Security

A secure AI video platform, built to pass procurement.

AES-256 at rest, TLS 1.2+ in transit, GDPR self-serve deletion, and SOC 2 Type I targeted Q3 2026. MFA, audit logs, tenant isolation by record rules, rate limiting, geo-blocking, and a hardened upload path — the same module already runs production workloads.

Account security

Defense in depth on every login

Strong auth, session hygiene, and brute-force protection.

Multi-factor auth

TOTP authenticator apps. Optional enforcement at workspace level.

SSO

Native SSO; SAML and OIDC for Enterprise via standard connectors.

Rate limiting

Per-account and per-IP throttles on login, API, and signup endpoints.

Data protection

Yours stays yours

Tenant isolation, encrypted secrets, and GDPR-compliant deletion paths.

Tenant isolation

Record rules scope every query by workspace and user. A cross-tenant read is denied at the data layer, not merely hidden in the UI.

Encrypted at rest

AES-256 on object storage. Secrets are write-only: they can be set and rotated but are never read back or echoed to the browser.

Encrypted in transit

TLS 1.2+ on all external endpoints. HSTS preload-ready.

GDPR deletion

Self-serve account deletion. Hard-delete pass within 30 days, audit-logged.

Geo-blocking

Region allow/deny lists at the workspace level for residency compliance.

Data isolation

Each tenant's objects live under a per-tenant key prefix; access is governed by one bucket policy per environment.
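The isolation described under Tenant isolation and Data isolation above, modelled as an added example that is not StudioCut.Video's code. The platform enforces isolation with ORM record rules; this stand-in reproduces the same guarantee as a mandatory workspace predicate appended to every statement, and derives the per-tenant storage prefix from the authenticated principal rather than from the request. The table, the two workspaces and the `Principal` class are constructed for the demo.

```python
"""Tenant-scoped data access.  Added example with constructed data; not
StudioCut.Video's code.  Models record-rule isolation as a workspace predicate
that every query gets, plus a storage-key builder bound to the session."""
import posixpath
import sqlite3
from dataclasses import dataclass
from typing import Optional


class TenantScopeError(PermissionError):
    """A query was attempted without an authenticated tenant context."""


@dataclass(frozen=True)
class Principal:
    user_id: int
    workspace_id: int


def build_db() -> sqlite3.Connection:
    """Constructed fixture: two workspaces (10 = acme, 20 = globex)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE video (id INTEGER PRIMARY KEY, workspace_id INTEGER NOT NULL,
                            owner_id INTEGER NOT NULL, title TEXT NOT NULL);
        INSERT INTO video VALUES (1, 10, 100, 'acme launch teaser');
        INSERT INTO video VALUES (2, 10, 101, 'acme internal memo');
        INSERT INTO video VALUES (3, 20, 200, 'globex keynote');
    """)
    return conn


class VideoRepo:
    """Every read and write is ANDed with the caller's workspace.  There is no
    unscoped entry point, so a handler cannot 'forget the filter'."""

    def __init__(self, conn: sqlite3.Connection, principal: Optional[Principal]):
        if principal is None:
            raise TenantScopeError("no tenant scope on request")
        self.conn, self.p = conn, principal

    def _scoped(self, sql: str, params=()):
        # The record rule: the workspace predicate is appended here, once,
        # instead of being remembered (or not) by each caller.
        return self.conn.execute(sql + " AND workspace_id = ?",
                                 (*params, self.p.workspace_id))

    def list_titles(self) -> list:
        rows = self._scoped("SELECT title FROM video WHERE 1 = 1")
        return sorted(r["title"] for r in rows)

    def get(self, video_id: int):
        # None for both 'no such id' and 'exists in another tenant': answering
        # 403 to the second case would confirm that the id is valid.
        row = self._scoped("SELECT * FROM video WHERE id = ?", (video_id,)).fetchone()
        return dict(row) if row else None

    def rename(self, video_id: int, title: str) -> bool:
        cur = self._scoped("UPDATE video SET title = ? WHERE id = ?", (title, video_id))
        return cur.rowcount == 1


def object_key(principal: Principal, filename: str) -> str:
    """Storage key under the tenant's prefix.  The prefix comes from the
    session, never from the request; the name is reduced to its last path
    component so '../' or an absolute path cannot escape the prefix."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("empty or traversal filename")
    return f"ws-{principal.workspace_id}/{name}"


def demo() -> dict:
    """Constructed scenario: globex tries to read and rename an acme record."""
    conn = build_db()
    acme = VideoRepo(conn, Principal(user_id=100, workspace_id=10))
    globex = VideoRepo(conn, Principal(user_id=200, workspace_id=20))
    try:
        VideoRepo(conn, None)
        unscoped_rejected = False
    except TenantScopeError:
        unscoped_rejected = True
    return {
        "acme_sees": acme.list_titles(),
        "globex_reads_acme_id": globex.get(1),            # None, not 403
        "globex_renames_acme_id": globex.rename(1, "defaced"),
        "acme_title_after": acme.get(1)["title"],
        "unscoped_rejected": unscoped_rejected,
        "acme_key": object_key(acme.p, "../../ws-20/keynote.mp4"),
    }
```

The point to carry over to any ORM: the tenant predicate belongs in one place the handlers cannot bypass, writes are scoped the same way as reads, and a foreign id answers "not found" rather than "forbidden".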

Hardened uploads

Nothing untrusted lands without validation

Server-side content-type detection, magic-byte checks, size limits, and CSP-scoped delivery.

MIME validation

The server checks magic bytes, so a file whose extension does not match its actual content is rejected rather than trusted.
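The magic-byte check above, written out as an added example that is not StudioCut.Video's upload code. The signature table, the allowed-extension map, the size cap and the sample byte strings are all constructed for the demo; the example goes a step beyond the text by also refusing browser-interpretable markup (HTML, SVG) that arrives under a media extension, since that is the usual stored-XSS route through an upload endpoint.

```python
"""Server-side upload validation: the file's own bytes decide its type; the
client's filename is only checked against that verdict and the client's
declared Content-Type is never used.  Added example with constructed inputs;
not StudioCut.Video's code."""

# (kind, signature, offset in file).  ISO-BMFF (mp4/mov/m4v) keeps the 'ftyp'
# box type at offset 4, after the 32-bit box size.
MAGIC = (
    ("png",  b"\x89PNG\r\n\x1a\n", 0),
    ("jpeg", b"\xff\xd8\xff",      0),
    ("webm", b"\x1a\x45\xdf\xa3",  0),   # EBML header, shared by WebM and Matroska
    ("mp4",  b"ftyp",              4),
)
# Extensions each detected kind may be uploaded under, and the one Content-Type
# the server will ever serve it with.  Assumed lists, not the platform's.
ALLOWED_EXT = {"png": {"png"}, "jpeg": {"jpg", "jpeg"},
               "webm": {"webm", "mkv"}, "mp4": {"mp4", "m4v", "mov"}}
SERVE_TYPE = {"png": "image/png", "jpeg": "image/jpeg",
              "webm": "video/webm", "mp4": "video/mp4"}
# Content a browser could render as a document is refused whatever it is named:
# an SVG or HTML body behind a .png name is a script payload, not a picture.
SCRIPTABLE_PREFIXES = (b"<!doctype", b"<html", b"<svg", b"<script", b"<?xml")
MAX_BYTES = 500 * 1024 * 1024   # assumed cap; the platform's caps are per plan


def sniff(head: bytes):
    """Return the container kind whose signature matches, or None."""
    for kind, sig, off in MAGIC:
        if head[off:off + len(sig)] == sig:
            return kind
    return None


def validate_upload(filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> dict:
    """Returns {'ok': True, 'content_type': ...} for an accepted file, or
    {'ok': False, 'status': 413 | 415, 'reason': ...} with a human-readable
    reason the client can act on."""
    if len(data) > max_bytes:
        return {"ok": False, "status": 413,
                "reason": f"body is {len(data)} bytes; cap is {max_bytes}"}
    head = data[:64]
    if head.lstrip().lower().startswith(SCRIPTABLE_PREFIXES):
        return {"ok": False, "status": 415,
                "reason": "markup/document content is not accepted"}
    kind = sniff(head)
    if kind is None:
        return {"ok": False, "status": 415, "reason": "unrecognised container"}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT[kind]:
        return {"ok": False, "status": 415,
                "reason": f"content is {kind} but the name ends in .{ext}"}
    # The served Content-Type is derived from the bytes, never echoed from the client.
    return {"ok": True, "content_type": SERVE_TYPE[kind]}


# Constructed sample bodies: a minimal mp4 header, a PNG header, and an HTML
# document that a naive extension check would accept as an image.
SAMPLES = {
    "mp4":  b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 32,
    "png":  b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 32,
    "html": b"<!DOCTYPE html><script>alert(document.cookie)</script>",
}
```

A passing magic-byte check establishes the container, not that the file is safe to process: the render pipeline still has to treat the bytes as untrusted input, and delivery should pin the detected Content-Type and a restrictive CSP so the browser cannot reinterpret the object.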

CSP & CORS

Strict CSP per route; CDN origins allow-listed via the storage resolver.

Quota walls

Per-plan file size and request caps. Oversized bodies get 413 and throttled callers get 429, each with a response that states the limit and when to retry.
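The throttles listed under Rate limiting (per-account and per-IP, on login, API and signup) and the 413/429 quota walls above, as one added example that is not StudioCut.Video's code. The limit values, endpoint names, body caps and the problem-style JSON shape are assumptions; the limiter keeps its state in memory, where a production deployment would use a shared store.

```python
"""Per-IP and per-account throttles plus a body-size cap, all evaluated before
any work is done.  Added example; not StudioCut.Video's code.  Limits,
endpoint names and the error-body shape are assumed."""
import math
import time
from collections import defaultdict, deque

# Throttle scope -> (max requests, window seconds).  Assumed values.
LIMITS = {
    "login:ip":      (5, 60),     # brute force from one address
    "login:account": (10, 600),   # credential stuffing spread across addresses
    "signup:ip":     (3, 3600),
}
# Content-Length caps per endpoint (bytes).  Assumed values.
MAX_BODY = {"upload": 500 * 1024 * 1024, "login": 4096}


class SlidingWindowLimiter:
    """Exact sliding-window log per (scope, key).  The clock is injectable so
    the behaviour can be driven deterministically."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits, self.clock = limits, clock
        self.log = defaultdict(deque)

    def check(self, scope, key):
        """Returns (allowed, seconds_until_a_slot_frees)."""
        max_req, window = self.limits[scope]
        now = self.clock()
        q = self.log[(scope, key)]
        while q and q[0] <= now - window:        # drop hits that aged out
            q.popleft()
        if len(q) >= max_req:
            return False, q[0] + window - now    # the oldest hit expires then
        q.append(now)
        return True, 0.0


def gate_request(limiter, endpoint, ip, account_id, content_length):
    """Apply every wall in order: size first (from Content-Length, before the
    body is read), then per-IP, then per-account.  Returns (status, headers,
    body); body is None when the request may proceed."""
    cap = MAX_BODY.get(endpoint)
    if cap is not None and content_length > cap:
        return 413, {}, {"title": "Payload too large", "limit_bytes": cap,
                         "detail": f"Content-Length {content_length} exceeds the cap of {cap} bytes"}
    for scope, key in ((f"{endpoint}:ip", ip), (f"{endpoint}:account", account_id)):
        if scope not in limiter.limits or key is None:
            continue
        allowed, retry = limiter.check(scope, key)
        if not allowed:
            wait = math.ceil(retry)
            max_req, window = limiter.limits[scope]
            return 429, {"Retry-After": str(wait)}, {
                "title": "Too many requests",
                "detail": f"{max_req} requests per {window}s on {scope}; retry in {wait}s"}
    return 200, {}, None


class FakeClock:
    """Deterministic clock for the demo; replace with time.monotonic in use."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Constructed traffic: six logins from one IP in one second, one more after
    the window rolls, then an oversized upload.  Returns (status, Retry-After)."""
    clock = FakeClock()
    lim = SlidingWindowLimiter(LIMITS, clock)
    out = []
    for _ in range(6):
        status, headers, _body = gate_request(lim, "login", "203.0.113.7", "alice", 300)
        out.append((status, headers.get("Retry-After")))
    clock.t += 61
    status, headers, _body = gate_request(lim, "login", "203.0.113.7", "alice", 300)
    out.append((status, headers.get("Retry-After")))
    status, headers, _body = gate_request(lim, "upload", "203.0.113.7", "alice", 600 * 1024 * 1024)
    out.append((status, headers.get("Retry-After")))
    return out
```

Ordering matters: the size check runs on the declared length before any bytes are buffered, and a request refused by the IP wall never consumes the account's allowance, so an attacker hammering one address cannot lock a legitimate user out of their own account from elsewhere.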

Audit & observability

Every meaningful action, logged

Mail thread on records plus a structured audit table for high-volume events.

Per-record audit

Edits, approvals, renders, publishes — actor + timestamp on every model.

AI cost telemetry

Per-call tokens and cost stored immutably. Detect anomalies before invoice surprises.

Voice cloning policy

Custom voices require consent

A custom voice ID may only be created and used with the voice owner's explicit permission.

A voice may only be cloned or used with the explicit, documented consent of the voice owner. You are responsible for holding that consent before uploading or generating a custom voice.

Prohibited use

Impersonation, fraud, and any deceptive or non-consensual use of a cloned voice are not permitted. The same applies to voices created without the owner's consent.

Compliance posture

Where we stand

GDPR-aligned today; SOC 2 in progress.

GDPR

DPA available on request. EU data residency option on Enterprise.

CCPA

Self-serve data export and deletion meet "right to know" and "right to delete".

SOC 2

Type I targeted Q3 2026. Type II following 12-month observation period.

Security & compliance — procurement questions

Is StudioCut.Video GDPR compliant?

Yes. StudioCut.Video is GDPR-aligned, with self-serve data export and deletion. Personal data can be deleted on request through the account settings, and our privacy policy describes the same commitment.

Are you SOC 2 certified?

SOC 2 Type I is targeted for Q3 2026, with Type II following a 12-month observation period. We can share our current security posture and controls during procurement.

How is my data encrypted?

Data is encrypted with AES-256 at rest on object storage and TLS 1.2+ in transit. Secrets are stored write-only and never echoed back to the browser.

How are tenants isolated?

Tenant data is isolated by record rules scoped to each account and workspace. Every action is recorded in the per-record audit log and in immutable AI cost telemetry, so it can be traced to an actor and a timestamp.

Report a vulnerability

Found something? Email security@studiocut.video. PGP key on request. We respond within one business day and credit disclosures with permission.