Trust & security
Security built for sensitive stories.
Mission-driven organizations trust StoryOS with footage of real people in real places. We protect it with encryption, strict access controls, and clear commitments about how AI touches your content. This page lays out exactly how.
How your data is protected
The controls below apply to every organization on StoryOS, on infrastructure that is independently audited to SOC 2 Type II.
Encryption everywhere
Your data is encrypted in transit with TLS 1.2+ and at rest with AES-256 across our infrastructure. For enterprise customers that require it, we can apply field-level encryption to specific sensitive fields.
Tenant isolation
Each organization's data is isolated by a permission layer enforced in our application code. Every request passes a role and resource-scope check before any query runs, and denied attempts are written to an audit log.
MFA and least privilege
Multi-factor authentication is required on every account that can reach production or customer data. Internal access follows least privilege and is reviewed regularly.
Tested backups
Our database supports continuous point-in-time recovery, and we test the restore process so a recovery works when it is needed.
A documented security program
We maintain a written information-security policy, a data-classification scheme, and an incident-response plan with a 48-hour breach-notification commitment.
Vendor diligence
Every infrastructure provider we rely on maintains SOC 2 Type II, each bound by a data-processing agreement.
Our AI commitments
AI makes your archive searchable and helps draft. These commitments are structural — they apply to every account and every piece of content.
Your content is never used to train AI models
We use providers' enterprise API tiers, whose terms prohibit training on customer content, and we lock this in by contract.
US-hosted models only
All AI inference runs on Google Gemini in the United States. We use no Chinese-hosted models — this is a hard rule across the entire stack.
Real footage
Source footage and anything presented as documentary content is always real. AI-generated imagery is limited to thumbnail graphics.
Human approval on every narrative surface
AI proposes and drafts. A person approves before anything reaches a client, donor, or audience. The suggest-and-approve gate is built into the platform itself.
AI logs exclude your content
We log the model, token counts, and cost of each AI call. We do not store the content of AI outputs.
Infrastructure & subprocessors
We build on a small set of providers, each maintaining SOC 2 Type II and each bound by a data-processing agreement. We notify customers at least 30 days before adding or changing a subprocessor.
- VercelApplication hostingView DPA →
- NeonDatabase (Postgres)View DPA →
- ClerkAuthentication & MFAView DPA →
- ShadeMedia storage & transcriptionView DPA →
- Twelve LabsVideo understandingView DPA →
- GoogleAI (Gemini)View DPA →
Where we stand on compliance
We are direct about what is in place today and what is on our roadmap.
SOC 2
Our infrastructure providers maintain SOC 2 Type II, so those controls are inherited today. Our own SOC 2 program is on a phased roadmap — Type I, then Type II — which we begin when an enterprise engagement requires it. We will state it as in progress and will not claim certification until an independent auditor has issued a report.
Data processing
We provide a standard Data Processing Addendum for customers to review and sign, with EU Standard Contractual Clauses where relevant. We execute back-to-back DPAs with each subprocessor so our commitments flow through to every provider.
Data residency
Our platform processes data in the United States by default. Enterprise deployments can keep your data in your own cloud region.
Incident response
We follow a documented incident-response runbook and notify affected customers of a personal-data breach without undue delay and within 48 hours of becoming aware.
Enterprise
Your cloud, your keys
For enterprise deployments, we provision a data lake in your own cloud account. Your media and audit logs stay in your account, encrypted under a key you hold, with an audit trail you control and the ability to revoke our access at any time. Your security team reviews and approves the design before anything is provisioned.
Talk to us about security
Security questions, a vendor review, or our Data Processing Addendum — reach us directly. Our DPA and subprocessor list are available on request.