Security
Practical safeguards for your footage and prompts
We protect creative work by enforcing authenticated access to every Supabase query, keeping raw media local until you opt in to sync, and documenting the integrations we rely on so teams know exactly where data flows.
Authenticated by default
Every API route uses the Supabase server client to read the active session from signed cookies before touching user data, so media operations always run on behalf of an authenticated account.
Scoped media handling
Generated assets upload into user- and collection-specific paths in Supabase Storage, while local editing leans on IndexedDB and OPFS so raw drafts never leave your device until you choose to sync.
Credit-aware automation
Credit validation runs before each AI request through stored procedures, ensuring only approved operations draw from your balance and failed jobs trigger refunds when needed.
How we maintain trust
Security is baked into the product stack: Supabase manages auth with row-level policies, Stripe handles sensitive billing details, and local-first storage keeps large assets under your control.
- Supabase server actions confirm the active user before reading or mutating tables.
- Media uploads include user-specific paths and optional dimension parsing for auditability.
- Credit services call stored procedures to prevent unapproved usage and support refunds.
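The user-specific upload paths and row-level policies described above can be enforced in Supabase Storage with policies like the following. This is an added illustration, not CutScene's actual configuration: the bucket name `media`, the policy names, and the `<user_id>/<collection_id>/<filename>` layout are assumptions.

```sql
-- Illustrative only: bucket 'media' and the path layout
-- <user_id>/<collection_id>/<filename> are assumed, not taken from CutScene.
-- storage.foldername(name) returns the folder segments of an object path,
-- so element [1] is the top-level folder (here, the owner's user id).

-- Read: a signed-in user can list and download only objects under their own prefix.
create policy "media_select_own_prefix"
on storage.objects for select
to authenticated
using (
  bucket_id = 'media'
  and (storage.foldername(name))[1] = auth.uid()::text
);

-- Upload: the object must land under the caller's prefix and sit exactly
-- one collection folder deep, so stray top-level or deeply nested keys are rejected.
create policy "media_insert_own_prefix"
on storage.objects for insert
to authenticated
with check (
  bucket_id = 'media'
  and (storage.foldername(name))[1] = auth.uid()::text
  and array_length(storage.foldername(name), 1) = 2
);

-- Overwrite or move: both the existing row (using) and the resulting row
-- (with check) must stay inside the caller's prefix, which blocks renaming
-- an object into another user's folder.
create policy "media_update_own_prefix"
on storage.objects for update
to authenticated
using (
  bucket_id = 'media'
  and (storage.foldername(name))[1] = auth.uid()::text
)
with check (
  bucket_id = 'media'
  and (storage.foldername(name))[1] = auth.uid()::text
);

-- Delete: owners only. No policy is granted to the anon role, so with RLS
-- enabled on storage.objects unauthenticated requests match no rows.
create policy "media_delete_own_prefix"
on storage.objects for delete
to authenticated
using (
  bucket_id = 'media'
  and (storage.foldername(name))[1] = auth.uid()::text
);
```

Because the check runs in the database against `auth.uid()`, a request that reaches Storage with a valid session but a path under another user's prefix is still refused, independent of any validation in the API route.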
Everyday security practices
- Account lifecycle. Users can trigger account deletion, which cascades through Supabase to cancel subscriptions and clean up related records so dormant data does not linger unnecessarily.
- Operational transparency. Usage queues, affiliate payouts, and storage uploads all log results or errors to the console for monitoring so we can replay requests or investigate issues quickly.
- Responsible integrations. CutScene only shares prompts or assets with the AI providers you select—such as Fal.ai or ElevenLabs—and payment details move directly through Stripe’s PCI-compliant APIs.