Security
Last updated: June 10, 2026
At ClevAgent, security is foundational to our supervised terminal workstation. Here's how we protect your data.
Infrastructure
- Hosting: Hetzner Cloud, Ashburn VA (US-East), an ISO 27001 certified datacenter
- Encryption in transit: TLS 1.3 on all connections
- Local-first design: Your agents run on your own workstation. Only operational telemetry syncs to our servers.
Subprocessors
We use the following subprocessors to deliver our service:
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner Cloud | Infrastructure hosting | All customer data | Ashburn, VA (US-East) |
| Cloudflare | CDN & DDoS protection | IP addresses, request metadata | Global edge (data stored US) |
| Stripe | Payment processing | Billing info (no card numbers stored by us) | US |
| Resend | Transactional email | Email address, notification content | US |
| Sentry | Error tracking | Error stack traces, request metadata | US |
If you enable an optional alert channel (such as Telegram), alert notifications are delivered to that service using credentials you provide.
Authentication
- Credentials: Email + password authentication with bcrypt hashing. Password reset via secure email link.
- OAuth: Google OAuth sign-in available as an alternative to email/password. OAuth tokens are never stored; only the authenticated identity is used.
- Session security: HttpOnly, Secure, SameSite cookies
- CSRF protection: Origin header validation on all state-changing requests.
Data Protection
- Backups: Automated database backups every 6 hours with an offsite copy, retained for 7 days. Backup failures alert us immediately.
- Access control: Multi-tenant data isolation; project owners and explicitly invited project members can only access data allowed by their role.
Reliability
Our infrastructure is continuously monitored with automated health checks, real-time error tracking, and automated service recovery on failure.
Responsible Disclosure
If you discover a security vulnerability, please email [email protected]. We will respond within 2 business days.
Payment Security
Payment processing is handled entirely by Stripe (PCI DSS Level 1 compliant). We never store credit card information.
Your Data at ClevAgent
What data do you collect?
We store your session identifiers, token counts, and cost figures. We do not store or process the input or output text of your agents. We keep only operational metadata.
How long is my data retained?
| Plan | Retention |
|---|---|
| Free | 7 days |
| Pro | 90 days |
| Custom | Contact us |
Data older than your retention window is automatically purged.
How do I export my data?
Request a data export via [email protected]. Exports are delivered within 7 business days.
How do I delete my data?
Email [email protected] with your account email. We will delete all your data within 30 days and confirm by email.
Where is my data stored?
All data is stored on Hetzner Cloud in Ashburn, VA (US-East). All connections use TLS 1.3.
Who can access my data?
Account owners and explicitly invited project members can access project data according to their assigned role. ClevAgent staff do not access customer data except when required to resolve a support issue you have raised.