At Clayva, security is fundamental to everything we do. We employ industry-leading security practices and maintain rigorous compliance standards to ensure your data remains protected, private, and available when you need it.
Security Overview
Clayva implements a comprehensive, defense-in-depth security strategy that protects your data at every layer. Our security program is built on three core principles:
Certifications & Compliance
Clayva maintains certifications from independent third-party auditors to validate our security controls and compliance with international standards:
SOC 2 Type II
Annual audit of security, availability, and confidentiality controls
View Report →Infrastructure Security
Data Centers
Clayva's infrastructure is hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), leveraging their world-class physical security:
- 24/7 physical security with biometric access controls
- Environmental monitoring and fire suppression systems
- Redundant power and cooling systems
- Geographic distribution across multiple availability zones
- Regular third-party security audits and certifications
Network Security
Our network architecture implements multiple layers of protection:
- Firewalls: Web application and network firewalls filter malicious traffic
- DDoS Protection: CloudFlare and AWS Shield protect against distributed attacks
- Network Segmentation: Isolated networks for different service tiers
- Private Networking: Internal services communicate via private VPC
- Traffic Monitoring: Real-time analysis and alerting for anomalies
Encryption
| Feature |
|---|
Application Security
Secure Development
We follow secure software development lifecycle (SSDLC) practices:
- Code Reviews: All code undergoes peer review before deployment
- Static Analysis: Automated scanning for security vulnerabilities
- Dependency Scanning: Regular updates and vulnerability patching
- Security Testing: Regular penetration testing and vulnerability assessments
- Bug Bounty Program: Rewarding security researchers for responsible disclosure
Authentication
- Multi-factor authentication (MFA) with TOTP/SMS/WebAuthn
- Single Sign-On (SSO) via SAML 2.0 and OAuth 2.0
- Passwordless authentication options
- Session management with automatic timeout
- Account lockout after failed attempts
Access Control
Granular access controls ensure users only access what they need:
- Role-Based Access Control (RBAC): Predefined roles with specific permissions
- Team Management: Organize users into teams with shared permissions
- API Key Scoping: Limited permissions for programmatic access
- IP Restrictions: Allowlist specific IP addresses or ranges
- Audit Logging: Complete trail of all access and changes
Data Security
Data Protection
Multiple layers of protection for your data:
- Data Classification: Automatic classification and appropriate handling
- Data Loss Prevention: Monitoring and prevention of unauthorized data export
- Backup Strategy: Regular encrypted backups with point-in-time recovery
- Data Isolation: Logical separation between customer data
Data Privacy
Privacy by design principles:
- Minimal data collection - only what's necessary
- Purpose limitation - data used only for stated purposes
- Data minimization and anonymization where possible
- User consent and control over personal data
- Regular privacy impact assessments
Data Retention
Data is retained according to your subscription plan and legal requirements. You can configure retention policies and request data deletion at any time through your account settings or by contacting support.
Operational Security
Our operational security practices ensure ongoing protection:
Employee Security
- Background checks
- Security training
- NDAs and confidentiality
- Principle of least privilege
Monitoring & Logging
- 24/7 security monitoring
- Centralized log management
- Real-time alerting
- Security metrics dashboard
Change Management
- Documented procedures
- Approval workflows
- Automated deployments
- Rollback capabilities
Vulnerability Management
- Regular scanning
- Patch management
- Risk assessments
- Remediation tracking
Incident Response
Our incident response plan ensures rapid detection and response to security events:
Detection
Automated monitoring and alerting systems
Assessment
Security team evaluates severity and impact
Containment
Immediate action to prevent spread
Remediation
Fix vulnerabilities and restore services
Communication
Notify affected parties as required
Review
Post-incident analysis and improvements
Business Continuity
Our business continuity plan ensures Clayva remains available during disruptions:
- High Availability: Multi-region deployment with automatic failover
- Disaster Recovery: RPO of 1 hour, RTO of 4 hours
- Data Backups: Automated daily backups with 30-day retention
- Regular Testing: Quarterly DR drills and failover tests
- Communication Plan: Status page and customer notification procedures
Vendor Management
We carefully evaluate and monitor all third-party vendors:
- Security assessment before engagement
- Contractual security requirements
- Regular security reviews
- Data processing agreements
- Minimal vendor access to systems
Contact Security Team
Report a Security Issue
If you discover a security vulnerability, please report it to our security team immediately:
Email: security@clayva.com
PGP Key: Download our PGP key
We appreciate responsible disclosure and offer a bug bounty program for qualifying vulnerabilities.
Bug Bounty Program →