Clonvo

Security

A practical look at how we protect your data, and your customers'.

Encryption

  • TLS 1.2+ in transit on every endpoint (Amplify, Supabase, EC2 workers, S3).
  • AES-256-GCM at rest for channel-provider API keys and LLM credentials.
  • Authenticated encryption. Every secret is sealed with an authentication tag, so tampering is detected on decrypt.
  • Key-rotation support via ENCRYPTION_KEY_PREVIOUS for zero-downtime re-encryption (lazy migration on read).
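The last two points, sketched as an added Node.js example (not Clonvo's code): a secret sealed with AES-256-GCM is read with the current key, falls back to the previous key, and is re-sealed under the current key on that read. The envelope layout (iv | tag | ciphertext, base64) and the names seal, unseal and readSecret are assumptions; keys.previous stands in for ENCRYPTION_KEY_PREVIOUS.

```javascript
// Added illustration; envelope layout and helper names are assumptions.
const crypto = require('node:crypto');

const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

function seal(key, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function unseal(key, envelope) {
  const raw = Buffer.from(envelope, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('envelope too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  d.setAuthTag(tag);
  // final() throws when the tag does not verify (wrong key or modified data)
  return Buffer.concat([d.update(raw.subarray(IV_LEN + TAG_LEN)), d.final()]).toString('utf8');
}

// Read path: try the current key, fall back to the previous one, re-seal on fallback.
function readSecret(keys, row) {
  try {
    return { value: unseal(keys.current, row.ciphertext), migrated: false };
  } catch (err) {
    if (!keys.previous) throw err;
    const value = unseal(keys.previous, row.ciphertext); // still throws if tampered
    row.ciphertext = seal(keys.current, value); // lazy migration; persist this in real code
    return { value, migrated: true };
  }
}

// Constructed demo data: random keys and a made-up provider token.
function demo() {
  const keys = { current: crypto.randomBytes(32), previous: crypto.randomBytes(32) };
  const row = { ciphertext: seal(keys.previous, 'sk-constructed-example') };
  const first = readSecret(keys, row);  // opened with previous key, then re-sealed
  const second = readSecret(keys, row); // now opens with the current key
  const bad = Buffer.from(row.ciphertext, 'base64');
  bad[bad.length - 1] ^= 0x01;          // flip one ciphertext bit
  let tamperDetected = false;
  try { readSecret(keys, { ciphertext: bad.toString('base64') }); } catch { tamperDetected = true; }
  return { first, second, tamperDetected };
}
```

Storing a key identifier in the envelope would let the reader pick the right key directly instead of treating any tag failure as a cue to try the previous key.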

Access control

  • Clerk email-OTP and SSO sign-in. No shared passwords.
  • Role-based access with platform-staff and business-user separation. Platform staff cannot read customer messages by default. Access is audit-logged and only granted for explicit support cases.
  • Per-tenant data isolation enforced in every database query and every vector-store namespace.
  • 2FA enforced for Clonvo staff; available for all customers.

Infrastructure

  • Postgres on Supabase with point-in-time recovery and daily encrypted backups (30-day retention).
  • Object storage in private S3 buckets. Public access is blocked at the bucket policy; downloads use short-lived signed URLs.
  • Background workers on EC2 inside a private security group; Redis and Qdrant ports closed to the public internet.
  • BullMQ idempotency at the storage layer. A unique (org, provider, external_message_id) index makes message replay safe.

Sub-processors

We share the minimum necessary data with vetted sub-processors whose security posture is at least equivalent to ours. The complete list, with the region and policy URL for each, is in our Privacy Policy and our DPA.

Breach notification

On confirmation of a Personal Data breach affecting a customer's data, we notify the customer in writing without undue delay and in any event within 72 hours (GDPR Art. 33), with a description of the incident, the data affected, our containment steps, and recommended actions.

Backups & disaster recovery

  • Daily encrypted Postgres backups with 30-day retention.
  • Vector store snapshots taken nightly to S3.
  • Recovery Time Objective (RTO): 4 hours · Recovery Point Objective (RPO): 24 hours on Starter/Growth, 1 hour on Scale/Enterprise.

Logging & monitoring

  • Structured request and worker logs with PII redaction for phone numbers and email addresses; retained 30 days.
  • Security-relevant events (failed logins, role changes, secret decrypts) logged to audit_log for 12 months.

Vulnerability management

  • Dependency vulnerability scanning on every deploy.
  • We track upstream advisories for our runtime (Node 20 LTS), framework (Next.js 15), and direct dependencies, and patch high/critical CVEs within 7 days.

Responsible disclosure

Found a vulnerability? Please email security@clonvo.chat. We acknowledge within 2 business days, do not pursue researchers acting in good faith, and credit reporters in our hall of fame on request.

Compliance

  • GDPR & UK GDPR. See Privacy and DPA.
  • CCPA / CPRA. See Privacy §11.
  • EU AI Act Art. 50. AI disclosure built into the product and policies.
  • Meta WhatsApp Business Messaging Policy & Commerce Policy, enforced via the Acceptable Use Policy.