> ## Documentation Index > Fetch the complete documentation index at: https://docs.lovable.dev/llms.txt > Use this file to discover all available pages before exploring further. # Lovable for Enterprise > Build and ship AI-generated apps at organizational scale with the security, governance, identity, and compliance controls your security team expects. Lovable Enterprise plan gives organizations a governed environment to build AI-generated applications at scale, with centralized identity, granular access controls, workspace-wide security oversight, scheduled Deep scans, audit logs, regional code hosting, and a dedicated commercial relationship. Features marked **Business and Enterprise** are also available on the self-serve Business plan. Features marked **Enterprise only** require a contract. Tell us about your team's identity provider, compliance requirements, and use case. We'll set up an Enterprise workspace and walk through migration from your existing plan if needed. ## At a glance | Area | Covered by | | :------------------------ | :------------------------------------------------------------------------------------------------------------------------------- | | **Identity** | SSO (OIDC and SAML 2.0), SCIM, 2FA, workspace groups, verified-domain provisioning | | **Governance** | Roles, restricted projects, invitation controls, project transfer controls, publishing controls, app login methods, data opt-out | | **Security** | Basic scan, Deep scan, scheduled Deep scans, Security center, sensitive data scanning, chat send protection, Aikido, Wiz | | **Auditability** | Audit logs retained for 13 weeks (approximately 90 days), CSV exports, and SIEM forwarding via account team | | **Data and code control** | GitHub Enterprise Cloud (data residency), GitHub Enterprise Server, GitLab, external hosting, build secrets | | **Compliance** | SOC 2 Type II, ISO 27001:2022, GDPR, DPA, sub-processors | ## Who Enterprise is for Enterprise workspaces are designed for organizations that need to: * Centralize how the whole team signs in and gets provisioned * Restrict who can build, publish, and share apps externally * Detect and block sensitive data in chats before it leaves the workspace * Schedule recurring security scans across every project automatically * Keep an auditable record of every change across every project * Keep code data inside a specific GitHub region or on self-hosted infrastructure * Standardize design, components, and engineering knowledge across every project * Set spend, security, and data-handling policies once and apply them everywhere * Connect AI-built apps directly to existing data warehouses and enterprise systems ## What Enterprise adds beyond Business Business already includes workspace SSO, groups, the Security center, App login methods, design templates, branded app URLs, restricted projects, data opt-out, and workspace-level connector controls. Enterprise adds: * **Identity and provisioning**, SCIM provisioning, SCIM-managed member filtering, SCIM precedence over just-in-time (JIT) provisioning, group-to-role mappings, and bulk-provisioning users from a verified domain. * **Governance**, restrict workspace invitations, project transfer controls, require workspace editor role for editing, custom workspace member caps, and workspace deletion through your account team. * **Security and data protection**, Workspace insights, scheduled Deep security scans, sensitive data scanning, chat send protection, and block publishing with PII. * **Publishing controls**, restrict who can publish externally and disable public preview links. * **Code and infrastructure**, GitHub Enterprise Cloud with data residency, GitHub Enterprise Server, and build secrets. * **Team enablement and support**, design systems, audit logs, SIEM forwarding via account team, dedicated account team, priority support, and custom onboarding. ## Identity and access Centralize how your team authenticates and gets access to Lovable. **Business and Enterprise.** Okta, Auth0, Microsoft Entra ID, or any OIDC or SAML 2.0 provider. Enforce SSO with 24h, 48h, or 7d session duration. JIT-provision users at a default role. **Enterprise only.** Automated user and group lifecycle from your identity provider. Group-to-role mappings, API-key rotation, SCIM precedence over JIT. SCIM-managed filter on the People tab. **All plans.** Authenticator-app or SMS 2FA on top of any sign-in method, including SSO. Configured per account. **Business and Enterprise.** Share projects, folders, and published-app access by group. SCIM groups sync from your identity provider. **Business and Enterprise.** Auto-add anyone signing up with a verified company email. Enterprise also supports bulk-provisioning every existing user on a domain in one action. **All paid plans.** Owner, admin, editor, viewer, and external-collaborator. **Enterprise only.** Limit email invitations to admins and owners. **Business and Enterprise.** Let employees with a verified company email find and request to join your workspace. Owners and admins can turn this off in Privacy & security. ## Workspace governance and data protection Set workspace-level policies once and apply them to every project. Most controls live in **Settings → Security & compliance → Privacy & security**. Reference for workspace privacy and security settings, including default project and website access, invitation controls, external collaborator modes, publishing gates, app login methods, auto-fix scope, preview-link control, MCP access, data opt-out, sensitive-data scanning, and chat send protection. **Business and Enterprise.** Workspace-wide lock-down of end-user sign-in methods (Email, Phone, Google, Apple, SAML SSO) across every published app. Disabled methods can't be re-enabled per project. **Business and Enterprise.** Workspace toggle to ensure your code, projects, and workspace data are never used for AI model training or internal evaluation. **Enterprise only.** Master switch for PII detection in chat history, Lovable Cloud databases, and storage. Chat send protection modes: **Log only** (default), **Ask before sending**, or **Block original** (original message discarded, not logged). **All plans.** Workspace-wide safeguard that forces every new Lovable Cloud storage bucket to private and prevents members from creating publicly accessible buckets. ## Publishing and sharing controls Govern how projects are shared inside the workspace and how published apps reach the outside world. Publishing settings are managed in the [Privacy & security panel](/features/privacy-and-security-settings); project visibility and folder sharing are managed on each project or folder. App login methods apply to every published app in the workspace, see the [Workspace governance](#workspace-governance-and-data-protection) section above. **Business and Enterprise.** Default new publishes to `Publish to workspace` so only authenticated workspace members can reach the live app, or lock sensitive apps down to specific members or [groups](/features/groups). **Enterprise only.** Restrict external publishing to admins and owners, or owners only. **Enterprise only.** Hide the **Share preview** button on every project workspace-wide. **All plans.** Block publishing with critical findings, require Basic scan before first publish, and (Enterprise only) block publishing with unresolved PII findings. **Business and Enterprise.** Default new projects to **Restricted** so only the owner and invited collaborators can access them, at workspace and project level. **Business and Enterprise.** Organize projects into personal folders only you can see, or share folders with workspace members or [groups](/features/groups) so every project inside inherits the access. **Enterprise only.** Control whether editors who own a project can transfer it to another workspace, including a personal workspace outside your organization. Disabled by default. **Enterprise only.** Enforce a read-only baseline for viewers and external collaborators. When enabled, only members with the editor role or higher can edit projects, regardless of how project access was granted (direct, folder, or group). Disabled by default. ## Domains and branding Manage app rollout under a consistent, workspace-branded URL pattern and connect custom domains in-app. **Business and Enterprise.** Publish every app under a consistent `{app}.{workspace}.lovable.app` pattern derived from your verified domain. **All paid plans.** Buy and connect domains in-app with Lovable handling DNS, SSL, and CDN front-ends. ## Audit and monitoring Keep an auditable record of activity across the workspace and a single place to track security posture across every project. **Enterprise only.** Searchable workspace activity logs for membership, roles, groups, SCIM, SSO, integrations, project lifecycle events, secrets, and prompts. Entries include actor, IP address, user agent, and structured JSON. Retained for 13 weeks (approximately 90 days). Longer retention and SIEM forwarding are available via your account team. **Business and Enterprise.** Workspace-wide dashboard for code analysis, dependency vulnerabilities, secrets, and scan coverage across every project. CSV export. Trigger scans without opening individual projects. **Enterprise only.** Portfolio-level view of every project, combining security findings, PII findings, ownership, lifecycle, publish status, and activity into a single review priority. Quick filters for projects with PII, abandoned projects, security findings, and projects with no owner. CSV export. ## Application security Every Lovable project is scanned automatically. Two built-in scanners, **Basic scan** and **Deep scan**, plus optional connectors provide defense in depth from configuration to code review. Basic scan runs continuously and when the publish dialog opens: RLS policy linting, database schema review, dependency audits. Optional agentic codebase review that adds access-control review, exposed-secret detection, unsafe input handling, and authorization-gap analysis. Per-project home for findings from every scanner, including Aikido and Wiz. Inline chat to fix any finding. **Enterprise only.** Weekly or monthly Deep scans across published projects or all projects. 1 credit per project per run. Workspace default for auto-remediating eligible Basic-scan findings. Scopes: Selected project, Externally published, All published, or All project. Agentic dynamic penetration testing with real attack payloads. Generates SOC 2 and ISO 27001-ready reports. Software composition analysis (SCA) and static application security testing (SAST) across every project. Connect your Wiz deployment with one OAuth flow. Practical guidance for writing secure code in Lovable apps. Leaked-password protection using Have I Been Pwned (HIBP) for end-user email sign-in and conversational security review in chat are both available alongside the scanners, see [Security overview](/features/security). ## Code hosting, residency, and deployment control Keep code data inside a specific GitHub region, on your own self-hosted infrastructure, or on hosting you operate yourself. **Enterprise only.** Connect Lovable to GitHub Enterprise Cloud on a `*.ghe.com` hostname so repository data and webhook traffic stay in your assigned region. **Enterprise only.** Connect Lovable to your self-hosted GitHub Enterprise Server. You create the GitHub app inside your own organization; signing keys remain under your control. Sync projects to GitLab.com or your self-managed GitLab instance. The recommended path for managing where code and data live. Start on Lovable Cloud, sync to GitHub, move components out only when you hit a real constraint. Move backend and database to infrastructure you operate (including self-hosted Supabase) when compliance, residency, or organizational policy requires it. ## Enterprise integrations and developer controls Connect Lovable to the tools your team already uses, plug into existing data warehouses, and drive Lovable programmatically from your own systems. 50+ connectors (Linear, Slack, Twilio, Notion, Atlassian, HubSpot, Microsoft, Google Workspace, AWS S3, Stripe, Supabase, and more). **Business and Enterprise** workspaces can manage connector availability and choose who can create connections. First-class connectors for [Databricks](/integrations/databricks) (service-principal OAuth), [Snowflake](/integrations/snowflake) (custom OAuth integration), [BigQuery](/integrations/bigquery) (Workload Identity Federation, no stored keys), and [Gemini Enterprise](/integrations/gemini-enterprise) for search and grounded answers across connected data sources. Featured plus custom MCP servers. Workspace admins control **Remote MCP connectors**, **Local desktop MCP servers**, and **Third-party MCP clients** (disabled by default on Enterprise) under Privacy & security. Drive Lovable from external MCP clients (Claude Desktop, Cursor, Claude Code). Enterprise workspaces must explicitly enable third-party MCP client access. Programmatically create Lovable projects from internal portals or workflow tooling. [macOS desktop app](/integrations/desktop-app), plus [iOS and Android apps](/integrations/lovable-mobile-app). Available on all plans. ## Developer standards and reuse Define design, components, engineering conventions, and project organization once so every new project starts from an approved baseline. Coding standards, architecture rules, and preferred libraries that stay consistent across every project. Project-level overrides supported. **Business and Enterprise.** Mark any project as a reusable template. Set a workspace default template. **Enterprise only.** Define your React component library, styling rules, and setup once. Connected projects pick up updates on every new generation. `@`-mention other projects in the workspace and reuse implementations, files, and chat context. **Enterprise only.** Encrypted workspace-level environment variables for builds. Configured in **Settings → Build & deploy → Build secrets**. ## Cost and spend controls Set per-member credit limits, track workspace usage, and customize commitments through your Enterprise contract. **Business and Enterprise.** Workspace default plus per-member overrides. Resets the 1st of every month at 00:00 UTC. Track Build usage, Cloud usage, and AI gateway usage from **Settings → Plans & credit usage**. View credit balances, usage details, and credit history in one place. Enterprise contracts can include custom credit commitments, custom seat caps, and annual billing terms. Export the full member list with usage and credit limits for finance and provisioning audits. ## Compliance Lovable's compliance program is published at the [Trust portal](https://trust.lovable.dev) and on the [Security page](https://lovable.dev/security). * **SOC 2 Type II** * **ISO 27001:2022** * **GDPR**, with a [Data Processing Agreement](https://lovable.dev/data-processing-agreement) * [Privacy Policy](https://lovable.dev/privacy) * Current sub-processor list at [trust.lovable.dev](https://trust.lovable.dev) ## Support Enterprise workspaces include a commercial relationship beyond the product itself: * **Dedicated account team**, single point of contact for onboarding, growth, and escalations * **Priority support** with response SLAs * **Custom onboarding** tailored to your team's roles and workflows * **Custom member caps** to match procurement or licensing requirements * **SIEM integration for audit logs**, work with your account team to forward audit events * **Workspace deletion**, Enterprise workspaces are retired through your account team. See [Delete a workspace](/introduction/delete-workspace). ## Get started Tell us about your team's identity provider, compliance requirements, and use case. We'll set up an Enterprise workspace and walk through migration from your existing plan if needed. ## FAQ Business is the self-serve top tier with workspace SSO, groups, Security center, App login methods, design templates, branded app URLs, restricted projects, data opt-out, and workspace-level connector controls. Enterprise is a contract plan that adds SCIM provisioning, audit logs, scheduled Deep security scans, sensitive data scanning and chat send protection, block publishing with PII, design systems, build secrets, GitHub Enterprise Cloud (data residency) and Server connections, restrict-invitations and restrict-external-publishing controls, project transfer controls, disable-public-preview-link control, third-party MCP client gating, bulk domain provisioning, custom commitment credits, custom member caps, and a dedicated account team. Contact our sales team. We'll set up the Enterprise workspace, migrate your members and projects, and configure SCIM, audit logs, and any Enterprise-only controls you need. Lovable supports any **OIDC** or **SAML 2.0**-compliant identity provider. Step-by-step guides are published for **Okta**, **Auth0**, and **Microsoft Entra ID**, plus generic instructions for other providers. SCIM is supported for Okta, Microsoft Entra ID (via SAML app), and any SCIM 2.0-compliant identity provider. **Basic scans** run continuously as you build and automatically when the publish dialog opens. **Deep scans** are optional and on-demand from the Security view, Security center, or publish dialog. On Enterprise, admins can additionally **schedule Deep scans** weekly (Monday 08:00 workspace timezone) or monthly (1st 08:00) across published projects or all projects. Scheduled scans are billed at **1 credit per project per run**; on-demand scans are free. Yes, on Enterprise. Enable **Sensitive data scanning** in Privacy & security to turn on the workspace-wide master switch, then choose a **Chat send protection** mode: * **Log only** (default): scans run and findings are recorded in the project's Sensitive data tab; messages send without interruption. * **Ask before sending**: detected PII pauses the message, the user edits, sends a redacted version, or sends the original. * **Block original**: the original cannot be sent. The user must edit or redact. The original message is discarded and **not logged**. Sensitive data scanning also unlocks on-demand scans of chat history, Lovable Cloud databases, and storage, plus the **Block publishing with PII** gate. Yes. **App login methods** under Privacy & security lets Business and Enterprise admins disable Email, Phone, Google, Apple, or SAML SSO across every published app in the workspace. Disabled methods can't be re-enabled per project. This only affects how end users sign in to apps your workspace publishes, not how workspace members sign in to Lovable. Not by default on Enterprise. **Project transfer controls** let admins decide whether editors who own a project can transfer it to another workspace, including a personal workspace outside your organization. For regulated environments, leave this disabled so only admins and owners can initiate project transfers and projects stay inside your governance boundary. Audit logs are retained for **13 weeks, approximately 90 days** in-product. For longer retention or SIEM forwarding, contact your account team. By default, project code lives in Lovable's managed infrastructure. On Enterprise you can keep code in **GitHub Enterprise Cloud with data residency** (so repository data and webhook traffic stay in a specific region) or in **GitHub Enterprise Server** running on your own infrastructure with credentials and signing keys under your control. No. Lovable does not currently sign Business Associate Agreements and is not HIPAA-compliant. Do not upload protected health information or other restricted categories of data. Enterprise plans use custom contractual pricing with annual commitments and optional custom credit commitments. Talk to sales for a quote.