Security and trust

Last updated: 2 September 2025

Overview

Clevera secures data with a layered approach across people, process, and technology. We design for least-privilege access, encrypted data flows, and clear incident processes.

Related: Privacy Policy · Terms of Service

At a glance

  • Encryption: TLS in transit; server-side encryption at rest (AWS S3, databases).

  • Hosting: Laravel Cloud.

  • Storage: Amazon S3.

  • Compute: AWS Lambda.

  • CDN: AWS CloudFront.

  • Backups: Encrypted rolling backups with expiry windows.

  • Access: Role-based; admin MFA; least-privilege.

  • Audit: App/user activity logs and admin audit trails.

  • Compliance: GDPR/UK GDPR & CPRA aligned; SOC 2/ISO 27001 in progress (target: late 2025).

Data protection

  • Encryption in transit: TLS 1.2+ with HSTS where supported.

  • Encryption at rest: AWS-managed server-side encryption; S3 objects via SSE-S3 / SSE-KMS, databases via the provider's managed storage encryption.

  • Secrets management: Environment secrets stored outside VCS with restricted access.

  • Data minimization: We process only what’s needed to render narration, timing, zooms, captions, and translations.

  • AI vendors: Configured not to retain/train on Customer Content where controls exist.
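
The two encryption bullets above translate, on the S3 side, into bucket-policy conditions that deny plaintext requests, deny TLS below 1.2, and deny uploads that are not SSE-KMS. The check below is an added example and not Clevera's configuration: it lints a bucket policy document for those three Deny statements. The bucket name, role ARN and both policy documents are constructed; the condition keys (`aws:SecureTransport`, `s3:TlsVersion`, `s3:x-amz-server-side-encryption`) are the real IAM/S3 keys.

```python
"""Lint an S3 bucket policy for the controls implied by 'TLS in transit, SSE-KMS at rest'.

Added illustration, not Clevera's configuration. The bucket name, the role ARN and both
policy documents are constructed for this example.
"""
import json

BUCKET = "example-customer-content"  # constructed bucket name
APP_ROLE = "arn:aws:iam::111122223333:role/app-role"  # constructed principal


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _denies_everyone(stmt):
    """A guardrail Deny must apply to every principal, not just one role."""
    return stmt.get("Effect") == "Deny" and stmt.get("Principal") in ("*", {"AWS": "*"})


def _covers_action(stmt, action):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(a in ("*", "s3:*", action.lower()) for a in actions)


def _has_condition(stmt, operator, key, value):
    """True if Condition[operator] lists key (case-insensitive) with the given value."""
    block = stmt.get("Condition", {}).get(operator, {})
    for k, v in block.items():
        if k.lower() == key.lower():
            return value.lower() in [str(x).lower() for x in _as_list(v)]
    return False


def check_bucket_policy(policy_json):
    """Return a list of findings; an empty list means all three controls are present."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    denies = [s for s in statements if _denies_everyone(s)]
    findings = []

    if not any(_covers_action(s, "s3:*") and _has_condition(s, "Bool", "aws:SecureTransport", "false")
               for s in denies):
        findings.append("plaintext HTTP not denied (no Deny on aws:SecureTransport=false)")

    if not any(_covers_action(s, "s3:*") and _has_condition(s, "NumericLessThan", "s3:TlsVersion", "1.2")
               for s in denies):
        findings.append("TLS below 1.2 not denied (no NumericLessThan s3:TlsVersion 1.2)")

    # Caveat: StringNotEquals also matches when the header is absent, so this Deny rejects
    # uploads that omit x-amz-server-side-encryption even when bucket default encryption
    # would have applied SSE-KMS. For a 'must be KMS' rule that is the intended behaviour.
    if not any(_covers_action(s, "s3:PutObject")
               and _has_condition(s, "StringNotEquals", "s3:x-amz-server-side-encryption", "aws:kms")
               for s in denies):
        findings.append("SSE-KMS not enforced on PutObject (no Deny on x-amz-server-side-encryption != aws:kms)")

    return findings


# Constructed 'before' policy: grants the app role access but enforces nothing.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadWrite",
        "Effect": "Allow",
        "Principal": {"AWS": APP_ROLE},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
})

# Constructed 'after' policy: same grant plus the three guardrail Denies.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        json.loads(WEAK_POLICY)["Statement"][0],
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}}},
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_bucket_policy(policy) or ["ok"])
```

Run it against a policy pulled with `aws s3api get-bucket-policy --bucket <name> --query Policy --output text`; the linter only recognises Deny statements that apply to every principal, since a Deny scoped to one role is not a bucket-wide guarantee.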

Infrastructure

  • Cloud: Laravel Cloud (on AWS); Storage: S3; CDN: CloudFront; Compute: Lambda.

  • Network: Segmented services; hardened endpoints; rate limiting and WAF/CDN protections.

  • Data locations: Processing may occur in the UK, EEA, and US. Customer-selectable data residency is not currently offered.

Access control

  • Role-based access control (RBAC) in the product; admin actions audited.

  • Production access restricted to authorized staff with MFA and least-privilege.

  • Vendor access reviewed and time-boxed where applicable.

Application security

  • Secure SDLC practices (code review, dependency scanning, linting/tests).

  • Input validation and output encoding to reduce common web risks.

  • Secrets rotated when appropriate; least-privilege service credentials.

  • Periodic third-party testing planned as part of SOC 2 / ISO 27001 preparation.

Logging & monitoring

  • Application logs and key security events retained for operational troubleshooting and security review (typically 30–90 days).

  • Usage metering via OpenMeter for billing/quotas; aggregate analytics for reliability and performance.

  • Alerting on abnormal errors and elevated failure rates.

Incident response

  • Documented triage, containment, and remediation procedures.

  • Customer notification without undue delay if a breach of personal data is confirmed, consistent with applicable law.

  • Contact: security@clevera.ai

Business continuity & disaster recovery

  • Automated, encrypted backups with retention windows; restore procedures tested periodically.

  • Stateless services designed for rapid redeploy; infrastructure as code for repeatability.

Compliance

  • GDPR / UK GDPR: Controller for website/marketing; processor for Customer Content under a DPA with SCCs/UK Addendum where required.

  • CPRA: We do not sell personal information or engage in cross-context behavioral advertising.

  • SOC 2 / ISO 27001: Program in progress; targeting late 2025.

DPA available on request: privacy@clevera.ai

Sub-processors

We use vetted providers to deliver the service:

  • Amazon Web Services (AWS) - storage (S3), CDN (CloudFront), compute (Lambda).

  • Laravel Cloud - hosting.

  • OpenAI, L.L.C. - LLM or TTS where selected.

  • Google LLC (Gemini / Cloud TTS) - LLM or TTS where selected.

  • ElevenLabs, Inc. - advanced text-to-speech voices where selected.

  • Lemon Squeezy - payments and invoicing.

  • OpenMeter - usage or analytics metering.

  • Featurebase - public changelog, roadmap, and feature requests (optional user interaction).

  • Support/CRM - Email and Slack channels.

We notify customers of material changes per our DPA. AI vendors are configured not to retain/train on Customer Content where controls exist.

Data retention & deletion

  • Customer Content retained for the subscription term.

  • Upon account closure, Customer Content is deleted within 90 days, except where retention is required by law or for dispute resolution.

  • Rolling backups expire automatically after their retention window.

Customer controls

  • Roles/permissions (admin, editor, viewer).

  • Audit logs for key actions.

  • Project-level sharing and access revocation.

  • Export and deletion on request (see Privacy Policy).

  • SSO/SAML: not currently supported; on roadmap.

Vulnerability disclosure

We operate a responsible disclosure program. If you believe you’ve found a security issue, email team@clevera.ai with details and steps to reproduce. Please avoid accessing data that isn’t yours, disrupting the service, or running automated exploitation or scanning tools against it. We’ll acknowledge, investigate, and remediate as appropriate.

Contact

Security & Trust
Email: team@clevera.ai