
Data Privacy and Security

At Langfuse, we prioritize data privacy and security. We understand that the data you entrust to us is a vital asset to your business, and we treat it with the utmost care.

We take active steps to demonstrate our commitment to data security and privacy, such as annual SOC2 Type 2 and ISO27001 audits.

With Langfuse Cloud, we handle:

  • Deployment
  • Scaling
  • Upgrades and security patches
  • Ensuring high availability

Security Measures

Langfuse Cloud

  • We encrypt all data at rest and in transit using TLS.
  • Our database and application run on AWS infrastructure, partly managed by Supabase and Vercel.
  • We use Point-in-Time Recovery (PITR) with database backups and Write Ahead Log.
  • All users have access to SSO (Single Sign-On) through OAuth 2.0 with Google, GitHub, and Azure. We can enforce SSO for your organization (Team plan and above) to require 2FA (Two-Factor Authentication) and configure any custom SSO provider.
  • We do not use any of your data for model training and treat it confidentially (terms and conditions).
  • For security inquiries, please contact us at security@langfuse.com

Self-hosted Instances

Privacy Measures

  • For our Privacy Policy, see: Privacy Policy
  • For Data Subject Access Request Form, see: Data Subject Access Request Form
  • We can enter into a DPA (Data Processing Agreement) including a subprocessor list upon request. Please see our DPA Template here for your prior review. Please email us at privacy@langfuse.com with a signed copy, and we will then counter-sign your request. Please note that we require users to be on a Pro, Team or Enterprise Plan when we enter into DPAs with them.
  • For privacy inquiries, please contact us at privacy@langfuse.com

Compliance Measures

Framework | Status (Langfuse Cloud)
GDPR | Compliant. DPA available upon request on Pro and Team plan.
SOC 2 Type II | Certified. Report available upon request on Team plan.
ISO 27001 | Certified. Certificate available upon request on Team plan.
HIPAA | Not compliant. However, compliance can be attained by self-hosting on own infrastructure/VPC.

For specific compliance requirements or questions, please contact us at compliance@langfuse.com

Responsible Disclosure of Security Vulnerabilities

We value the security community and prioritize system security. We encourage the disclosure of security vulnerabilities to help us protect the security and privacy of our users. Please send actionable vulnerability reports to security@langfuse.com. Please note that we currently do not operate a bug bounty program.

The following users identified security vulnerabilities which led to improvements of Langfuse.

Reported by | PR with fix | Description
Ather Iqbal | #4434 | Password complexity + block links in user name

Whistleblowing

We encourage employees and third parties to report breaches to us via email (legal@langfuse.com) or postal mail (address available here). You can contact us anonymously or request that we protect your privacy. For more information, employees can refer to Langfuse’s internal Responsible Disclosure Policy.

Notifications

If you want to notify Langfuse of any security-related matters, please reach out to us via security@langfuse.com.
