Security
Effective date: April 3, 2026
Security is foundational to Cleve. Here's exactly how we protect your data.
Overview
- All data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- AI providers operate under Zero Data Retention — your prompts are not stored after a response is returned.
- No AI provider trains on your data.
- All services that process personal data are SOC 2 Type II certified.
- Payment processing is PCI DSS Level 1 certified via Stripe — we never see or store card numbers.
- Enterprise-grade DDoS protection, bot detection, and rate limiting on every plan.
Encryption
At rest — AES-256
All data stores use AES-256 encryption at rest: Convex (primary database), Neon (Postgres), Vercel Blob (file storage), Clerk (authentication), and Stripe (payments).
In transit — TLS 1.2+
All connections use TLS 1.2 or higher, including client traffic, internal service calls, and AI provider API calls. For browsers, HTTPS is enforced with HSTS, which is set together with a strict referrer policy by Nosecone middleware.
AI & Your Data
Zero Data Retention
AI calls are routed through the AI gateway hosted on Vercel (see Subprocessors) with Zero Data Retention (ZDR) enabled. Providers do not store your prompts or outputs after returning a response.
No model training
All AI providers — Anthropic, OpenAI, Google, Groq, Perplexity, Cohere, and Nebius — are contractually or policy-restricted from using your content to train or improve their models. Cleve does not train models on your data either.
Minimum context
Only the minimum necessary context from your request is sent to an AI provider. Diagnostic logs used for reliability and abuse prevention are short-lived and cleared on a rolling basis.
Infrastructure
Hosting
Cleve runs on Vercel (SOC 2 Type II, ISO 27001), deployed globally across AWS infrastructure. Data is stored in the US by default; EU data residency is available for enterprise customers.
Database isolation
Customer data is isolated at the database level with unique credentials per deployment via Convex. Data is replicated across multiple physical availability zones for resilience.
DDoS protection
Vercel provides automatic L3/L4/L7 DDoS mitigation on all plans. Arcjet provides in-process bot detection (600+ bot signatures), rate limiting, and shield protection. Upstash provides serverless rate limiting as a secondary layer.
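As an added illustration of the layered rate limiting described above (an in-process limiter in front of a second, looser one), the following is example code written for this page, not Cleve's, Arcjet's or Upstash's. The limits (5 requests per second, 100 per minute), the `x-real-ip` header used as a fallback client key, and the `{ status, layer, headers }` decision shape are assumptions chosen for the example; the clock is injectable so the scenario runs deterministically offline.

```javascript
// Added example: layered sliding-window rate limiting. Illustrative code, not
// Cleve's, Arcjet's or Upstash's; limits, header name and response shape are assumptions.

class SlidingWindowLimiter {
  // `limit` requests per `windowMs`, per key; `now` is injectable for deterministic tests.
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of requests inside the current window
  }

  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) || []).filter(ts => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest hit still in the window decides when a slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

function clientKey(request) {
  // Key authenticated traffic by user id so users behind a shared NAT are not
  // penalised together; otherwise fall back to the client IP. Assumption: x-real-ip
  // is set only by the fronting proxy, so a client cannot spoof it.
  if (request.userId) return `user:${request.userId}`;
  return `ip:${(request.headers['x-real-ip'] || 'unknown').trim()}`;
}

function createRateLimitGuard(now) {
  // Layer 1: tight per-second burst limit. Layer 2: looser sustained limit.
  // A request denied by a later layer has already consumed budget in earlier
  // ones, which errs on the side of blocking.
  const layers = [
    ['burst', new SlidingWindowLimiter({ limit: 5, windowMs: 1000, now })],
    ['sustained', new SlidingWindowLimiter({ limit: 100, windowMs: 60000, now })],
  ];
  return function decide(request) {
    const key = clientKey(request);
    for (const [name, limiter] of layers) {
      const d = limiter.check(key);
      if (!d.allowed) {
        return {
          status: 429,
          layer: name,
          headers: { 'retry-after': String(Math.ceil(d.retryAfterMs / 1000)) },
        };
      }
    }
    return { status: 200, layer: null, headers: {} };
  };
}

// Constructed scenario (not real traffic) with a fake clock: six requests from one
// IP in the same millisecond, then one more after the burst window has passed.
function simulateBurst() {
  let clock = 0;
  const decide = createRateLimitGuard(() => clock);
  const request = { headers: { 'x-real-ip': '203.0.113.7' } };
  const results = [];
  for (let i = 0; i < 6; i++) results.push(decide(request));
  clock = 1001;
  results.push(decide(request));
  return results.map(r => r.status); // → [200, 200, 200, 200, 200, 429, 200]
}
```

The sliding-window log keeps exact timestamps per key, which is simple and precise but grows with the limit; a fixed-window or token-bucket counter uses constant memory per key and is what a shared store is usually asked to hold. The `retry-after` value tells well-behaved clients when to come back instead of hammering the endpoint.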
Application Security
- Account security (via Clerk): CSRF protection, breached password detection, and account lockout after repeated failed sign-in attempts.
- HTTP security headers: HSTS, X-Frame-Options, a strict Referrer-Policy, and a Content-Security-Policy are set on every response by Nosecone middleware.
- Payments: processed by Stripe (PCI DSS Level 1). We never handle or store raw card data.
- Error monitoring: Sentry (SOC 2 Type II, ISO 27001) with sensitive field masking.
- Dependency management: dependencies are kept up to date and monitored for known vulnerabilities.
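The header set named under "In transit" and "HTTP security headers" above (HSTS, X-Frame-Options, Referrer-Policy, Content-Security-Policy) is easy to misconfigure in ways that still look present. The following is an added example of a checker a reviewer would run against a captured response, written for this page and not Cleve's or Nosecone's code. The pass criteria are the reviewer's assumptions, not values the page states: an HSTS max-age of at least one year with includeSubDomains, DENY/SAMEORIGIN or a CSP frame-ancestors directive, a referrer policy from the strict set, and a script-src that allows neither 'unsafe-inline', 'unsafe-eval' nor a bare wildcard. The two header sets at the bottom are constructed, not captured from Cleve.

```javascript
// Added example: audit a response's security headers. Not Cleve's or Nosecone's code;
// the thresholds applied here are the reviewer's assumptions, not values from the page.

const STRICT_REFERRER_POLICIES = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Parse a Strict-Transport-Security value into its three directives.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const [k, v] = directive.trim().split('=').map(s => s.trim().toLowerCase());
    if (k === 'max-age') result.maxAge = Number.parseInt(v, 10);
    else if (k === 'includesubdomains') result.includeSubDomains = true;
    else if (k === 'preload') result.preload = true;
  }
  return result;
}

// `headers` is a plain object keyed by lowercase header name, as a fetch Headers
// object would yield. Returns a list of findings; an empty list means pass.
function auditSecurityHeaders(headers) {
  const findings = [];
  const get = name => headers[name.toLowerCase()];

  const hsts = get('strict-transport-security');
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (!Number.isInteger(maxAge) || maxAge < 31536000) findings.push('HSTS max-age below one year');
    if (!includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }

  const csp = get('content-security-policy');
  const policy = csp ? parseCsp(csp) : null;

  // A CSP frame-ancestors directive supersedes X-Frame-Options; accept either.
  const xfo = get('x-frame-options');
  const xfoOk = xfo && ['deny', 'sameorigin'].includes(xfo.toLowerCase());
  if (!xfoOk && !(policy && policy['frame-ancestors'])) {
    findings.push('no clickjacking protection (X-Frame-Options or frame-ancestors)');
  }

  const referrer = get('referrer-policy');
  if (!referrer || !STRICT_REFERRER_POLICIES.has(referrer.toLowerCase())) {
    findings.push('Referrer-Policy missing or not strict');
  }

  if (!policy) {
    findings.push('missing Content-Security-Policy');
  } else {
    // script-src falls back to default-src when absent.
    const scriptSrc = policy['script-src'] || policy['default-src'];
    if (!scriptSrc) {
      findings.push('CSP has neither script-src nor default-src');
    } else {
      for (const source of scriptSrc) {
        const s = source.toLowerCase();
        if (s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*') {
          findings.push(`CSP script-src allows ${s}`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample header sets (not captured from Cleve).
const hardenedHeaders = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
};
const weakHeaders = {
  'strict-transport-security': 'max-age=300',
  'referrer-policy': 'unsafe-url',
  'content-security-policy': "default-src *; script-src * 'unsafe-inline'",
};
```

Against `hardenedHeaders` the audit returns no findings; against `weakHeaders` it reports the short HSTS lifetime, the missing includeSubDomains, the absent clickjacking protection, the leaky referrer policy, and both permissive script-src sources. The nonce-based script-src in the hardened set is the pattern that lets a CSP drop 'unsafe-inline' without breaking framework-injected scripts.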
Subprocessors
All services that process personal data are contractually bound to act only on our instructions and maintain appropriate security standards.
| Provider | Purpose | Certifications |
|---|---|---|
| Convex | Primary database | SOC 2 Type II, HIPAA |
| Neon | Postgres database | SOC 2 Type II, ISO 27001 |
| Clerk | Authentication | SOC 2 Type II |
| Vercel | Hosting, file storage, AI gateway | SOC 2 Type II, ISO 27001 |
| Stripe | Payments | SOC 2 Type II, PCI DSS Level 1 |
| Liveblocks | Real-time collaboration | SOC 2 Type II, HIPAA |
| Anthropic | Claude AI models | SOC 2 Type II, ISO 27001 |
| OpenAI via Azure | GPT models | SOC 2 Type II, ISO 27001 |
| Google Vertex AI | Gemini models | SOC 2 Type II, ISO 27001 |
| Groq | Audio transcription | SOC 2 Type II |
| Perplexity | Web search | SOC 2 Type II |
| Cohere | RAG reranking | SOC 2 Type II, ISO 27001 |
| Nebius | AI inference | SOC 2 Type II, ISO 27001 |
| PostHog | Product analytics | SOC 2 Type II |
| Sentry | Error monitoring | SOC 2 Type II, ISO 27001 |
| BetterStack | Logging & uptime | SOC 2 Type II |
| Resend | Transactional email | SOC 2 Type II |
| Upstash | Rate limiting | SOC 2 Type II |
| Svix | Webhook delivery | SOC 2 Type II, PCI DSS, HIPAA |
| Knock | Notifications | SOC 2 Type II, HIPAA |
Compliance
- SOC 2 Type II: every service that processes personal data holds an independent SOC 2 Type II audit report. Cleve itself is not yet SOC 2 certified.
- GDPR: Data Processing Agreements are available for enterprise customers. We support data access, correction, deletion, and portability. See our Privacy Policy for details.
- CCPA: we do not sell personal data. California residents can request access, deletion, or opt-out.
- PCI DSS Level 1: payment processing via Stripe. We never store card data.
Vulnerability Disclosure
If you discover a security vulnerability in Cleve, please report it responsibly to support@cleve.ai. Please include a description of the issue, steps to reproduce, and your assessment of the potential impact. We will acknowledge your report within 48 hours and keep you updated as we investigate.
We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.