Lovex

Security questionnaire

Pre-answered. 56 questions covering the categories enterprise procurement teams typically check (CAIQ, SIG-Lite, custom). Anything not here: security@lovex.dev.

Last reviewed 2026-05-17.

We answer every question truthfully — including the ones where the answer is “not today.” A small EU team with honest gaps is a better long-term vendor than a polished questionnaire that hides them.

1. Organization and governance

What is the legal entity providing the service?

Lovex AB, a Swedish (EU) entity. Disputes are governed by Swedish law with exclusive jurisdiction in Stockholm District Court.

Do you have a written information security policy?

Yes. Internal policy covers access control, encryption, vendor management, incident response, secure development, and personnel security. Available under NDA on request to security@lovex.dev.

Are personnel subject to confidentiality obligations?

Yes. Every team member and contractor is bound by written confidentiality obligations covering customer data, source code, security configuration, and trade secrets.

Do you perform background checks on personnel with access to customer data?

We verify identity, eligibility to work, and reference history for personnel with production access. Criminal background checks are conducted where required by jurisdiction and customer contract; not run by default for the EU-headquartered team where doing so would conflict with Swedish employment law.

Is security awareness training provided?

Yes — security and data protection training is part of onboarding for everyone with system access, with refreshers when material changes occur (new vendor, new regulatory requirement, post-incident).

2. Data handling and residency

Where is customer data stored?

Primary application data sits in the European Union. International transfers to U.S. sub-processors (AI inference, edge hosting, transactional email) are covered by EU-U.S. Data Privacy Framework certification plus Standard Contractual Clauses with supplementary measures per Schrems II. Detailed breakdown by data category at /trust.

Is customer data segregated by tenant?

Yes. Row-level security policies at the database layer enforce per-team and per-project scoping. Application code applies the same scoping in every query path as defense in depth.
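Added illustration, not Lovex's schema or policy text: the mechanism the answer describes, as Postgres row-level security scoping rows to the calling team, with the application repeating the scope in its own WHERE clause. Table names (teams, projects, tasks), the role app_user and the setting app.current_team_id are assumptions chosen for the example.

```sql
-- Added example, not Lovex's schema. Assumed names: tables teams/projects/tasks,
-- role app_user, per-transaction setting app.current_team_id.

CREATE TABLE teams    (id uuid PRIMARY KEY, name text NOT NULL);
CREATE TABLE projects (id uuid PRIMARY KEY,
                       team_id uuid NOT NULL REFERENCES teams(id));
CREATE TABLE tasks    (id uuid PRIMARY KEY,
                       project_id uuid NOT NULL REFERENCES projects(id),
                       title text NOT NULL);

-- Constructed sample data: two teams, one project and one task each.
INSERT INTO teams VALUES
  ('11111111-1111-1111-1111-111111111111', 'acme'),
  ('22222222-2222-2222-2222-222222222222', 'globex');
INSERT INTO projects VALUES
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '11111111-1111-1111-1111-111111111111'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', '22222222-2222-2222-2222-222222222222');
INSERT INTO tasks VALUES
  ('aaaaaaaa-0000-0000-0000-000000000001', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'acme task'),
  ('bbbbbbbb-0000-0000-0000-000000000001', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'globex task');

-- The tenant bound to this transaction by the application after authentication.
-- The second argument makes current_setting() return NULL instead of raising when
-- nothing is bound, so "no tenant" resolves to "no rows", never "all rows".
CREATE FUNCTION current_team_id() RETURNS uuid
  LANGUAGE sql STABLE
  AS $$ SELECT nullif(current_setting('app.current_team_id', true), '')::uuid $$;

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;   -- also binds the table owner
CREATE POLICY projects_team_scope ON projects
  USING      (team_id = current_team_id())       -- rows SELECT/UPDATE/DELETE can see
  WITH CHECK (team_id = current_team_id());      -- rows INSERT/UPDATE may write

ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
ALTER TABLE tasks FORCE ROW LEVEL SECURITY;
-- A task is visible exactly when its project is: the subquery on projects is itself
-- filtered by projects_team_scope, so the per-team scope propagates one level down.
CREATE POLICY tasks_team_scope ON tasks
  USING      (EXISTS (SELECT 1 FROM projects p WHERE p.id = tasks.project_id))
  WITH CHECK (EXISTS (SELECT 1 FROM projects p WHERE p.id = tasks.project_id));

-- The application connects as a plain role. Never give it BYPASSRLS or superuser:
-- either one silently turns every policy off.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON teams, projects, tasks TO app_user;

-- Per request, inside the serving transaction. SET LOCAL is discarded at COMMIT, so a
-- pooled connection cannot carry one tenant's context into the next request.
BEGIN;
SET ROLE app_user;
SET LOCAL app.current_team_id = '11111111-1111-1111-1111-111111111111';
-- Defense in depth, as the answer describes: the WHERE clause repeats the scope the
-- policy already enforces. Returns only 'acme task'.
SELECT t.title FROM tasks t
  JOIN projects p ON p.id = t.project_id
  WHERE p.team_id = '11111111-1111-1111-1111-111111111111';
-- Cross-tenant writes fail even where an application WHERE clause would not catch them:
--   UPDATE projects SET team_id = '1111...' WHERE id = 'bbbb...';  -- 0 rows (invisible)
--   INSERT INTO tasks VALUES (gen_random_uuid(), 'bbbb...', 'x');  -- WITH CHECK violation
COMMIT;
RESET ROLE;

-- Check a reviewer can run: with no tenant bound, the application role sees nothing.
SET ROLE app_user;
SELECT count(*) FROM tasks;   -- 0, although the table holds two rows
RESET ROLE;
```

The two things a reviewer should verify on a real deployment are the ones the policies cannot express: that the role the application authenticates with has neither BYPASSRLS nor ownership of the tables without FORCE ROW LEVEL SECURITY, and that the tenant context is set with SET LOCAL (or set_config with is_local = true) inside the request's transaction rather than at session level on a pooled connection.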

What are your data retention defaults?

Active account content is retained while the customer is active. Decaying telemetry (activity feed, notifications, project chat) is pruned on a daily cron with category-specific TTLs. Account deletion is processed immediately on request — there is no user-facing recovery window. Backups containing personal data are overwritten by the backup rotation, typically within 30 days, after which the data is no longer accessible. Accounting records are retained for seven years as required by Swedish bookkeeping law (this is a legal floor that overrides GDPR deletion for those records specifically). Public retention policy is summarized at /privacy; the internal source of truth is reviewed quarterly.

Do you support data export?

Yes — self-service at /api/account/export — machine-readable JSON of all data tied to the user.

Do you support data deletion / right to be forgotten?

Yes. Self-service at /api/account/delete. The deletion is immediate — there is no user-facing recovery window. Personal-data tables (profile, notifications, push subscriptions, preferences) are hard-deleted via FK cascade. Authored content in shared workspaces (comments, chat messages, projects, tasks) is anonymized by setting user_id to NULL so teammates are not left with confusing gaps. Backups containing personal data are overwritten on the backup rotation, typically within 30 days, after which the data is no longer accessible by any means. Accounting records are retained for seven years as required by Swedish bookkeeping law (legal floor that overrides GDPR deletion for those records specifically).
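Added illustration, not Lovex's schema: the two deletion behaviours this answer and the retention answer above describe, FK cascade for account-personal rows and SET NULL anonymization for authored content in a shared workspace. Table and column names (users, push_subscriptions, notifications, comments, user_id) are assumptions chosen to match the wording of the answer.

```sql
-- Added example, not Lovex's schema. Assumed table and column names.

CREATE TABLE users (
  id    uuid PRIMARY KEY,
  email text NOT NULL UNIQUE
);

-- Account-personal class: meaningless without the user, so the rows go with the account.
CREATE TABLE push_subscriptions (
  id       uuid PRIMARY KEY,
  user_id  uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
  endpoint text NOT NULL
);
CREATE TABLE notifications (
  id      uuid PRIMARY KEY,
  user_id uuid NOT NULL REFERENCES users(id) ON DELETE CASCADE,
  body    text NOT NULL
);

-- Organization-content class: teammates keep the row, only the authorship link is cut.
-- user_id must be nullable: a NOT NULL column combined with ON DELETE SET NULL makes
-- the whole account deletion fail with a constraint violation instead of anonymizing.
CREATE TABLE comments (
  id         uuid PRIMARY KEY,
  project_id uuid NOT NULL,
  user_id    uuid REFERENCES users(id) ON DELETE SET NULL,
  body       text NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

-- Constructed sample data for one account.
INSERT INTO users VALUES
  ('0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a', 'alice@example.com');
INSERT INTO push_subscriptions VALUES
  ('0b0b0b0b-0b0b-0b0b-0b0b-0b0b0b0b0b0b', '0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a',
   'https://push.example.invalid/sub/1');
INSERT INTO notifications VALUES
  ('0c0c0c0c-0c0c-0c0c-0c0c-0c0c0c0c0c0c', '0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a',
   'You were mentioned in #general');
INSERT INTO comments (id, project_id, user_id, body) VALUES
  ('0d0d0d0d-0d0d-0d0d-0d0d-0d0d0d0d0d0d', '0e0e0e0e-0e0e-0e0e-0e0e-0e0e0e0e0e0e',
   '0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a', 'Looks good, shipping this Friday.');

-- The deletion is one statement in one transaction: the cascades and the SET NULL
-- either all happen or none do, which is what makes "immediate, no recovery window"
-- a safe promise at the live-database layer.
BEGIN;
DELETE FROM users WHERE id = '0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a';
COMMIT;

-- Checks a reviewer would run afterwards.
SELECT count(*) FROM push_subscriptions
  WHERE user_id = '0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a';   -- 0: cascaded
SELECT count(*) FROM notifications
  WHERE user_id = '0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a';   -- 0: cascaded
SELECT user_id, body FROM comments
  WHERE id = '0d0d0d0d-0d0d-0d0d-0d0d-0d0d0d0d0d0d';        -- NULL, body kept
```

SET NULL severs only the foreign key. If the content row also carries a denormalized author name or avatar URL, or the body text itself names the person, that is still personal data and needs its own scrub step in the same transaction. Backups are outside this transaction entirely, which is why the answer gives the backup-rotation window separately.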

Do you classify data?

Yes. Functional classification at the schema layer — every table is one of six classes: public, account-personal, organization-content, billing, operational telemetry, or audit. The class determines RLS policy shape, encryption posture, retention behavior, audit-event scope, export inclusion, and deletion behavior. Full policy with per-class handling rules and mapping to ISO 27001 A.5.12 / A.5.13 / A.8.15 and SOC 2 CC6.1 / CC7.2 / C1.1 is in our internal org/legal/data-classification.md, available under NDA on request to security@lovex.dev.

3. Encryption

Is data encrypted in transit?

Yes. TLS 1.2+ on every public endpoint. HSTS enabled. No plaintext fallback.

Is data encrypted at rest?

Yes. AES-256 encryption at rest is provided by our managed database and storage sub-processors. Backups are encrypted in an EU region. Customer-managed encryption keys (BYOK) are not offered today; on the roadmap for Enterprise once a paying contract requires it.

How are encryption keys managed?

Provider-managed via the sub-processor's KMS. Keys are rotated on the sub-processor's published schedule. We do not currently operate our own HSM or customer-controlled key material.

4. Identity and access management

Is multi-factor authentication available for end users?

Not as a native product control today. Sign-in is by magic link or OAuth (Google, GitHub). OAuth sign-in inherits whatever second factor the user's Google or GitHub account enforces; a magic link on its own is a single factor (possession of the mailbox). Password-based sign-in with TOTP MFA is on the roadmap. End-user MFA enforcement becomes configurable per workspace once SSO ships.

Is multi-factor authentication mandatory for administrative access?

Yes. Every administrator account on every infrastructure provider (hosting, database, payments, email, source control, secrets) is MFA-enforced. Hardware-backed credentials are used where available.

Do you support SAML / SSO?

Not today. SSO/SAML is on the roadmap for the Business tier; ship date depends on enterprise demand. Today we offer OAuth-based federation (Google, GitHub), which covers identity federation for most customers that do not require a custom IdP.

Do you support SCIM provisioning?

Not today. SCIM is paired with SSO on the roadmap. Until then, user provisioning happens via the invite flow inside the product or via the agent API.

Do you have role-based access control inside the product?

Yes — two roles today (Lead, Member) at the team level. Finer-grained custom roles are on the roadmap for the Business tier.

Are access reviews performed?

Yes. Administrative-access review on personnel change (offboarding triggers immediate revocation). Periodic review of administrative-access lists across all vendor consoles at least quarterly.

Is session management configurable?

Sessions rotate on a rolling 30-day window. Forced sign-out (single user and workspace-wide) is on the roadmap; sign out of all sessions today by deleting the account session in the product.

Do you support IP allowlisting?

Not today. On the roadmap for the Enterprise tier alongside SSO. Customers with strict network requirements should mention this during a security review so we can prioritize accordingly.

5. Application and network security

How do you protect against common web application vulnerabilities?

Input validation at server-action and API-route boundaries. Parameterized queries throughout (no string concatenation into SQL). React's default XSS-safe rendering for all user content. CSRF protection on state-changing endpoints. Rate limiting on authenticated and unauthenticated routes. Strict cookie attributes (Secure, HttpOnly, SameSite).

Do you have a WAF / DDoS protection?

Yes, provided by our edge sub-processor. DDoS mitigation operates at the edge before traffic reaches application servers.

How is your code reviewed and deployed?

All changes go through version control with peer review (a second pair of eyes, human or AI-assisted), automated lint/typecheck/test gates, and staged rollout. Migrations are versioned in-repo and applied via a gated deployment workflow that requires a reviewer approval in the production environment.

Do you perform dependency vulnerability scanning?

Yes — continuous dependency scanning in CI. Critical advisories are patched on a defined SLA. Direct dependencies are reviewed before adoption.

Do you perform penetration testing?

Not annually by an external firm yet. Internal review and static analysis are continuous. Third-party penetration testing is available as part of enterprise security review on customer request; we will commission a test against the customer's scope and share the report under NDA.

Do you operate a bug bounty program?

Not formally. Coordinated disclosure at security@lovex.dev — we acknowledge within one business day and prioritize valid findings. A paid bounty program is planned once the product reaches Beta.

Where are secrets stored?

In managed secret stores at our infrastructure providers. Never in source control. Rotation on personnel changes and on suspected exposure.

6. AI-specific

Do you use customer data to train models?

No. We do not use customer content to train our own models. Our AI providers are contractually prohibited from using customer content to train their general-purpose models, where they offer that commitment.

Which AI providers do you use?

Categories of providers are listed at /subprocessors. Specific vendor identities are shared under NDA on request to security@lovex.dev.

Is AI output presented as authoritative or as a draft?

Outputs are drafts. The user accepts, edits, or rejects every AI-generated piece of content. Human-in-the-loop is the default. AI features that mutate the workspace are labeled and reversible.

Do you comply with the EU AI Act?

The Act's prohibitions (Article 5) have applied since 2 February 2025; we build nothing in those categories (social scoring, real-time remote biometric identification, manipulative AI, emotion recognition in the workplace). We do not build in the Annex III high-risk categories (hiring, credit scoring, education assessment, critical infrastructure). The transparency obligations for limited-risk systems (Article 50) apply from 2 August 2026, and we already meet them: transparency labels on AI-generated content and human oversight paths. A light-touch DPIA documenting the assessment for our AI inference processing is maintained in our internal org/legal/dpia.md, available under NDA on request to security@lovex.dev.

7. Incident response and breach notification

Do you have a documented incident response plan?

Yes — internal runbook covers detection, containment, triage, notification, remediation, and post-mortem. Available under NDA to enterprise prospects during security review. Severity-high events get a written post-mortem within 14 days.

How quickly do you notify customers of a personal data breach?

Within 72 hours of becoming aware, committed in the DPA at /dpa. For precision on the legal basis: Article 33(2) GDPR requires us, as processor, to notify the controller without undue delay; 72 hours is the controller's own Article 33(1) deadline to its supervisory authority, and we commit to notify within that same bound.

Do you maintain a status page?

Not today as a separate page. Incidents are communicated by direct email to affected workspace owners within 30 minutes of detection. A public status page is in development.

Do you support customer audits of your security controls?

Yes, under the audit rights clause of the DPA and MSA: no more than once per twelve-month period, 30 days’ written notice, during business hours, subject to confidentiality, at the customer’s expense.

8. Business continuity and backups

Are production databases backed up?

Yes. Automated, encrypted backups in an EU region with periodic restore tests.

What is your Recovery Time Objective (RTO)?

Target: under 4 hours for the core control plane on a major regional outage. Real-world RTO depends on the failure mode and the responsiveness of upstream providers.

What is your Recovery Point Objective (RPO)?

Target: under 15 minutes — managed Postgres provides point-in-time recovery within this window. Customer-visible data loss in a worst-case database failure is bounded by this objective.

Where are backups stored?

European Union region. Backups never leave the EEA.

9. Sub-processors and vendor management

Do you maintain a public list of sub-processors?

Yes — at /subprocessors, organized by category rather than vendor name so the list stays stable when we change providers for equivalent functionality. Specific vendor identities under NDA.

Do you give notice of sub-processor changes?

30 days’ written notice before adding or replacing a sub-processor, with the customer’s right to object on reasonable data protection grounds (DPA §6).

Have you signed DPAs with all sub-processors?

Yes — every sub-processor processing personal data on our behalf is bound by a written DPA aligned to Article 28 GDPR, plus the relevant Standard Contractual Clauses for international transfers.

10. Certifications and audit

Are you SOC 2 Type II certified?

No. Not pursued pre-enterprise demand. We will start formal preparation when a paying enterprise contract is contingent on it; readiness window is 3-6 months from kickoff. In the interim we welcome a written security review against our published controls.

Are you ISO 27001 certified?

No. Same posture as SOC 2 — pursued on real enterprise demand. We can map our controls to the standard during a security review.

Are you HIPAA-compliant?

No. We are not a HIPAA business associate today and do not accept Protected Health Information. Customers should not submit PHI to the Service.

Are you PCI-DSS compliant?

We do not handle cardholder data directly — payment processing flows through a PCI-DSS Level 1 certified payment sub-processor. Full card data never reaches our systems.

Are you GDPR compliant?

Yes. Operating model is GDPR-native: EU-resident primary data, Article 28 DPA published at /dpa, sub-processor list at /subprocessors, Article 13 disclosures at /privacy, data subject rights (access, erasure, portability) implemented as self-service inside the Service.

Are you covered by the EU-U.S. Data Privacy Framework?

Where customer data flows to U.S. sub-processors, those sub-processors are DPF-certified. We also rely on Standard Contractual Clauses with supplementary measures.

11. Contracts and contacts

Will you sign our DPA?

Our published DPA at /dpa covers Article 28 requirements comprehensively. We can sign a counterpart on request. Customer-drafted DPAs are reviewed by legal@lovex.dev; reasonable changes accepted, redlines tracked.

Will you sign our MSA?

Our published MSA at /msa is the framework we sign by default. Customer-drafted MSAs are reviewed by legal@lovex.dev; reasonable changes accepted, redlines tracked. Liability cap is twelve months of Fees per Order Form by default.

Will you sign a custom NDA?

Yes, on request to legal@lovex.dev.

Where do we direct security questions, vulnerability reports, and incident reports?

security@lovex.dev.

Where do we direct privacy and data subject requests?

privacy@lovex.dev.

Where do we direct contractual questions?

legal@lovex.dev.