// Trust & Security Report

    Lovable (Lovable Labs) logo

    Lovable (Lovable Labs)

    AI app builder / vibe-coding platform (text-to-app, full-stack web app and website generation)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    SOC 2 Type 1 certification signed by Prescient Assurance verifies that our security controls are designed the right way to keep your data safe. ... Published June 10, 2026. (Trust Center also lists: 'SOC 2 Type I - 2026' and 'SOC 2 Bridge Letter')

    Verify on trust.lovable.dev
    SOC 2 Type II
    HELD

    Conflicting signals. The Trust Center Certifications section lists 'SOC 2 Type II' and 'SOC 2 Bridge Letter', and an Aug 13, 2025 vendor X/Twitter post states Lovable is 'officially SOC 2 Type 2 compliant'. However, the most recent dated primary source (Trust Center Compliance update, June 10, 2026) says: 'Keep an eye open; the Type 2 will hit the Trust Center by end of August if everything plays well, including 6 months of control effectiveness.' Because the latest authoritative statement describes Type II as forthcoming, the report is not independently confirmed as issued as of the verification date. Held marked unknown pending a confirmed report.

    Verify on trust.lovable.dev
    ISO 27001:2022
    HELD

    We've successfully renewed our ISO 27001 certification ... Published May 20, 2026. (Trust Center also lists 'ISO 27001:2022 - Certificate of Registration')

    Verify on trust.lovable.dev
    GDPR
    HELD

    Trust Center Compliance section lists 'GDPR' alongside a published Privacy Policy, Data Processing Agreement, and Transfer Impact Assessment. Primary data region for customer applications/databases is EU (Google Cloud Platform - EU).

    Verify on trust.lovable.dev

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer applications and databases hosted on Google Cloud Platform (EU). Some subprocessors are US-based: Anthropic/Claude (US), AWS S3/SES/Bedrock (US). Cloudflare edge is global.

    Per the DPA, Lovable does not use Customer Personal Data to train, retrain, or fine-tune AI/ML models; it may use only de-identified, aggregated Service Data for statistics/security/operations. Business and Enterprise workspaces can additionally enable a 'Data collection opt out' (Settings > Privacy & security) so proprietary code/projects are never used for training or internal evaluation. Note: opt-out being a workspace toggle implies non-enterprise/free usage may feed product-improvement analytics by default, though not model training of personal data. Underlying model providers are subprocessors (Anthropic/Claude, AWS Bedrock).

    // Security controls

    Penetration testing

    Lovable partners with Aikido to offer AI/agentic pentesting of user projects, with reports structured for SOC 2 / ISO 27001. This is a feature offered to builders for their own apps; internal pentest of Lovable's own platform is implied by SOC2/ISO scope but not separately published.

    lovable.dev

    Bug bounty / vulnerability disclosure

    Vulnerability Disclosure Program on HackerOne (lovable-vdp). Currently no paid bounty; vendor states a private bug bounty is being prepared. Reports also accepted at vulnerability-disclosure@lovable.dev.

    hackerone.com

    Encryption / key management

    Trust Center lists 'Key management implemented', 'Data protection assessment', 'Data retention procedures', backup/recovery and access-restriction controls.

    trust.lovable.dev

    Subprocessors (transparency)

    Published subprocessor list: Google Cloud Platform (EU), Cloudflare (global), Anthropic/Claude (US), AWS (US), plus Castle.io (bot/fraud) and Turbopuffer (source-code indexing) added 2026.

    trust.lovable.dev

    Public security incident (2026)

    A BOLA / object-level authorization vulnerability allowed access to data in user-built projects; reported via the disclosure program. Lovable patched it for new projects but reportedly left existing projects exposed for ~48 days and closed a follow-up report as duplicate. Vendor characterized some exposure as intentional/expected behavior of public projects. Material trust signal for procurement.

    thenextweb.com

    // Products & data scope

    Lovable (Free / Pro consumer)AI app builder

    data: Prompts, generated code, uploaded screenshots/docs; processed via AI subprocessors (Anthropic, AWS Bedrock). Personal data not used for model training, but product-improvement data collection opt-out is gated to Business/Enterprise.

    Generated apps default to publicly accessible deployments; users are responsible for adding auth/RLS. Source of the 2026 data-exposure concerns.

    Lovable Teams / BusinessCollaborative AI app builder

    data: Workspace-level controls; can enable 'Data collection opt out' so code/projects are never used for training or internal evaluation. DPA available.

    SOC 2 / ISO 27001 controls and DPA apply.

    Lovable EnterpriseEnterprise AI app builder

    data: Enterprise terms + DPA, workspace data-collection opt-out, EU data residency for apps/DBs, access to SOC 2 (Type I confirmed; Type II once issued) and ISO 27001 reports under NDA on request.

    Strongest compliance posture tier; separate Enterprise terms.

    // What to watch

    • SOC 2 Type II status is ambiguous: an Aug 2025 vendor social-media post claims 'SOC 2 Type 2 compliant', but the June 10, 2026 Trust Center update says Type II is expected end of August 2026 after 6 months of control effectiveness. Marked unknown until report is confirmed.
    • Public 2026 security incident (BOLA / exposed user projects for ~48 days, follow-up report closed as duplicate). Relevant procurement signal for apps built ON Lovable.
    • Generated apps default to public deployment; security of end-user apps depends on the builder configuring auth/RLS correctly.
    • Product-improvement data-collection opt-out is gated to Business/Enterprise workspaces; free/Pro users cannot opt out via that control (though personal data is still not used for model training per the DPA).

    // At a glance

    Pricing model

    Freemium SaaS with paid Pro, Teams/Business, and Enterprise tiers (credit/usage based)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Lovable (Lovable Labs)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.lovable.dev

    > Browse all vendor trust reports