under a confidentiality undertaking.
Incident response
Customer-impacting incidents are triaged through a documented runbook: detect, contain, assess, notify, remediate, post-mortem. Personal data breaches affecting customers trigger notification within 72 hours of becoming aware, per Article 33 GDPR. Severity-high incidents land in a written post-mortem within 14 days.
Notification SLA. Within 72 hours of becoming aware of a Personal Data Breach affecting a customer’s data, we notify the customer per Article 33 GDPR.
Vulnerability disclosure. Send findings to security@lovex.dev. Full policy with response SLAs, severity matrix, scope, and safe-harbor terms at /security/disclosure. Machine-readable contact at /.well-known/security.txt (RFC 9116).
Contracts and documents
- Master Services Agreement — Enterprise framework agreement; downloadable; signed counterpart available on request. Order Forms reference this MSA.
- Service Level Agreement — Support response targets per tier and 99.9% uptime objective. Credit-backed availability negotiable in Enterprise Order Forms.
- Service status — Live operational state per component, current incidents, and an RSS feed at /status/feed.xml that compliance tooling subscribes to.
- Security index — Procurement-facing index of every security and compliance artifact in one place. Direct links, no narrative.
- Vulnerability Disclosure Policy — Reporting channel, response SLAs, severity matrix, in/out of scope, and safe-harbor terms. Machine-readable contact at /.well-known/security.txt (RFC 9116).
- Security questionnaire (pre-answered) — Pre-answered CAIQ-lite of ~50 questions. Procurement teams either accept this in lieu of their own questionnaire or copy-paste from it.
- Data Processing Agreement — Article 28 GDPR terms; downloadable; signed counterpart available on request.
- DPIA summary — Article 35 process and per-activity assessment outcomes, plus the voluntary light-touch DPIA for AI inference. Full register available under NDA.
- Record of Processing Activities (summary) — Article 30 register, public summary. Ten controller activities + two processor activities with lawful basis, retention, and transfer safeguards. Full internal register under NDA.
- Incident Response Plan (summary) — Severity tiers, 72-hour GDPR Article 33 customer notification, IMY filing path, post-mortem cadence (14d Sev 1 / 30d Sev 2). States plainly that we do not run a 24×7 SOC.
- Sub-processor list — Category-based list with 30-day change notice.
- Privacy Policy — What we collect, lawful basis, retention, rights.
- Cookie Policy — Cookie categories and consent management.
- Terms of Service (umbrella) — Umbrella terms for lovex.dev and the products under it. Product-specific terms apply on top.
- Lova Terms of Service — Lova-specific terms: AI features, agent tokens, automation execution rights, seat-based pricing, plan tiers, workspace data export and deletion.
- Acceptable Use Policy — Standalone AUP: prohibited content, prohibited activities, AI-specific use, enforcement. Linkable from procurement portals that require a dedicated AUP URL.
Security reviews and questionnaires
We maintain a pre-answered questionnaire at /trust/security-questionnaire covering the ~50 most common procurement questions (CAIQ, SIG-Lite, custom). Most procurement teams either accept it in lieu of filling their own questionnaire or copy-paste from it. For custom questions or anything not covered, email security@lovex.dev with the questionnaire attached and the deal context; standard turnaround is five business days, faster for deals in active negotiation.
Custom DPAs, master services agreements, and signed counterparts of our published documents: legal@lovex.dev.
Contacts
- Security questions, vulnerability disclosure, incident reports. security@lovex.dev — Acknowledged within 1 business day.
- Privacy, data subject requests, DPO matters. privacy@lovex.dev — Substantive response within 30 days per GDPR Article 12.
- Legal, contracts, custom MSAs and DPAs. legal@lovex.dev — Acknowledged within 2 business days.
Roadmap
Where we are headed, with realistic timing rather than ship dates we cannot guarantee:
- SSO/SAML. Business-tier feature. Active development.
- Admin audit log surface. One-year retained, downloadable.
- SCIM provisioning. Paired with SSO.
- SOC 2 Type II readiness. Begins when a paying enterprise contract is contingent on it. We are happy to discuss timing as part of a deal.
Change history
We update this page when the underlying posture changes. The current version was last reviewed on 2026-05-17. Material changes are announced 30 days in advance for sub-processor additions and on publication for other changes.