🔒 Authentication and Security
Multi-Factor Authentication (MFA)
Enabled for all admin and staff accounts.
Password policies
Aligned with the standards of the relevant provider (e.g., Microsoft for Azure accounts).
Certificate and key rotation
All certificates and keys are rotated regularly, with many handled automatically by cloud providers. Manual credentials updated every 90 days.
BankID integration (Planned)
Stronger user authentication and identity verification in the user application.
🌍 Data Hosting and Location
Primary infrastructure
CLVR Benefits runs on Microsoft Azure for virtual machines and managed storage.
Database backup and file storage
Database backups and file storage managed through Amazon AWS S3.
Geographic restrictions
All servers and data hosted exclusively within Europe. No customer data ever leaves the EU/EEA.
Compliance certifications
Both Azure and AWS hold industry-leading certifications (ISO 27001, SOC 2, GDPR compliance).
📦 Data at Rest
Database encryption
All customer data encrypted at rest using Azure built-in storage encryption (AES-256 with platform-managed keys).
Database backups
Automated every 24 hours, retained for 7 days. Stored in Amazon S3 with SSE-S3 server-side encryption.
Application-level encryption (Planned)
AES-GCM encryption for highly sensitive fields using keys in Key Vault.
🔒 Data in Transit
Network isolation
All app–database traffic restricted to internal network only. Postgres not exposed to internet; port 5432 blocked at Azure NSG.
Database TLS connections
All application–database traffic uses TLS with full certificate verification (sslmode=verify-full).
HTTPS enforcement
All web traffic encrypted using HTTPS.
Secure cookies
All cookies set with HttpOnly, Secure, and SameSite=strict flags to protect session integrity.
📋 Data Governance
Records of Processing Activities (RoPA)
Documented internally in codebase and reviewed during each release cycle.
Data retention policies
Deletion and anonymization rules documented internally and reviewed on each release cycle.
Data Processing Agreements (DPAs) (In Progress)
Tracked internally with all third-party vendors; documentation exists and is maintained, pending formal signatures.
👤 Data Subject Rights
Data subject request processes
Established processes for access, correction, deletion, and portability requests with 30-day response time. Contact gdpr@clvrbenefits.com for any requests.
Privacy Policy
Our privacy policy page is available here.
🛠️ Product Security
Secure source code access
Access restricted to authorized team members only. GitHub used with enforced account security.
Version control and release process
Structured Git workflow (git-flow). All changes tracked, reviewed, and merged into dedicated branches.
Environment separation
Separate development and staging environments ensure thorough testing before production deployment.
Test data management
Test data carefully selected, anonymized, and managed to avoid sensitive personal information in non-production.
Modern secure technology stack
Built with industry-standard web technologies, containerized infrastructure, and managed cloud services. Regularly updated with security patches.
Dependency and package vetting
All external packages reviewed before adoption, monitored for vulnerabilities, and updated promptly.
🛡️ Security Operations
Access control
Internal access limited to authorized staff using principle of least privilege. Administrative access restricted.
Secrets management
Credentials injected as environment variables, never committed to code or stored in plaintext.
System patching
Regular patching of OS, Docker images, and PostgreSQL.
Application-level monitoring
Real-time error detection and anomaly monitoring via Sentry.
System-level monitoring (Planned)
Postgres authentication logs, firewall events (UFW), and system security logs with alerts for suspicious activity.
Incident response plan
72-hour breach notification process documented internally, available on request, reviewed after significant changes.