Security

Your audio. Your control.

How Levels Flow keeps the audio you upload, the contracts you send, and the receipts you photograph in your hands — and out of everyone else's. No security theatre, just the facts.

How we keep your audio yours.

  • Your audio, on infrastructure you'd recognise.

    Files live on Supabase Storage, which sits on AWS S3. Every storage row is locked to your account by Postgres row-level security policies, so no other studio can list or read your objects, even through a stray API call made with a valid session. Signed download URLs are issued per listener and expire on a clock you control.

  • Encrypted in transit, encrypted at rest.

    Every request runs over TLS: your clients open share links over HTTPS, you sign in over HTTPS, and the dashboard talks to the database API over HTTPS. Audio at rest sits inside AWS S3 with server-side AES-256 encryption. There is no long tail of unencrypted backups.

  • Auth that doesn't pass passwords around.

    Login is Supabase Auth: short-lived session tokens, refresh tokens scoped to the device, and a magic-link option for the password-averse. Passwords are hashed with bcrypt; we never see them in plaintext. Two-factor authentication is on the roadmap.

  • Share links are signed, scoped, and revocable.

    Every public listen URL carries a signed token tied to a single song or project. Revoke a link from the song page in one click and the server rejects that token on its next use. Studio+ adds time-limited expiry; Pro adds watermarked previews so leaks identify themselves.

  • Backups you don't have to think about.

    Supabase runs daily automated backups of the database, with point-in-time recovery on the production project. Your audio sits in S3 with the same durability AWS gives everything else stored there. Keeping your own copy of the masters is still your job.

  • Your data is yours — in writing.

    Export everything from /api/export/me as a JSON archive any time. Delete your account from Settings and the rows go with it. Your audio is yours, not a training corpus, not a partner's data lake.

  • We don't read your email — only the attachments matter.

    When you forward to your Levels Flow alias, the classifier looks at envelope metadata (sender, subject, attachment list) and sends only the genuinely ambiguous cases to Claude Haiku to decide whether there is music in the message. Bodies are held only long enough to classify and are not retained as searchable text. Discarded mail is soft-deleted along with its row; the attachment is not stored anywhere. We don't archive your inbox, we don't index your conversations, and the AI doesn't train on your email.
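The signed download URLs and the revocable share links described above rest on one pattern: a token whose signature binds it to a single resource and an optional expiry, checked server-side against a revocation record so that a one-click revoke takes effect on the next request. The following is an added example of that pattern, not Levels Flow's own code; it assumes an HMAC-SHA256 server key and an in-memory set standing in for a revocation table, and every identifier in it (SERVER_KEY, REVOKED, mint_token, verify_token) is made up for illustration.

```python
"""Signed, scoped, revocable share tokens.

Added illustration, not the product's code. Assumes a server-side HMAC key
and an in-memory revocation set standing in for a database table.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: in production this comes from a KMS or environment secret.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

# Constructed stand-in for a "revoked_tokens" table keyed by token id.
REVOKED: set[str] = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())


def mint_token(song_id: str, token_id: str, ttl_seconds: Optional[int],
               now: Optional[float] = None) -> str:
    """Return '<payload>.<sig>'.

    The payload binds the token to one song id, a unique token id (so it can
    be revoked individually) and an optional absolute expiry; ttl_seconds=None
    mints a link that only a revoke can kill.
    """
    now = time.time() if now is None else now
    payload = {
        "song": song_id,
        "jti": token_id,
        "exp": None if ttl_seconds is None else int(now + ttl_seconds),
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def revoke(token_id: str) -> None:
    """One-click revoke: record the token id; verification consults it."""
    REVOKED.add(token_id)


def verify_token(token: str, expected_song_id: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is authentic, scoped to the requested
    song, unexpired and unrevoked; otherwise None.

    Order matters: the signature is checked first so that untrusted bytes are
    never parsed, and revocation is checked last so the lookup only happens
    for otherwise-valid tokens.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time compare
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("song") != expected_song_id:      # scope: one song only
        return None
    exp = payload.get("exp")
    if exp is not None and now >= exp:               # time-limited expiry
        return None
    if payload.get("jti") in REVOKED:                # server-side revocation
        return None
    return payload


if __name__ == "__main__":
    link = mint_token("song-42", "tok-1", ttl_seconds=3600)
    print("valid:", verify_token(link, "song-42") is not None)
    revoke("tok-1")
    print("after revoke:", verify_token(link, "song-42"))
```

The point of the token id ("jti") is the part a purely stateless signed URL cannot give you: without a server-side record, a signed link lives until its expiry no matter what the UI says, so an "immediate" revoke needs the lookup shown above on every request.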

What we don't do

The negative space matters more than the checkmarks.

Anyone can list what their product does. The shorter list is the one we hold to: the things we will never do with your files or your clients' attention.

  • We don't run advertising in the product. Ever.
  • We don't sell or share your data with third parties.
  • We don't load tracking pixels on the share pages your clients open.
  • We don't train AI on your audio. Not ours, not anyone else's.
  • We don't read your inbox. The email classifier only sees what your forwarder sends, and only stores what's musically relevant.

Where we are with formal compliance

Honest, because pretending is worse than missing.

We run on infrastructure that carries its own audits. AWS (S3, behind Supabase Storage) holds SOC 2 reports and ISO 27001 certification. Supabase is GDPR-aligned and runs the database backbone; we enable row-level security on every table. HTTPS is enforced everywhere.

We have not yet completed an independent SOC 2 or ISO 27001 audit at the Levels Flow company level. Doing one well takes months; doing one poorly is theatre. If your label or agency requires a signed report from us, talk to us about Enterprise and we'll work toward what you need.

Found a security issue? Email security@levelsflow.app. We respond within one business day; coordinated disclosure is welcome.

Bring your sessions. We'll keep them yours.

Free during beta. Your clients still don't need an account.