01 Data protection
- In transit. TLS 1.2 minimum, with TLS 1.3 negotiated by all modern browsers. HSTS enabled with a 2-year max-age and preload. Certificate transparency monitored.
- At rest. AES-256 on the database (Supabase-managed), AES-256 on file storage (S3), separate KMS keys for backups. Card numbers never touch our disks — Stripe holds them.
- Database isolation. Every row is tagged with a tenant_id. Postgres row-level security enforces it; the app can't accidentally read across tenants because the database refuses.
- Backups. Daily, encrypted, kept 35 days. We rehearse restore from cold backup quarterly.
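The row-level-security model described under "Database isolation", as an added example rather than Claver's or Supabase's own schema: the jobs table, the app_user role and the app.tenant_id connection setting are assumptions for illustration (Supabase deployments commonly derive the tenant from the request's JWT instead, but the policy shape is the same).

```sql
-- Added example, not the project's schema. A tenant-scoped table whose
-- every row carries a tenant_id, enforced by Postgres row-level security.
create table jobs (
    id        bigserial primary key,
    tenant_id uuid not null,
    title     text not null
);

alter table jobs enable row level security;
-- Without FORCE the table owner bypasses RLS; apply it to the owner too.
alter table jobs force row level security;

-- The tenant comes from a per-connection setting (name is an assumption)
-- that the app sets after authenticating the request. If it is unset or
-- empty, nullif() yields NULL, the comparison is false, and the query
-- returns zero rows rather than every tenant's rows.
create policy jobs_tenant_isolation on jobs
    using      (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    with check (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- Application role that must go through the policy (cannot bypass RLS).
create role app_user nologin;
grant select, insert, update, delete on jobs to app_user;
grant usage, select on sequence jobs_id_seq to app_user;

-- Constructed sample data for two tenants.
insert into jobs (tenant_id, title) values
    ('11111111-1111-1111-1111-111111111111', 'Tenant A furnace repair'),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B panel upgrade');

-- Request-handling path: scope the transaction to tenant A, then query.
begin;
set role app_user;
select set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

-- Only tenant A's rows are visible through this connection; a WHERE clause
-- naming tenant B's id is filtered by the policy before it can match.
select title from jobs;
select title from jobs where tenant_id = '22222222-2222-2222-2222-222222222222';

-- The WITH CHECK clause also rejects writes that target another tenant,
-- so an application bug cannot plant a row in tenant B's data.
insert into jobs (tenant_id, title)
    values ('22222222-2222-2222-2222-222222222222', 'smuggled row');
rollback;
reset role;
```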
02 Access control
- Customer side. Role-based access (admin, owner, manager, office, employee) plus per-tech permissions for sensitive views like job costing. Optional SSO is on the Business plan roadmap (Google Workspace + Microsoft Entra).
- Claver staff. SSO + MFA mandatory. No shared accounts. Production access is named and limited to the on-call rotation. Every read of customer data is logged with reason. Quarterly access review removes anyone who doesn't need it.
03 Application security
- Code review on every change. No direct pushes to main.
- Dependency scanning (npm audit, Dependabot) on every commit; high-severity findings block merge.
- Secrets scanned in CI; if one ends up in a commit, it's revoked within the hour.
- Annual third-party penetration test. Findings fixed before the report is shared.
- Public bug-bounty program — see "Responsible disclosure" below.
- Content Security Policy + Subresource Integrity on all third-party scripts.
04 Hosting & network
- Web hosting: Vercel (edge) for the marketing site and app shell. Origin servers in the U.S.
- Database + storage: Supabase (US-East-1).
- CDN + DDoS + WAF: Cloudflare.
- Internal services on private subnets. No production database is reachable from the public internet.
- Rate limiting on all auth endpoints. Brute-force lockouts after 10 failed attempts.
05 Payment security
All card capture happens in a Stripe-hosted iframe. We never see, log, or store card numbers. Claver inherits Stripe's PCI DSS Level 1 attestation by virtue of using their elements; we file SAQ A as the merchant of record for our own subscription billing.
06 Incidents
If we discover a personal-data breach, we'll notify affected customer admins within 72 hours via the email on the account, plus post a status-page incident. Notice will include what happened, what data was affected, what we're doing about it, and what you should do. We don't make excuses or blame Cloudflare.
We track every incident with a written post-mortem (timeline, root cause, what changed). Customers can request the post-mortem under NDA.
07 Business continuity
- RPO (recovery point objective): 24 hours. Realistic recovery during a regional outage: under 4 hours from the latest backup.
- RTO (recovery time objective): 4 hours.
- If the company itself fails, you can export everything as CSV any time. Source-code escrow is on the roadmap for Business-tier customers.
08 Audits & certifications
- SOC 2 Type II — observation period in progress; report expected 2026 Q4. Available under NDA when ready.
- PCI DSS — SAQ A filed annually for subscription billing.
- HIPAA — not in scope. Claver is not a HIPAA business associate; don't store PHI here.
- ISO 27001 — not yet. We'll evaluate after SOC 2.
09 Responsible disclosure
Found a vulnerability? Don't tweet it. Email [email protected] with PoC. We acknowledge within 24 hours and respond within 5 business days.
Safe harbor: good-faith research that complies with this policy is authorized. We won't pursue legal action against researchers who follow it. Out-of-scope: physical attacks on staff, social engineering of customers, DoS, automated scans that overwhelm services.
Bounties: rewards for valid findings range from $50 (low) to $5,000 (critical), paid via Stripe.
10 Contact
Security: [email protected] · security.txt
Abuse / TCPA / spam: [email protected]
Legal: [email protected]