Data Security at Heartex

Security and privacy are at our core.

At Heartex, we blend security seamlessly into development and operations workflows to build safe applications that allow our customers to scale while giving them the flexibility to respond to important changes in their business objectives.

How we secure your data

When using cloud storage, the app enables restricted access to the storage keys and credentials as well as limited access through pre-signed URLs.

In the case of a custom data provider (non-cloud storage), the app enables restricted access to the data URI stored in a database. The data access requests are verified and proxied with BasicAuth headers to the specified endpoints. This prevents the URI from being accessed elsewhere by unauthorized users. In this way, the app enables restricted access to the credentials.

API tokens can be reset at any time.

All data is encrypted at rest, and sensitive data is encrypted in transit. Passwords are additionally hashed.

TLS connections are enforced across all product services, including:

App

A secure connection is established by enforcing the HTTPS protocol, including secured cookies.

PostgreSQL

SSL mode is enabled with certificates required.

Redis

TLS/SSL is supported and requires the client to be authenticated with a valid certificate.

The Heartex Deployment Model

Data and control planes are separate entities
Data is loaded directly into the annotator browser, bypassing our servers
Heartex doesn’t need access to the data and doesn’t store the data
Optionally enable the VPN connection to protect URLs
Once connected, TLS encryption is used for data in transit (when connecting and reading the URLs from the bucket and sending annotations back to cloud storage)

Secure User Management

Label Studio Enterprise supports single sign-on using SAML to manage access to Label Studio using your existing Identity Provider, or with LDAP authentication. Label Studio Enterprise supports the following identity providers:

Microsoft Active Directory
Okta
OneLogin
Ping Federate & Ping Identity & PingOne
Others that use SAML assertions

Label Studio Enterprise also supports System for Cross-domain Identity Management (SCIM) version 2.0, a popular protocol to manage access for services and applications across an organization.

SCIM interacts with our customers' SSO integration (for example, Okta), allowing them to manage access to Label Studio Enterprise workspaces and grant roles to individual users and groups.
