Data Privacy and Security
At Langfuse, we prioritize data privacy and security. We understand that the data you entrust to us is a vital asset to your business, and we treat it with the utmost care.
With Langfuse Cloud, we handle:
- Deployment
- Scaling
- Upgrades and security patches
- Ensuring high availability:
Security Measures
Langfuse Cloud
- We encrypt all data at rest and in transit using TLS.
- Our database and application run on AWS infrastructure, managed by Supabase and Vercel.
- Default data regions:
- US, Northern California (AWS us-west-1), https://us.cloud.langfuse.com (opens in a new tab)
- Europe, Frankfurt, Germany (AWS eu-central-1), https://cloud.langfuse.com (opens in a new tab)
- Default data regions:
- We use Point-in-Time Recovery (PITR) with database backups and Write Ahead Log.
- All users have access to SSO (Single Sign-On) through OAuth 2.0 with Google and GitHub. We can enforce SSO for your organization (Team plan and above) to require 2FA (Two-Factor Authentication).
- For security inquiries, please contact us at security@langfuse.com
Self-hosted Instances
- For installation and configuration, see: Self-hosting guide
- For architecture/component diagram, see: CONTRIBUTING.md (opens in a new tab)
- For basic telemetry, see: README.md (opens in a new tab)
- For security inquiries, please contact us at security@langfuse.com
Privacy Measures
- For our Privacy Policy, see: Privacy Policy (opens in a new tab)
- For Data Subject Access Request Form, see: Data Subject Access Request Form (opens in a new tab)
- We can provide a DPA (Data Processing Agreement) and subprocessor list upon request.
- For privacy inquiries, please contact us at privacy@langfuse.com
Compliance Measures
| Framework | Status (Langfuse Cloud) |
|---|---|
| GDPR | Compliant. DPA available upon request on Pro and Team plan. |
| SOC 2 | In progress, all controls in place. |
| ISO 27001 | In progress, all controls in place. |
| HIPAA | Not compliant. However, compliance can be attained by self-hosting on own infrastructure/VPC. |
For specific compliance requirements or questions, please contact us at compliance@langfuse.com
Responsible Disclosure of Security Vulnerabilities
We value the security community and prioritize system security. We encourage the disclosure of security vulnerabilities to help us protect the security and privacy of our users. Please send actionable vulnerability reports to security@langfuse.com. Please note that we currently do not operate a bug bounty program.
Whistleblowing
We encourage employees and third parties to report breaches to us via email (legal@langfuse.com) or postal mail (address available here). You can contact us anonymously or request that we protect your privacy. For more information, employees can refer to Langfuse's internal Responsible Disclosure Policy.
Notifications
If you want to notify Langfuse of any security-related matters. Please reach out to us via security@langfuse.com