Talk to our sales team
Tell us about your team’s identity provider, compliance requirements, and use case. We’ll set up an Enterprise workspace and walk through migration from your existing plan if needed.
At a glance
| Area | Covered by |
|---|---|
| Identity | SSO (OIDC and SAML 2.0), SCIM, 2FA, workspace groups, verified-domain provisioning |
| Governance | Roles, restricted projects, invitation controls, project transfer controls, publishing controls, app login methods, data opt-out |
| Security | Basic scan, Deep scan, scheduled Deep scans, Security center, sensitive data scanning, chat send protection, Aikido, Wiz |
| Auditability | Audit logs retained for 13 weeks (approximately 90 days), CSV exports, and SIEM forwarding via account team |
| Data and code control | GitHub Enterprise Cloud (data residency), GitHub Enterprise Server, GitLab, external hosting, build secrets |
| Compliance | SOC 2 Type II, ISO 27001:2022, GDPR, DPA, sub-processors |
Who Enterprise is for
Enterprise workspaces are designed for organizations that need to:- Centralize how the whole team signs in and gets provisioned
- Restrict who can build, publish, and share apps externally
- Detect and block sensitive data in chats before it leaves the workspace
- Schedule recurring security scans across every project automatically
- Keep an auditable record of every change across every project
- Keep code data inside a specific GitHub region or on self-hosted infrastructure
- Standardize design, components, and engineering knowledge across every project
- Set spend, security, and data-handling policies once and apply them everywhere
- Connect AI-built apps directly to existing data warehouses and enterprise systems
What Enterprise adds beyond Business
Business already includes workspace SSO, groups, the Security center, App login methods, design templates, branded app URLs, restricted projects, data opt-out, and workspace-level connector controls. Enterprise adds:- Identity and provisioning, SCIM provisioning, SCIM-managed member filtering, SCIM precedence over just-in-time (JIT) provisioning, group-to-role mappings, and bulk-provisioning users from a verified domain.
- Governance, restrict workspace invitations, project transfer controls, custom workspace member caps, and workspace deletion through your account team.
- Security and data protection, scheduled Deep security scans, sensitive data scanning, chat send protection, and block publishing with PII.
- Publishing controls, restrict who can publish externally and disable public preview links.
- Code and infrastructure, GitHub Enterprise Cloud with data residency, GitHub Enterprise Server, and build secrets.
- Team enablement and support, design systems, audit logs, SIEM forwarding via account team, dedicated account team, priority support, and custom onboarding.
Identity and access
Centralize how your team authenticates and gets access to Lovable.Workspace SSO
Business and Enterprise. Okta, Auth0, Microsoft Entra ID, or any OIDC or SAML 2.0 provider. Enforce SSO with 24h, 48h, or 7d session duration. JIT-provision users at a default role.
SCIM provisioning
Enterprise only. Automated user and group lifecycle from your identity provider. Group-to-role mappings, API-key rotation, SCIM precedence over JIT. SCIM-managed filter on the People tab.
Two-factor authentication
All plans. Authenticator-app or SMS 2FA on top of any sign-in method, including SSO. Configured per account.
Workspace groups
Business and Enterprise. Share projects, folders, and published-app access by group. SCIM groups sync from your identity provider.
Verified-domain provisioning
Business and Enterprise. Auto-add anyone signing up with a verified company email. Enterprise also supports bulk-provisioning every existing user on a domain in one action.
Roles and permissions
All paid plans. Owner, admin, editor, viewer, and external-collaborator.
Restrict workspace invitations
Enterprise only. Limit email invitations to admins and owners.
Workspace discovery
Business and Enterprise. Let employees with a verified company email find and request to join your workspace. Owners and admins can turn this off in Privacy & security.
Workspace governance and data protection
Set workspace-level policies once and apply them to every project. Most controls live in Settings → Security & compliance → Privacy & security.Privacy & security settings
Reference for workspace privacy and security settings, including default project and website access, invitation controls, external collaborator modes, publishing gates, app login methods, auto-fix scope, preview-link control, MCP access, data opt-out, sensitive-data scanning, and chat send protection.
App login methods
Business and Enterprise. Workspace-wide lock-down of end-user sign-in methods (Email, Phone, Google, Apple, SAML SSO) across every published app. Disabled methods can’t be re-enabled per project.
Data training opt-out
Business and Enterprise. Workspace toggle to ensure your code, projects, and workspace data are never used for AI model training or internal evaluation.
Sensitive data scanning and chat send protection
Enterprise only. Master switch for PII detection in chat history, Lovable Cloud databases, and storage. Chat send protection modes: Log only (default), Ask before sending, or Block original (original message discarded, not logged).
Block public storage buckets
All plans. Workspace-wide safeguard that forces every new Lovable Cloud storage bucket to private and prevents members from creating publicly accessible buckets.
Publishing and sharing controls
Govern how projects are shared inside the workspace and how published apps reach the outside world. Publishing settings are managed in the Privacy & security panel; project visibility and folder sharing are managed on each project or folder. App login methods apply to every published app in the workspace, see the Workspace governance section above.Default website access
Business and Enterprise. Default new publishes to
Publish to workspace so only authenticated workspace members can reach the live app, or lock sensitive apps down to specific members or groups.Who can publish externally
Enterprise only. Restrict external publishing to admins and owners, or owners only.
Disable public preview links
Enterprise only. Hide the Share preview button on every project workspace-wide.
Pre-publish security gates
All plans. Block publishing with critical findings, require Basic scan before first publish, and (Enterprise only) block publishing with unresolved PII findings.
Restricted projects
Business and Enterprise. Default new projects to Restricted so only the owner and invited collaborators can access them, at workspace and project level.
Personal folders and group folder sharing
Business and Enterprise. Organize projects into personal folders only you can see, or share folders with workspace members or groups so every project inside inherits the access.
Allow editors to transfer projects
Enterprise only. Control whether editors who own a project can transfer it to another workspace, including a personal workspace outside your organization. Disabled by default.
Domains and branding
Manage app rollout under a consistent, workspace-branded URL pattern and connect custom domains in-app.Branded app URLs
Business and Enterprise. Publish every app under a consistent
{app}.{workspace}.lovable.app pattern derived from your verified domain.Custom domains
All paid plans. Buy and connect domains in-app with Lovable handling DNS, SSL, and CDN front-ends.
Audit and monitoring
Keep an auditable record of activity across the workspace and a single place to track security posture across every project.Audit logs
Enterprise only. Searchable workspace activity logs for membership, roles, groups, SCIM, SSO, integrations, project lifecycle events, secrets, and prompts. Entries include actor, IP address, user agent, and structured JSON. Retained for 13 weeks (approximately 90 days). Longer retention and SIEM forwarding are available via your account team.
Workspace security center
Business and Enterprise. Workspace-wide dashboard for code analysis, dependency vulnerabilities, secrets, and scan coverage across every project. CSV export. Trigger scans without opening individual projects.
Application security
Every Lovable project is scanned automatically. Two built-in scanners, Basic scan and Deep scan, plus optional connectors provide defense in depth from configuration to code review.Security overview
Basic scan runs continuously and when the publish dialog opens: RLS policy linting, database schema review, dependency audits.
Deep scan
Optional agentic codebase review that adds access-control review, exposed-secret detection, unsafe input handling, and authorization-gap analysis.
Project security view
Per-project home for findings from every scanner, including Aikido and Wiz. Inline chat to fix any finding.
Schedule Deep security scans
Enterprise only. Weekly or monthly Deep scans across published projects or all projects. 1 credit per project per run.
Auto-fix security issues
Workspace default for auto-remediating eligible Basic-scan findings. Scopes: Selected project, Externally published, All published, or All project.
Aikido AI pentest
Agentic dynamic penetration testing with real attack payloads. Generates SOC 2 and ISO 27001-ready reports.
Wiz security scanning
Software composition analysis (SCA) and static application security testing (SAST) across every project. Connect your Wiz deployment with one OAuth flow.
Security best practices
Practical guidance for writing secure code in Lovable apps.
Code hosting, residency, and deployment control
Keep code data inside a specific GitHub region, on your own self-hosted infrastructure, or on hosting you operate yourself.GitHub Enterprise Cloud (data residency)
Enterprise only. Connect Lovable to GitHub Enterprise Cloud on a
*.ghe.com hostname so repository data and webhook traffic stay in your assigned region.GitHub Enterprise Server (self-hosted)
Enterprise only. Connect Lovable to your self-hosted GitHub Enterprise Server. You create the GitHub app inside your own organization; signing keys remain under your control.
GitLab (cloud and self-managed)
Sync projects to GitLab.com or your self-managed GitLab instance.
Hosting and ownership decisions
The recommended path for managing where code and data live. Start on Lovable Cloud, sync to GitHub, move components out only when you hit a real constraint.
Host outside Lovable Cloud
Move backend and database to infrastructure you operate (including self-hosted Supabase) when compliance, residency, or organizational policy requires it.
Enterprise integrations and developer controls
Connect Lovable to the tools your team already uses, plug into existing data warehouses, and drive Lovable programmatically from your own systems.App connectors catalog
50+ connectors (Linear, Slack, Twilio, Notion, Atlassian, HubSpot, Microsoft, Google Workspace, AWS S3, Stripe, Supabase, and more). Business and Enterprise workspaces can manage connector availability and choose who can create connections.
Data and analytics
First-class connectors for Databricks (service-principal OAuth), Snowflake (custom OAuth integration), BigQuery (Workload Identity Federation, no stored keys), and Gemini Enterprise for search and grounded answers across connected data sources.
Chat connectors (MCP)
Featured plus custom MCP servers. Workspace admins control Remote MCP connectors, Local desktop MCP servers, and Third-party MCP clients (disabled by default on Enterprise) under Privacy & security.
Lovable MCP server
Drive Lovable from external MCP clients (Claude Desktop, Cursor, Claude Code). Enterprise workspaces must explicitly enable third-party MCP client access.
Build with URL
Programmatically create Lovable projects from internal portals or workflow tooling.
Desktop and mobile
macOS desktop app, plus iOS and Android apps. Available on all plans.
Developer standards and reuse
Define design, components, engineering conventions, and project organization once so every new project starts from an approved baseline.Workspace knowledge
Coding standards, architecture rules, and preferred libraries that stay consistent across every project. Project-level overrides supported.
Design templates
Business and Enterprise. Mark any project as a reusable template. Set a workspace default template.
Design systems
Enterprise only. Define your React component library, styling rules, and setup once. Connected projects pick up updates on every new generation.
Cross-project referencing
@-mention other projects in the workspace and reuse implementations, files, and chat context.Build secrets
Enterprise only. Encrypted workspace-level environment variables for builds. Configured in Settings → Build & deploy → Build secrets.
Cost and spend controls
Cap per-member credit usage, track usage-based Cloud and AI costs separately, and customize commitments through your Enterprise contract.Per-member credit limits
Business and Enterprise. Workspace default plus per-member overrides. Resets the 1st of every month at 00:00 UTC.
Cloud and AI balance
Usage-based costs for hosting and in-app AI tracked separately from subscription credits. Auto-topup with monthly charge limits.
Custom commitments
Enterprise contracts can include custom credit commitments, custom seat caps, and annual billing terms.
Workspace member CSV export
Export the full member list with usage and credit limits for finance and provisioning audits.
Compliance
Lovable’s compliance program is published at the Trust portal and on the Security page.- SOC 2 Type II
- ISO 27001:2022
- GDPR, with a Data Processing Agreement
- Privacy Policy
- Current sub-processor list at trust.lovable.dev
Support
Enterprise workspaces include a commercial relationship beyond the product itself:- Dedicated account team, single point of contact for onboarding, growth, and escalations
- Priority support with response SLAs
- Custom onboarding tailored to your team’s roles and workflows
- Custom member caps to match procurement or licensing requirements
- SIEM integration for audit logs, work with your account team to forward audit events
- Workspace deletion, Enterprise workspaces are retired through your account team. See Delete a workspace.
Get started
Talk to our sales team
Tell us about your team’s identity provider, compliance requirements, and use case. We’ll set up an Enterprise workspace and walk through migration from your existing plan if needed.
FAQ
What's the difference between Business and Enterprise?
What's the difference between Business and Enterprise?
Business is the self-serve top tier with workspace SSO, groups, Security center, App login methods, design templates, branded app URLs, restricted projects, data opt-out, and workspace-level connector controls.Enterprise is a contract plan that adds SCIM provisioning, audit logs, scheduled Deep security scans, sensitive data scanning and chat send protection, block publishing with PII, design systems, build secrets, GitHub Enterprise Cloud (data residency) and Server connections, restrict-invitations and restrict-external-publishing controls, project transfer controls, disable-public-preview-link control, third-party MCP client gating, bulk domain provisioning, custom commitment credits, custom member caps, and a dedicated account team.
How do we move from Business to Enterprise?
How do we move from Business to Enterprise?
Contact our sales team. We’ll set up the Enterprise workspace, migrate your members and projects, and configure SCIM, audit logs, and any Enterprise-only controls you need.
Does Lovable support our identity provider?
Does Lovable support our identity provider?
Lovable supports any OIDC or SAML 2.0-compliant identity provider. Step-by-step guides are published for Okta, Auth0, and Microsoft Entra ID, plus generic instructions for other providers. SCIM is supported for Okta, Microsoft Entra ID (via SAML app), and any SCIM 2.0-compliant identity provider.
How often do security scans run?
How often do security scans run?
Basic scans run continuously as you build and automatically when the publish dialog opens.Deep scans are optional and on-demand from the Security view, Security center, or publish dialog.On Enterprise, admins can additionally schedule Deep scans weekly (Monday 08:00 workspace timezone) or monthly (1st 08:00) across published projects or all projects.Scheduled scans are billed at 1 credit per project per run; on-demand scans are free.
Can our security team detect or block sensitive data in chats?
Can our security team detect or block sensitive data in chats?
Yes, on Enterprise. Enable Sensitive data scanning in Privacy & security to turn on the workspace-wide master switch, then choose a Chat send protection mode:
- Log only (default): scans run and findings are recorded in the project’s Sensitive data tab; messages send without interruption.
- Ask before sending: detected PII pauses the message, the user edits, sends a redacted version, or sends the original.
- Block original: the original cannot be sent. The user must edit or redact. The original message is discarded and not logged.
Can workspace admins control which login methods published apps accept?
Can workspace admins control which login methods published apps accept?
Yes. App login methods under Privacy & security lets Business and Enterprise admins disable Email, Phone, Google, Apple, or SAML SSO across every published app in the workspace. Disabled methods can’t be re-enabled per project. This only affects how end users sign in to apps your workspace publishes, not how workspace members sign in to Lovable.
Can editors move projects outside our organization?
Can editors move projects outside our organization?
Not by default on Enterprise. Project transfer controls let admins decide whether editors who own a project can transfer it to another workspace, including a personal workspace outside your organization. For regulated environments, leave this disabled so only admins and owners can initiate project transfers and projects stay inside your governance boundary.
How long are audit logs retained?
How long are audit logs retained?
Audit logs are retained for 13 weeks, approximately 90 days in-product. For longer retention or SIEM forwarding, contact your account team.
Where is our code stored?
Where is our code stored?
By default, project code lives in Lovable’s managed infrastructure. On Enterprise you can keep code in GitHub Enterprise Cloud with data residency (so repository data and webhook traffic stay in a specific region) or in GitHub Enterprise Server running on your own infrastructure with credentials and signing keys under your control.
Is Lovable HIPAA-compliant?
Is Lovable HIPAA-compliant?
No. Lovable does not currently sign Business Associate Agreements and is not HIPAA-compliant. Do not upload protected health information or other restricted categories of data.
How does billing work for Enterprise?
How does billing work for Enterprise?
Enterprise plans use custom contractual pricing with annual commitments and optional custom credit commitments. Talk to sales for a quote.