Skip to main content
Back to Login

Security

Last updated: April 11, 2026

Our Commitment to Security

At Clienty, security isn't just a feature—it's the foundation of everything we build. As a multi-tenant SaaS platform handling sensitive client data, we've implemented enterprise-grade security measures to protect your information at every level. We employ a defense-in-depth strategy, combining multiple layers of security controls to ensure that even if one layer is compromised, your data remains protected.

Data Encryption

Encryption in Transit

  • TLS 1.3 encryption for all API communications
  • HTTPS enforced across all endpoints
  • WebSocket connections secured with WSS protocol

Encryption at Rest

  • AES-256 encryption for all files in AWS S3
  • AWS KMS managed encryption keys
  • Aurora PostgreSQL with storage encryption
  • End-to-end encryption for chat messages (XChaCha20-Poly1305)

AWS Infrastructure Security

Compute & Network

  • Virtual Private Cloud (VPC): All resources in isolated VPCs
  • Security Groups: Strict least-privilege access rules
  • Private Subnets: Database instances never publicly accessible
  • Load Balancer: Application Load Balancer with SSL termination

Data Storage

  • Amazon S3: Server-side encryption (SSE-S3) with AES-256
  • Amazon Aurora: Encrypted storage with automated backups
  • Backup Retention: 7-day automated backup with point-in-time recovery

Identity & Access

  • IAM Roles: Least-privilege access for all AWS services
  • IAM Policies: Granular permissions based on service requirements
  • No Root Account Usage: Administrative actions via MFA-enabled IAM users

Monitoring & Logging

  • AWS CloudTrail: Comprehensive audit logging of all API calls
  • Amazon CloudWatch: Real-time monitoring and alerting
  • VPC Flow Logs: Network traffic analysis and anomaly detection

Authentication & Access Control

User Authentication

  • AWS Cognito: Enterprise-grade identity management
  • Secure Password Policy: Minimum 8 characters with complexity requirements
  • JWT Tokens: Short-lived access tokens with automatic refresh
  • Session Management: Automatic logout on token expiration

Multi-Factor Authentication (MFA)

  • MFA support via authenticator apps (TOTP)
  • SMS-based verification as backup option
  • MFA enforcement available for organization administrators

Role-Based Access Control (RBAC)

  • Organization Isolation: Complete data separation between tenants
  • User Roles: Admin, Manager, Staff, and custom roles
  • Permission Granularity: Fine-grained access to features and data
  • Audit Trail: All access and changes are logged

Application Security

Secure Development

  • Input validation using Zod schemas
  • SQL injection prevention via TypeORM
  • XSS protection with React escaping
  • CSRF token-based validation

API Security

  • Rate limiting protection
  • Schema validation on all endpoints
  • Sanitized error messages
  • Strict CORS configuration

Dependency Management

  • Regular security audits
  • Automated vulnerability scanning
  • Immediate critical patching

Third-Party Integrations

Clienty integrates with trusted third-party services for payments and calendar sync. All API communication with these providers uses encrypted connections (TLS). We use OAuth for Microsoft calendar access and secure API keys for Stripe. Each provider maintains their own security and compliance controls. Trust ledger data (transaction records) is protected with the same encryption and access controls as other sensitive data in our database.

  • Stripe: Payment data is processed directly by Stripe; we do not store card numbers. API communication is encrypted.
  • Microsoft: Calendar access uses OAuth 2.0. We request only the scopes needed for calendar sync. Synced event data is stored in our encrypted database.

AI & Data Processing Security

Clienty's AI features use Anthropic (Claude) for conversational and generative tasks—including document summarization, AI Assistant chat, speedy trial rule lookup, scoresheet-related AI assists, and template generation where enabled. OpenAI is used only for text-to-speech audio for the "Listen" feature on summaries. All AI processing follows strict data isolation and minimization practices.

Data Isolation

  • All AI queries are scoped to the authenticated user's organization — no cross-organization data access is possible
  • AI Assistant conversations are scoped to individual users — other users in the same organization cannot access your conversations
  • Organization ID and user ID are validated from JWT tokens on every AI request

Anthropic (Claude) API

  • Chat completions and structured AI outputs are processed by Anthropic; handling of API data is governed by Anthropic's terms and privacy policy
  • All API communications encrypted via TLS 1.2+
  • Data minimization — for AI Assistant, only relevant context (matter details, recent notes, summaries) is sent; full document bodies are not sent to the assistant. Other tools send only the inputs required for that feature (e.g., state code for speedy trial lookup, scoresheet working data for scenario analysis).

OpenAI (Text-to-Speech only)

  • Summary text is sent to OpenAI's speech API only when you use Listen; audio is streamed to your browser and not stored on our servers
  • OpenAI API calls use TLS encryption

Case Law Search

  • Only search queries are sent to CourtListener — no client data, matter details, or organizational information
  • CourtListener is a public legal database operated by the Free Law Project, a 501(c)(3) nonprofit

Rate Limiting & Abuse Prevention

  • AI Assistant messages are rate-limited to 30 per minute per user
  • Conversations are capped at 50 messages to prevent abuse
  • Credit system ensures fair usage across all AI features

Compliance

  • CompliantGDPR (Data processing agreements available)
  • CompliantCCPA (California Consumer Privacy Act)

Incident Response

Response Process

  1. 1Detection: Automated monitoring and alerting
  2. 2Assessment: Severity classification and impact analysis
  3. 3Containment: Immediate isolation of affected systems
  4. 4Eradication: Root cause analysis and remediation
  5. 5Recovery: Service restoration with verification
  6. 6Post-Incident: Review and security improvements

Communication

  • Affected customers notified within 72 hours of confirmed breach
  • Status page updates during service disruptions
  • Post-incident reports for significant events

Data Retention & Deletion

Retention Policies

  • Active account data: Retained while account is active
  • Deleted data: Permanently removed within 30 days
  • Backups: Rolling 7-day retention
  • Audit logs: 90-day retention

Data Export

  • Full data export in JSON/CSV format
  • Self-service export through settings
  • Support-assisted export for large datasets

Account Deletion

  • Complete data deletion upon account closure
  • Confirmation email with deletion timeline
  • 30-day recovery period before permanent deletion

Reporting Security Issues

We welcome responsible disclosure of security vulnerabilities.

Contact

clientysupport@clienty.io

Scope

Our bug bounty program covers:

  • • Authentication/authorization bypasses
  • • Data exposure vulnerabilities
  • • Cross-site scripting (XSS)
  • • SQL injection
  • • Remote code execution

Response Time

We aim to acknowledge reports within 48 hours and provide updates within 5 business days.

For general security inquiries, contact our security team at clientysupport@clienty.io or reach out to your account representative.

Privacy PolicyTerms & ConditionsClienty CRM