Security at Framevo
This page covers the controls in place around your account, your data, and the infrastructure that runs Framevo. If you spot something we haven't addressed, please report it.
Last updated · May 30, 2026
Starter language. This page describes Framevo's actual data flows but is not yet lawyer-reviewed. Treat the wording as a template until a legal professional adapts it to your jurisdiction.
Account security
Authentication runs through Firebase Authentication. Passwords are never stored by Framevo; the auth provider handles hashing, rate-limiting, and session management. We support email + password, Google, and any other providers enabled on your workspace.
API keys generated from the dashboard are hashed (SHA-256) before storage. We store only the hash plus a short prefix (e.g. ak_live_a1b2c3d4) for display. The plaintext key is shown to you exactly once at creation time — store it somewhere safe.
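The hash-plus-prefix scheme described above, as an added Node.js example that is not Framevo's code. The function names, the 32-byte key length, the hex encoding, and the in-memory Map standing in for a server-only index keyed by hash are assumptions.

```javascript
// Added example, not Framevo's code. Function names, the 32-byte key length,
// hex encoding and the Map standing in for a server-only index are assumptions.
const { randomBytes, createHash } = require("node:crypto");

const KEY_TAG = "ak_live_";               // tag from the page's sample prefix
const PREFIX_CHARS = 8;                   // characters kept after the tag for display
const KEY_FORMAT = /^ak_live_[0-9a-f]{64}$/;

function sha256Hex(text) {
  return createHash("sha256").update(text, "utf8").digest("hex");
}

// Issue a key. The plaintext is returned to the caller once and never stored;
// only its SHA-256 digest and a short display prefix are persisted.
function issueApiKey(uid, index) {
  const plaintext = KEY_TAG + randomBytes(32).toString("hex"); // 256 bits of CSPRNG output
  const record = {
    uid,
    hash: sha256Hex(plaintext),
    prefix: plaintext.slice(0, KEY_TAG.length + PREFIX_CHARS),
    revoked: false,
  };
  index.set(record.hash, record);
  return { plaintext, record };
}

// Verify a presented key. Malformed input is rejected before hashing, and the
// lookup is by digest, so the only value compared is hash output that the
// caller cannot choose directly.
function verifyApiKey(presented, index) {
  if (typeof presented !== "string" || !KEY_FORMAT.test(presented)) return null;
  const record = index.get(sha256Hex(presented));
  if (!record || record.revoked) return null;
  return { uid: record.uid, prefix: record.prefix };
}
```

A fast, unsalted hash is adequate here only because the key is long random output rather than a user-chosen password; a leaked hash gives an attacker nothing practical to brute-force.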
Data at rest
All project content lives in Google Cloud — Firestore for documents, Cloud Storage for video files, sidecar JSON, and exports. Both services encrypt data at rest using Google-managed keys.
Access is enforced by Firestore security rules and Cloud Storage rules:
- Every project document lives under users/{uid}/projects/{id} and can only be read or written by the owning account.
- API keys live under users/{uid}/apiKeys — readable by the owner, never client-writable.
- The API key index is server-locked. Clients cannot read or write it.
- Storage objects (videos, interactions JSON, exports) are scoped to the owning account's path and gated by the same rules.
Data in transit
All connections between your browser and Framevo run over TLS. Connections from our servers to Firebase, Google Gemini, and Lemon Squeezy run over their providers' TLS endpoints.
Recording capture
Screen capture and microphone access run entirely in your browser through standard getDisplayMedia and getUserMedia APIs. Capture only happens after you grant the browser permission, and only for the surface you select.
When you record a browser tab, Framevo additionally captures coarse interaction events (click positions, scroll, hover, idle stretches) and, where available, the bounding rectangle of the element you clicked. We do not capture the URL, the DOM, page text, role attributes, or keystrokes outside an explicit typing event.
For external (window or monitor) captures, the bounding-rect field is stripped before upload because it would otherwise refer to Framevo's own UI rather than the captured surface.
Third-party AI processing
Video analysis is performed by Google Gemini. We send the uploaded video and a short prompt; we receive structured JSON back (sections, narrative beats, gap-fill labels). Gemini may retain inputs per Google's own retention and usage policy.
We do not pass your account email, name, or any user-identifying metadata to Gemini.
Payments
Payment details — card numbers, billing addresses, tax data — are handled entirely by Lemon Squeezy. Framevo only receives plan state, subscription identifiers, and webhook events. We never see or store card data.
Operational practices
- Server-side routes verify the caller's Firebase ID token before reading or writing project data.
- Plan gates run server-side; client UI mirrors the plan but cannot override it.
- Diagnostic logs are retained for up to 30 days and access is limited to engineering staff.
- Dependencies are tracked and patched as upstream advisories arrive.
Responsible disclosure
If you find a vulnerability, please email support@framevo.app with reproduction steps. We will acknowledge within three business days and work with you on a remediation timeline.
Please give us reasonable time to patch before public disclosure, avoid accessing data that isn't yours, and don't run scanners that could degrade service for other users.
What we don't yet have
We're honest about the gaps. Framevo does not yet offer SOC 2, ISO 27001, HIPAA, or any other formal compliance certification. If you need any of these for your use case, talk to us at support@framevo.app before bringing Framevo into a regulated workflow.
Questions about this page? support@framevo.app