Security
Built for confidential pre-release content.
Scripts, takes, and stems live in scoped storage. Watermarked previews are off by default and on by request. NDAs travel with the project.
Encryption in transit
TLS 1.2 minimum, TLS 1.3 preferred for every connection. HSTS enabled with a one-year max-age. Certificates managed by Cloudflare with automated renewal.
Encryption at rest
Audio assets in Cloudflare R2 use AES-256 server-side encryption with provider-managed keys. Postgres data on Supabase is encrypted at rest with AES-256. No customer content is stored on application servers.
Access scoping
Actors only see the character they were invited to. Supervisors see the full Project. No cross-tenant access. Asset URLs are short-TTL signed URLs scoped to the requesting session.
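One way the session-scoped, short-TTL signing described above can be enforced, as an added Python illustration that is not OHEAR.AI's code (the signing key, asset paths and session ids are constructed, and the session id is bound into the signature without appearing in the URL):

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed signing key for the demo; a real deployment keeps this server-side only.
DEMO_KEY = b"demo-signing-key-not-for-production"


def _payload(path: str, session_id: str, exp: int) -> bytes:
    # The session id is covered by the MAC but never placed in the URL,
    # so a link that leaks cannot be replayed from another session.
    return f"{path}\n{session_id}\n{exp}".encode()


def sign_asset_url(path: str, session_id: str, ttl_seconds: int = 60,
                   now: Optional[int] = None, key: bytes = DEMO_KEY) -> str:
    """Return a URL for `path` that expires after `ttl_seconds` and is valid only for `session_id`."""
    exp = (int(time.time()) if now is None else now) + ttl_seconds
    sig = hmac.new(key, _payload(path, session_id, exp), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': exp, 'sig': sig})}"


def verify_asset_url(url: str, session_id: str, now: Optional[int] = None,
                     key: bytes = DEMO_KEY) -> bool:
    """Accept only if the URL is unexpired, untampered and presented by the issuing session."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if (int(time.time()) if now is None else now) >= exp:
        return False  # TTL elapsed
    expected = hmac.new(key, _payload(parts.path, session_id, exp), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)  # constant-time comparison
```

A changed path, an elapsed TTL or a different session each fail verification, which is what keeps a forwarded link from working outside the session it was issued to.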
Audit log
Every download, role change, take approval, and stem export is logged with actor, timestamp, and IP. Retained for seven years. Exportable on request to enterprise customers.
NDA-friendly defaults
Reference video can be watermark-burned per actor. Public reel rights held back until the show ships. Confidentiality persists until commercial release.
Data residency
US-region storage by default. EU residency available for enterprise customers. Standard Contractual Clauses incorporated into our DPA for EU and UK transfers.
Compliance posture
OHEAR.AI is operated by LERFILM INC. We are not yet SOC 2 audited; the platform is built to a SOC 2 Type 2-ready posture (least privilege, hardware-backed admin MFA, change review, vulnerability scanning, encryption at rest and in transit, documented incident response). We will publish audit status here when complete. Customers under NDA can request the security questionnaire response in advance.
- GDPR, UK GDPR, and CCPA/CPRA-compliant data handling
- Standard Contractual Clauses available via signed DPA
- Penetration testing scheduled annually
- Vendor risk reviews before subprocessor onboarding
Subprocessors
We use a deliberately small vendor stack. Each handles a specific function and is bound by a written DPA.
| Vendor | Function | Region |
|---|---|---|
| Cloudflare | Edge, R2 object storage, email routing, web analytics | Global / US |
| Supabase | Postgres database, authentication | US (EU on request) |
| Fly.io | API and worker compute | US |
| Modal | Audio processing pipelines | US |
| Stripe | Payments and Connect Express payouts | US |
Vulnerability disclosure
Security researchers, customers, and the general public can report suspected vulnerabilities to [email protected]. Please include reproduction steps, affected URLs, and any proof-of-concept output. We acknowledge reports within 2 business days and aim to triage within 5 business days. We will not pursue legal action against good-faith research that respects user privacy and avoids service disruption. Public credit is offered on request once a fix has shipped.
General security questions: [email protected].