Security & subprocessors

Last updated: 14 July 2026

A plain-language summary of how Furlen handles your data and who we rely on to run the service. For the legal detail see our Privacy policy and Terms.

Encryption

All traffic to Furlen is encrypted in transit over HTTPS/TLS. Data at rest — your files, stories, and account data — is stored with providers (Supabase, Vercel, Railway) that encrypt storage at rest. Signed download links for exports expire automatically.

Access control

Your workspace is scoped to you and the people you invite. Database access is enforced with row-level security so one account can't read another's data. Application secrets and third-party keys live server-side, never in the browser.

Subprocessors

We use the following processors to run the service. We don't sell your data or permit these providers to train models on it under our terms.

ProviderPurposeData
SupabaseDatabase, auth, and file storageAccount data, uploaded files, generated stories
VercelWebsite + API hostingRequests, in-transit data
RailwayVideo render workerStory specs + rows during a render
AnthropicAI story text (copywriter)Column names, statistics, insights — not your full raw file
ElevenLabsVoiceover synthesis (optional)Only the narration script text, when enabled
Dodo PaymentsMerchant of record / billingPayment + subscription status (we never see card data)
PostHogProduct analyticsAnonymous-by-default usage events
SentryError monitoringTechnical error details when something breaks

Data retention & deletion

Delete a project and its data goes with it immediately. Want everything gone, account included? Email us and we'll erase it within 30 days. A summary of your data (not the full raw file) is sent to our AI provider only at the moment you generate a story, to write the text.

Product security

Furlen treats uploaded data as data, never as code: spreadsheet formulas are shown inert (never executed), and pasted HTML/scripts are rendered as text. Every numeric claim in a story is recomputed from your source rows before export, so the output reflects your data rather than model guesswork.

Data processing agreement (DPA) & reporting

Need a DPA, a subprocessor-change notification, or want to report a security issue? Email amitsharma@furlen.pro and we'll respond within 30 days (faster for security reports). Please don't include exploit details in a first email — ask for a secure channel.

What we don't claim (yet)

Furlen is an early-stage product operated by an individual proprietor. We do not currently hold formal certifications such as SOC 2 or ISO 27001, and we won't imply that we do. If your organisation requires one before adopting a tool, tell us — it helps us prioritise.