Your code, your data, on infrastructure aligned with industry standards.
Your data, your control
Built to keep what's yours, yours.
Encrypted in transit
All traffic is encrypted over TLS. Sessions live in httpOnly, secure cookies.
OAuth sign-in
Sign in with Google or GitHub. No passwords stored. Sessions managed by Supabase.
Code is not used to train AI
Prompts and code are not used to train models. Providers retain logs briefly for abuse detection only.
Open source
Weblab is Apache-2.0 licensed. The full source is on GitHub — audit it, fork it, run it yourself.
Compliance
Compliance posture
We follow the controls behind the standards customers expect.
GDPR-aligned
Data minimization, right to access, right to erasure. Email us to exercise your rights.
CCPA-aligned
California residents may opt out of sale or sharing. We do not sell personal data.
Aligned with ISO 27001 controls
Access control, least-privilege secrets, encryption in transit, and incident response practices.
Modeled on SOC 2 practices
Change management, monitoring, vendor review, and access reviews follow SOC 2 trust criteria.
Open-source codebase
Anyone can review our code. Security through transparency, not obscurity.
Coordinated disclosure
Report vulnerabilities privately via GitHub Security Advisories. We respond within five business days.
Weblab is aligned with these frameworks but is not currently certified against ISO 27001 or SOC 2. Formal audits are on our roadmap.
Vs typical builders
How we compare
Weblab versus typical site builders — where your data stands.
| Feature | Weblab | Typical site builder |
|---|---|---|
| Your code | Yours — real React in your Git repo | Locked into a proprietary format |
| Source available | Apache-2.0, public on GitHub | Closed source |
| Export your project | Anytime, full source | Restricted or paid tier |
| AI training opt-out | Default — your code is never used | Opted in by default |
| Open standards | Real Next.js, real Postgres | Proprietary stack |
| Region transparency | Subprocessors and regions listed | Often hidden |
Subprocessors
Vendors that process data on our behalf
Every external system that touches customer data, what it does, and where it runs.
| Name | Purpose | Region |
|---|---|---|
| Supabase | Auth + Postgres database | EU |
| OpenRouter | LLM routing for AI features | US |
| Stripe | Payment processing | US / EU |
| Railway | Application hosting | US |
| GitHub | OAuth sign-in + repository sync | US |
| PostHog* | Product analytics | EU |
| Gleap* | User feedback widget | EU |
| Resend* | Transactional email | EU |
* Active only when configured. Disabled integrations send no data to that subprocessor.
Last updated 2026-05-12
Contact
Talk to us about security
Questions, compliance reviews, or vulnerability reports — we read every message.
General security questions
Reach out for compliance reviews, DPA requests, or anything else.
Report a vulnerability
Use GitHub Security Advisories for coordinated disclosure. Responses within five business days.