Compliance FAQ

This page addresses frequently asked questions and common compliance topics for Langfuse. Please refer to the security FAQ for details on security topics.

If you don’t find an answer to your question here, try using Ask AI for instant answers or reach out to security@langfuse.com.

Compliance & Certifications

Which audits and attestations are in place?

Langfuse Cloud is SOC 2 Type II and ISO 27001 compliant, and GDPR and HIPAA controls are implemented. See the compliance overview for more details.

Which policies does Langfuse have in place?

Langfuse maintains a set of policies that meet or exceed the requirements of the SOC 2 Type II and ISO 27001 certifications. See the policy overview for a full list of policies.

What policies do you have in place for data protection and privacy?

We have policies in place for data protection, data classification, and data retention. See the privacy FAQ for more details.

How often are third‑party pen tests performed, and are results shareable?

Independent penetration tests are performed annually, supplemented by continuous vulnerability scanning. See penetration testing for more details and past results.

How does Langfuse manage risk?

Langfuse manages risk through a formal process of identifying threats and vulnerabilities to our assets. We then assess the potential impact and likelihood of each risk to calculate a score, which determines its priority. All high and critical risks must be treated, and our entire risk management framework is reviewed at least annually to adapt to new threats.

How does Langfuse manage its vendors?

Langfuse maintains an inventory of all vendors and classifies them by risk level based on the data they access. For all third parties, and especially high-risk vendors, we enforce contractual requirements covering security and privacy. We verify their compliance by reviewing security documentation, such as SOC 2 or ISO 27001 reports, to ensure their practices align with our standards.

Sub‑processors & Third‑Party Risk

Which sub‑processors have access to customer data?

The current list of sub-processors is published here.

Governance, People & Culture

What does the Acceptable Use Policy look like?

Our policy requires all personnel to undergo background checks (ID verification and reference calls), agree to our terms, and complete security awareness training so that they handle data responsibly. It mandates security measures such as whole-disk encryption on laptops, malware protection, and rules for the proper handling of sensitive information. The policy covers the entire employee lifecycle, from secure onboarding to offboarding, to protect company and customer data.

What does the Code of Conduct look like?

Our Code of Conduct establishes the highest standards of ethical business conduct, requiring all employees and contractors to act with integrity and comply with the law. It outlines our commitment to a safe, supportive, and inclusive work environment, with strict prohibitions against harassment, discrimination, and conflicts of interest. The policy provides clear channels for reporting concerns without fear of retaliation and details our procedures for protecting confidential information and company assets.

How does Langfuse manage physical security?

Our Berlin and San Francisco offices are shared spaces with controlled after-hours access, comparable to a co-working environment. Consequently, all personnel are required to follow a strict clean desk policy, using lockable storage and shredders so that no sensitive information is left unattended. As we do not operate our own data centers, physical security for the data centers we use is managed by our third-party cloud providers.

Who owns security inside Langfuse?

Langfuse's CTO leads security efforts, reviews risk quarterly, and drives continuous improvement. See SOC 2 compliance for more details.