Trust & Security

Trust & security, built in and stated plainly.

How CloviTek keeps your data safe — per-tenant isolation, secure practices, and privacy-first handling across every build and business service. We describe what we actually do, and we're explicit about what's on the roadmap versus in place today.

Security overview

Security posture, without the theatre.

We build and run software for founders, so your data — and your customers' data — sits at the center of how we operate. Below is our real posture: how data is handled, how tenants are isolated, who our subprocessors are, and where our compliance work honestly stands. We say “aligned with” and “on roadmap” where that is the truth — we never claim a certification we don't hold.

Our posture

What's actually in place.

The controls and practices we operate today, described honestly.

🔒

Data handling & encryption

Data is encrypted in transit (TLS) and at rest. We collect only what a build or service needs, and we don't repurpose customer data to train shared models.

Per-tenant data isolation

Our strongest control, and we lead with it: every account is scoped to its own data. New accounts start empty, every endpoint is scoped to the signed-in user, and there are no global or shared data files across tenants.

🔑

Access control & authentication

Access is authenticated and least-privilege. Secrets live in a central secrets store, never in code or repositories, and administrative access is limited and reviewed.

Incident response

Automated monitoring watches health continuously; anomalies are triaged and escalated to a human. If an incident affects your data, we investigate, remediate, and notify affected customers.

Privacy & data rights

We operate with GDPR and CCPA principles in mind — access, correction, and deletion on request. A Data Processing Addendum is available to customers on request.

Availability & monitoring

Platforms are monitored 24/7 by automated systems. We publish reliability against a status page rather than committing a hard uptime number in marketing copy; contractual SLAs are offered at the enterprise tier.

Subprocessors

Who we rely on, and why.

We use established infrastructure and service providers to deliver CloviTek. This is the core set and what each is used for.

SubprocessorPurposeRegion
Amazon Web ServicesHosting, storage (S3), CDN (CloudFront)US / EU
CloudflareDNS, edge caching, TLS, DDoS protectionGlobal edge
Google CloudAI model APIs (Gemini), OAuthUS
Model providersLLM inference (OpenAI, Anthropic, and others)US
Stripe / ChargebeeBilling and subscription managementUS / EU

This list reflects our core infrastructure. A current, complete subprocessor list is available to customers on request via the security contact below.

Compliance status

Honest about where we are.

We are early-stage and building our formal compliance program. We describe this accurately rather than displaying a badge we haven't earned.

SOC 2 — practices aligned, certification on roadmapISO 27001 — practices aligned, certification on roadmapGDPR / CCPA principles appliedDPA available on request

We model our controls on SOC 2 and ISO 27001 practices and intend to pursue formal certification as we grow. Until then, we will not claim to hold either — only that our practices are aligned with them.

Security contact

Responsible disclosure

Found a vulnerability, or have a security or privacy question? Reach the team directly and we'll respond. We welcome responsible disclosure.

[email protected]
FAQ

Questions we get asked

Your data is encrypted in transit and at rest, scoped to your own tenant, and never used to train shared models. Access is least-privilege and secrets are held in a central store, never in code.
Through per-tenant isolation: every account is scoped to its own data, new accounts start empty, and every endpoint is scoped to the signed-in user. There are no global or shared data files across tenants.
We are early-stage and do not yet hold SOC 2 or ISO 27001 certification. Our practices are aligned with both, and formal certification is on our roadmap. We will never display a badge we haven't earned.
Every build passes a security gate before it ships — automated checks for unauthenticated endpoints, hardcoded secrets, injection risks, and open CORS — with a human accountable at the gate. Security is enforced by process, not assumed.
Keep exploring

Related capabilities

Every technology below is delivered by the same composed engineering team.

Ready when you are

Have a security or privacy question?

Talk to us about how we'd handle your data. We'll walk you through isolation, subprocessors, and our compliance roadmap — honestly.

Start a project →