Trust Center

What we've built.
What we're building. Honestly.

This page is the truthful version of our security posture — not a wall of compliance logos. Every row marks live, planned, or on request. We do not claim certifications we haven't earned.

Our stance

  • Your canon is yours. We don't train on your uploads, we don't resell your content, and training capture is opt-in at the workspace level.
  • Infrastructure inherits Supabase SOC 2 Type II and Stripe PCI DSS Level 1. Our own SOC 2 audit is in planning — target Q3 2026 for Type I, Q1 2027 for Type II.
  • Enterprise = your cloud. The whole stack (web, workers, DB, object storage, auth) runs in your Supabase project and your Railway environment. We never see a frame.

Security

  • Live

    Data encryption in transit (TLS 1.2+)

  • Live

    Data encryption at rest (Supabase Postgres + object storage)

  • Live

    Workspace-scoped access enforced by centralized membership guards on every authenticated API route

    Application-layer enforcement via assertWorkspaceMember / assertProjectAccess / assertShotAccess / assertReleaseAccess; covered by automated IDOR regression tests

  • Planned

    Database-layer row-level security (Postgres RLS) as defense-in-depth

    Belt-and-suspenders on top of the application-layer guards above. Target ahead of SOC 2 Type I (Q3 2026)

  • Live

    Webhook payloads signed with HMAC-SHA256 per customer secret

  • Live

    Audit ledger: workspace-scoped, append-only, hash-chained, exportable

  • Live

    Provenance manifests on every release: HMAC-SHA256-signed payload + per-shot signatures + audit-ledger digest linkage

    NLE export files themselves are not byte-signed — the signature attests to the manifest (canon snapshot + provider job IDs + per-shot signatures), which auditors verify against the exported files via the public /api/provenance endpoints

  • Planned

    Asymmetric (public-key) provenance signing for offline distributor verification

    Current HMAC-SHA256 is symmetric — distributors must call our verify API or hold a shared key. Ed25519 upgrade ahead of Enterprise BYOK rollout

  • Live

    Constant-time secret comparison on cron + admin endpoints (timing-attack hardened)

  • Live

    Automated provider failover with per-provider health tracking + cooldown

  • Live

    Per-user + per-workspace rate limits on expensive endpoints (generation, LoRA training, checkout)

  • Live

    Monthly + daily + hourly spend ceilings per workspace (defense against runaway loops + compromised keys)

  • On request

    Bring-your-own-cloud (Enterprise) — full stack in your Supabase/Railway

    Ask us

  • Planned

    SOC 2 Type I

    Target Q3 2026

  • Planned

    SOC 2 Type II

    Target Q1 2027
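
How the hash-chained audit ledger and the HMAC-SHA256-signed provenance manifest listed above can be checked together, as an added example that is not this service's code. The field names (prev, event, hash, ledger_digest), the all-zero genesis value and the canonical JSON encoding are assumptions, since the page does not publish the actual formats.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor for the first entry's "prev" field

def canonical(obj):
    # Assumed canonical form: sorted keys, no whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev, event):
    return hashlib.sha256(prev.encode() + canonical(event)).hexdigest()

def append(ledger, event):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})

def first_broken_entry(ledger):
    """Index of the first entry whose link or hash fails, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["event"]):
            return i
        prev = e["hash"]
    return -1

def sign_manifest(secret, manifest):
    return hmac.new(secret, canonical(manifest), hashlib.sha256).hexdigest()

def verify_release(secret, manifest, signature, ledger):
    # compare_digest runs in constant time, so the check leaks no prefix match.
    if not hmac.compare_digest(sign_manifest(secret, manifest), signature):
        return "bad-signature"
    if first_broken_entry(ledger) != -1:
        return "ledger-tampered"
    # The signed digest must name an entry that still exists in the chain.
    if manifest.get("ledger_digest") not in {e["hash"] for e in ledger}:
        return "ledger-mismatch"
    return "ok"

def demo():
    # Constructed sample data; the secret and events are made up.
    secret, ledger = b"constructed-demo-secret", []
    append(ledger, {"action": "shot.approved", "shot": "s1"})
    append(ledger, {"action": "release.created", "release": "r1"})
    manifest = {"release": "r1", "shots": ["s1"], "ledger_digest": ledger[-1]["hash"]}
    sig = sign_manifest(secret, manifest)
    append(ledger, {"action": "release.exported", "release": "r1"})
    return secret, manifest, sig, ledger
```

Because the signature is symmetric, whoever can run verify_release with the secret can also produce valid signatures, which is the limitation the planned Ed25519 item addresses.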

Authentication & Access

  • Live

    Email + password via Supabase Auth

  • Live

    Google OAuth / GitHub OAuth

  • Live

    Password reset via signed email link

  • Live

    Canonical-email dedupe + disposable-domain blocklist for anti-abuse

  • Live

    Card-on-file verification (Stripe SetupIntent, never charged)

  • On request

    SAML / OIDC SSO (Okta, Azure AD, Google Workspace)

    Enterprise only

  • Planned

    SCIM provisioning + deprovisioning

    Enterprise, target Q4 2026

Privacy & Data Handling

  • Live

    We never train models on your uploads by default (opt-in only)

  • Live

    We never resell your canon, characters, or generated content

  • Live

    Training opt-in is workspace-scoped and revocable at any time

  • Live

    Right-to-delete: workspace deletion purges all owned data within 30 days

  • On request

    Data residency (EU-only / US-only) for Enterprise

  • On request

    HIPAA / GDPR DPA available on request

Subprocessors

Third-party services that process customer data on our behalf. We notify customers of material changes 30 days before they take effect.

Vendor | Purpose | Region | DPA
Supabase | Database, object storage, auth, transactional email | US East / EU West | Link
Railway | Application + cron hosting | US East / EU West | Link
Stripe | Payments, card verification (PCI DSS Level 1) | Global | Link
fal.ai | Video / image / audio model inference (Wan, Kling, Seedance, Veo, Nano Banana, Stable Audio, MMAudio, Flux LoRA) | Global | Link
Runway | Video model inference (Gen-4 via direct API) | Global | Link
ElevenLabs | TTS (Eleven v3), Music (compose + video-to-music), SFX | Global | Link
Sync.so | Lipsync — audio + video alignment | Global | Link
Groq | LLM inference (script planner, suggestions) — default copilot model | US | Link
Google (Gemini via AI Studio) | Vision + LLM (continuity scoring, multimodal review) — default vision model | US / EU | Link
PostHog | Product analytics (opt-out available) | US / EU | Link
Sentry | Error monitoring | US / EU | Link

Incident response

  • Detection: Sentry alerts on application errors; Supabase and Railway alerts on infrastructure events.
  • Triage: Severity levels SEV-1 through SEV-4. SEV-1 (data exposure, auth bypass) acknowledged within 1 hour, 24/7.
  • Notification: Affected workspace admins are emailed within 72 hours of confirmed exposure, per GDPR article 33 standard — regardless of jurisdiction.
  • Post-mortem: Public blameless write-up for every SEV-1/SEV-2 incident within 14 days.

Procurement or security review?

Email security@milkink.studio and we'll respond within one business day with a security questionnaire pack, DPA draft, and subprocessor list tailored to your jurisdiction.