Data Privacy and Security
At Langfuse, we prioritize data privacy and security. We understand that the data you entrust to us is a vital asset to your business, and we treat it with the utmost care.
We take active steps to demonstrate our commitment to data security and privacy, such as annual SOC 2 Type II and ISO 27001 audits.
With Langfuse Cloud, we handle:
- Deployment
- Scaling
- Upgrades and security patches
- Ensuring high availability
Security Measures
Langfuse Cloud
- We encrypt all data at rest, and all data in transit using TLS.
- Our database and application run on AWS infrastructure, partly managed by Supabase and Vercel.
- US data region (https://us.cloud.langfuse.com): Northern California (AWS us-west-1) & Virginia (AWS us-east-1)
- EU data region (https://cloud.langfuse.com): Germany/Frankfurt (AWS eu-central-1) & Ireland (AWS eu-west-1)
- We use Point-in-Time Recovery (PITR) with database backups and Write Ahead Log.
- All users have access to SSO (Single Sign-On) through OAuth 2.0 with Google and GitHub. We can enforce SSO for your organization (Team plan and above) to require 2FA (Two-Factor Authentication).
- For security inquiries, please contact us at [email protected]
Self-hosted Instances
- For installation and configuration, see: Self-hosting guide
- For architecture/component diagram, see: CONTRIBUTING.md
- For basic telemetry, see: README.md
- For security inquiries, please contact us at [email protected]
Privacy Measures
- For our Privacy Policy, see: Privacy Policy
- For Data Subject Access Request Form, see: Data Subject Access Request Form
- We can enter into a DPA (Data Processing Agreement), including a subprocessor list, upon request. Please see our DPA Template here for your prior review. Email a signed copy to [email protected], and we will then counter-sign it. Please note that we require users to be on a Pro, Team or Enterprise Plan when we enter into DPAs with them.
- For privacy inquiries, please contact us at [email protected]
Compliance Measures
| Framework | Status (Langfuse Cloud) |
|---|---|
| GDPR | Compliant. DPA available upon request on Pro and Team plan. |
| SOC 2 Type II | Certified. Report available upon request on Team plan. |
| ISO 27001 | Certified. Certificate available upon request on Team plan. |
| HIPAA | Not compliant. However, compliance can be attained by self-hosting on your own infrastructure/VPC. |
For specific compliance requirements or questions, please contact us at [email protected]
Responsible Disclosure of Security Vulnerabilities
We value the security community and prioritize system security. We encourage the disclosure of security vulnerabilities to help us protect the security and privacy of our users. Please send actionable vulnerability reports to [email protected]. Please note that we currently do not operate a bug bounty program.
The following users identified security vulnerabilities that led to improvements in Langfuse.

| Reported by | PR with fix | Description |
|---|---|---|
| Ather Iqbal | #4434 | Password complexity + block links in user name |
Whistleblowing
We encourage employees and third parties to report breaches to us via email ([email protected]) or postal mail (address available here). You can contact us anonymously or request that we protect your privacy. For more information, employees can refer to Langfuse’s internal Responsible Disclosure Policy.
Notifications
If you want to notify Langfuse of any security-related matter, please reach out to us via [email protected].