How CloviTek keeps your data safe — per-tenant isolation, secure practices, and privacy-first handling across every build and business service. We describe what we actually do, and we're explicit about what's on the roadmap versus in place today.
Every request scoped to the signed-in user. New accounts start empty — no shared or global data.
We build and run software for founders, so your data — and your customers' data — sits at the center of how we operate. Below is our real posture: how data is handled, how tenants are isolated, who our subprocessors are, and where our compliance work honestly stands. We say “aligned with” and “on roadmap” where that is the truth — we never claim a certification we don't hold.
The controls and practices we operate today, described honestly.
Data is encrypted in transit (TLS) and at rest. We collect only what a build or service needs, and we don't repurpose customer data to train shared models.
Our strongest control, and we lead with it: every account is scoped to its own data. New accounts start empty, every endpoint is scoped to the signed-in user, and there are no global or shared data files across tenants.
Access is authenticated and least-privilege. Secrets live in a central secrets store, never in code or repositories, and administrative access is limited and reviewed.
Automated monitoring watches health continuously; anomalies are triaged and escalated to a human. If an incident affects your data, we investigate, remediate, and notify affected customers.
We operate with GDPR and CCPA principles in mind — access, correction, and deletion on request. A Data Processing Addendum is available to customers on request.
Platforms are monitored 24/7 by automated systems. We publish reliability against a status page rather than committing a hard uptime number in marketing copy; contractual SLAs are offered at the enterprise tier.
We use established infrastructure and service providers to deliver CloviTek. This is the core set and what each is used for.
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting, storage (S3), CDN (CloudFront) | US / EU |
| Cloudflare | DNS, edge caching, TLS, DDoS protection | Global edge |
| Google Cloud | AI model APIs (Gemini), OAuth | US |
| Model providers | LLM inference (OpenAI, Anthropic, and others) | US |
| Stripe / Chargebee | Billing and subscription management | US / EU |
This list reflects our core infrastructure. A current, complete subprocessor list is available to customers on request via the security contact below.
We are early-stage and building our formal compliance program. We describe this accurately rather than displaying a badge we haven't earned.
We model our controls on SOC 2 and ISO 27001 practices and intend to pursue formal certification as we grow. Until then, we will not claim to hold either — only that our practices are aligned with them.
Found a vulnerability, or have a security or privacy question? Reach the team directly and we'll respond. We welcome responsible disclosure.
[email protected] →Every technology below is delivered by the same composed engineering team.
Talk to us about how we'd handle your data. We'll walk you through isolation, subprocessors, and our compliance roadmap — honestly.
Start a project →