Security & Trust

Last updated: 2 September 2025

1. Overview

Clevera secures data with a layered approach across people, process, and technology. We design for least-privilege access, encrypted data flows, and clear incident processes.

Related: Privacy Policy | Terms of Service

2. At a glance

  • Encryption: TLS 1.2+ in transit; AWS server-side encryption at rest (S3 objects, databases).
  • Hosting: Laravel Cloud.
  • Storage: Amazon S3.
  • Compute: AWS Lambda.
  • CDN: AWS CloudFront.
  • Backups: Encrypted rolling backups with expiry windows.
  • Access: Role-based; admin MFA; least-privilege.
  • Audit: App/user activity logs and admin audit trails.
  • Compliance: GDPR/UK GDPR & CPRA aligned; SOC 2/ISO 27001 in progress (target: late 2025).

3. Data protection

  • Encryption in transit: TLS 1.2+ with HSTS where supported.
  • Encryption at rest: AWS-managed server-side encryption for S3 object storage (SSE-S3 or SSE-KMS) and for databases.
  • Secrets management: Environment secrets stored outside VCS with restricted access.
  • Data minimization: We process only what’s needed to render narration, timing, zooms, captions, and translations.
  • AI vendors: Configured not to retain/train on Customer Content where controls exist.
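The "TLS 1.2+ with HSTS" claim above is one a customer can verify from the outside: a response over HTTPS should carry a Strict-Transport-Security header with a max-age of at least a year and, ideally, includeSubDomains. The checker below is an added example, not Clevera's own code; it parses the header as RFC 6797 describes and flags weak or invalid settings. The sample responses in it are constructed, not captured from clevera.ai, and the function and report names are illustrative. It does not test the TLS version itself, which needs a live handshake.

```python
"""Evaluate a Strict-Transport-Security (HSTS) header against common policy expectations.

Added example, not Clevera's own code. Parses the header per RFC 6797 and reports
weak settings. Sample headers at the bottom are constructed, not captured from any host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # seconds; commonly recommended minimum for max-age
_MAX_AGE_RE = re.compile(r'^"?(\d+)"?$')  # RFC 6797 allows a quoted-string value


@dataclass
class HstsReport:
    present: bool = False
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.problems


def parse_hsts(value: str) -> HstsReport:
    """Parse one Strict-Transport-Security header value and record policy problems."""
    report = HstsReport(present=True)
    seen: set[str] = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate an empty directive such as a trailing ';'
        name, _, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if name in seen:
            # RFC 6797 s6.1: a directive that appears twice makes the header invalid
            report.problems.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            m = _MAX_AGE_RE.match(val)
            if not m:
                report.problems.append(f"max-age value '{val}' is not a number")
                continue
            report.max_age = int(m.group(1))
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        # unknown directives are ignored, as the RFC requires
    if report.max_age is None:
        report.problems.append("max-age directive missing; header is invalid")
    elif report.max_age == 0:
        report.problems.append("max-age=0 tells clients to forget the HSTS policy")
    elif report.max_age < ONE_YEAR:
        report.problems.append(f"max-age {report.max_age}s is below one year ({ONE_YEAR}s)")
    if not report.include_subdomains:
        report.problems.append("includeSubDomains not set; subdomains stay unprotected")
    return report


def check_hsts(headers: dict[str, str]) -> HstsReport:
    """Find the header case-insensitively, as a client would, and evaluate it."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    report = HstsReport()
    report.problems.append("Strict-Transport-Security header missing")
    return report


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "strong": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=300"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        r = check_hsts(hdrs)
        print(f"{label:8s} ok={r.ok} max_age={r.max_age} problems={r.problems}")
```

To run it against a real site, feed `check_hsts` the response headers from an HTTPS request (for example `dict(urllib.request.urlopen(url).headers)`); the header must be read over HTTPS, since clients ignore HSTS delivered over plain HTTP.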

4. Infrastructure

  • Cloud: Laravel Cloud (on AWS); Storage: S3; CDN: CloudFront; Compute: Lambda.
  • Network: Segmented services; hardened endpoints; rate limiting and WAF/CDN protections.
  • Data locations: Processing may occur in the UK, EEA, and US. Customer-selectable data residency is not currently offered.

5. Access control

  • Role-based access control (RBAC) in the product; admin actions audited.
  • Production access restricted to authorized staff with MFA and least-privilege.
  • Vendor access reviewed and time-boxed where applicable.

6. Application security

  • Secure SDLC practices (code review, dependency scanning, linting/tests).
  • Input validation and output encoding to reduce common web risks.
  • Secrets rotated when appropriate; least-privilege service credentials.
  • Periodic third-party testing planned as part of SOC 2 / ISO 27001 preparation.

7. Logging & monitoring

  • Application logs and key security events retained for operational troubleshooting and security review (typically 30–90 days).
  • Usage metering via OpenMeter for billing/quotas; aggregate analytics for reliability and performance.
  • Alerting on abnormal errors and elevated failure rates.

8. Incident response

  • Documented triage, containment, and remediation procedures.
  • Customer notification without undue delay if a breach of personal data is confirmed, consistent with applicable law.
  • Contact: security@clevera.ai

9. Business continuity & disaster recovery

  • Automated, encrypted backups with retention windows; restore procedures tested periodically.
  • Stateless services designed for rapid redeploy; infrastructure as code for repeatability.

10. Compliance

  • GDPR / UK GDPR: Controller for website/marketing; processor for Customer Content under a DPA with Standard Contractual Clauses (SCCs) and the UK Addendum where required.
  • CPRA: We do not sell personal information or engage in cross-context behavioral advertising.
  • SOC 2 / ISO 27001: Program in progress; targeting late 2025.

DPA available on request: privacy@clevera.ai

11. Sub-processors

We use vetted providers to deliver the service:

  • Amazon Web Services (AWS) - storage (S3), CDN (CloudFront), compute (Lambda).
  • Laravel Cloud - hosting.
  • OpenAI, L.L.C. - LLM or TTS where selected.
  • Google LLC (Gemini / Cloud TTS) - LLM or TTS where selected.
  • ElevenLabs, Inc. - advanced text-to-speech voices where selected.
  • Lemon Squeezy - payments and invoicing.
  • OpenMeter - usage metering for billing/quotas and analytics.
  • Featurebase - public changelog, roadmap, and feature requests (optional user interaction).
  • Support/CRM - Email and Slack channels.

We notify customers of material changes per our DPA. AI vendors are configured not to retain/train on Customer Content where controls exist.

12. Data retention & deletion

  • Customer Content retained for the subscription term.
  • Upon account closure, Customer Content is deleted within 90 days, except where retention is required by law or for dispute resolution.
  • Rolling backups expire automatically after their retention window.

13. Customer controls

  • Roles/permissions (admin, editor, viewer).
  • Audit logs for key actions.
  • Project-level sharing and access revocation.
  • Export and deletion on request (see Privacy Policy).
  • SSO/SAML: not currently supported; on roadmap.

14. Vulnerability disclosure

We operate a responsible disclosure program. If you believe you’ve found a security issue, email team@clevera.ai with details and steps to reproduce. Please avoid accessing data that isn’t yours, disrupting service, or using automated exploits. We’ll acknowledge, investigate, and remediate as appropriate.

15. Contact

Security & Trust

Email: team@clevera.ai