
Security

Last updated: January 2025

Our Commitment to Security

At Clienty, security isn't just a feature—it's the foundation of everything we build. As a multi-tenant SaaS platform handling sensitive client data, we've implemented enterprise-grade security measures to protect your information at every level. We employ a defense-in-depth strategy, combining multiple layers of security controls to ensure that even if one layer is compromised, your data remains protected.

Data Encryption

Encryption in Transit

  • TLS 1.3 encryption for all API communications
  • HTTPS enforced across all endpoints
  • WebSocket connections secured with WSS protocol

Encryption at Rest

  • AES-256 encryption for all files in AWS S3
  • AWS KMS managed encryption keys
  • Aurora PostgreSQL with storage encryption
  • End-to-end encryption for chat messages (XChaCha20-Poly1305)

AWS Infrastructure Security

Compute & Network

  • Virtual Private Cloud (VPC): All resources in isolated VPCs
  • Security Groups: Strict least-privilege access rules
  • Private Subnets: Database instances never publicly accessible
  • Load Balancer: Application Load Balancer with SSL termination

Data Storage

  • Amazon S3: Server-side encryption (SSE-S3) with AES-256
  • Amazon Aurora: Encrypted storage with automated backups
  • Backup Retention: 7-day automated backup with point-in-time recovery

Identity & Access

  • IAM Roles: Least-privilege access for all AWS services
  • IAM Policies: Granular permissions based on service requirements
  • No Root Account Usage: Administrative actions via MFA-enabled IAM users

Monitoring & Logging

  • AWS CloudTrail: Comprehensive audit logging of all API calls
  • Amazon CloudWatch: Real-time monitoring and alerting
  • VPC Flow Logs: Network traffic analysis and anomaly detection

Authentication & Access Control

User Authentication

  • AWS Cognito: Enterprise-grade identity management
  • Secure Password Policy: Minimum 8 characters with complexity requirements
  • JWT Tokens: Short-lived access tokens with automatic refresh
  • Session Management: Automatic logout on token expiration

Multi-Factor Authentication (MFA)

  • MFA support via authenticator apps (TOTP)
  • SMS-based verification as backup option
  • MFA enforcement available for organization administrators

Role-Based Access Control (RBAC)

  • Organization Isolation: Complete data separation between tenants
  • User Roles: Admin, Manager, Staff, and custom roles
  • Permission Granularity: Fine-grained access to features and data
  • Audit Trail: All access and changes are logged

Application Security

Secure Development

  • Input validation using Zod schemas
  • SQL injection prevention via TypeORM
  • XSS protection with React escaping
  • CSRF token-based validation

API Security

  • Rate limiting protection
  • Schema validation on all endpoints
  • Sanitized error messages
  • Strict CORS configuration

Dependency Management

  • Regular security audits
  • Automated vulnerability scanning
  • Immediate critical patching

Third-Party Integrations

Clienty integrates with trusted third-party services for payments, electronic signatures, and calendar sync. All API communication with these providers uses encrypted connections (TLS). We use OAuth for Microsoft calendar access and secure API keys for Stripe and HelloSign (Dropbox Sign). Each provider maintains their own security and compliance controls. Trust ledger data (transaction records) is protected with the same encryption and access controls as other sensitive data in our database.

  • Stripe: Payment data is processed directly by Stripe; we do not store card numbers. API communication is encrypted.
  • HelloSign (Dropbox Sign): Documents are transmitted via encrypted API. Signed PDFs are stored in your organization's isolated AWS S3 bucket.
  • Microsoft: Calendar access uses OAuth 2.0. We request only the scopes needed for calendar sync. Synced event data is stored in our encrypted database.

Compliance

  • GDPR: Compliant (Data processing agreements available)
  • CCPA: Compliant (California Consumer Privacy Act)

Incident Response

Response Process

  1. Detection: Automated monitoring and alerting
  2. Assessment: Severity classification and impact analysis
  3. Containment: Immediate isolation of affected systems
  4. Eradication: Root cause analysis and remediation
  5. Recovery: Service restoration with verification
  6. Post-Incident: Review and security improvements

Communication

  • Affected customers notified within 72 hours of confirmed breach
  • Status page updates during service disruptions
  • Post-incident reports for significant events

Data Retention & Deletion

Retention Policies

  • Active account data: Retained while account is active
  • Deleted data: Permanently removed within 30 days
  • Backups: Rolling 7-day retention
  • Audit logs: 90-day retention

Data Export

  • Full data export in JSON/CSV format
  • Self-service export through settings
  • Support-assisted export for large datasets

Account Deletion

  • Complete data deletion upon account closure
  • Confirmation email with deletion timeline
  • 30-day recovery period before permanent deletion

Reporting Security Issues

We welcome responsible disclosure of security vulnerabilities.

Contact

clientysupport@clienty.io

Scope

Our bug bounty program covers:

  • Authentication/authorization bypasses
  • Data exposure vulnerabilities
  • Cross-site scripting (XSS)
  • SQL injection
  • Remote code execution

Response Time

We aim to acknowledge reports within 48 hours and provide updates within 5 business days.

For general security inquiries, contact our security team at clientysupport@clienty.io or reach out to your account representative.