Updated 2025-09-17

Trust Center

Our commitment to data protection and responsible operations.

trust@clvrbenefits.com
    Authentication and Security
    Data Hosting and Location
    Data at Rest
    Data in Transit
    Data Governance
    Data Subject Rights
    AI and Automation
    Product Security
    Security Operations

🔒 Authentication and Security

  • Multi-Factor Authentication (MFA)

    Enabled for all admin and staff accounts.

  • Password policies

    Aligned with the standards of the relevant provider (e.g., Microsoft for Azure accounts).

  • Certificate and key rotation

    All certificates and keys are rotated regularly, with many handled automatically by cloud providers. Manually managed credentials are updated every 90 days.

  • BankID integration (Planned)

    Stronger user authentication and identity verification in the user application.

🌍 Data Hosting and Location

  • Primary infrastructure

    CLVR Benefits runs on Microsoft Azure for virtual machines and managed storage.

  • Database backup and file storage

    Database backups and file storage are managed through Amazon S3 (AWS).

  • Geographic restrictions

    All servers and data hosted exclusively within Europe. No customer data ever leaves the EU/EEA.

  • Compliance certifications

    Both Azure and AWS hold industry-leading certifications (ISO 27001, SOC 2, GDPR compliance).

📦 Data at Rest

  • Database encryption

    All customer data encrypted at rest using Azure built-in storage encryption (AES-256 with platform-managed keys).

  • Database backups

    Automated every 24 hours, retained for 7 days. Stored in Amazon S3 with SSE-S3 server-side encryption.

  • Application-level encryption (Planned)

    AES-GCM encryption for highly sensitive fields using keys in Key Vault.

🔒 Data in Transit

  • Network isolation

    All app–database traffic is restricted to the internal network. Postgres is not exposed to the internet; port 5432 is blocked at the Azure NSG.

  • Database TLS connections

    All application–database traffic uses TLS with full certificate verification (sslmode=verify-full).

  • HTTPS enforcement

    All web traffic encrypted using HTTPS.

  • Secure cookies

    All cookies set with HttpOnly, Secure, and SameSite=strict flags to protect session integrity.

📋 Data Governance

  • Records of Processing Activities (RoPA)

    Documented internally in codebase and reviewed during each release cycle.

  • Data retention policies

    Deletion and anonymization rules documented internally and reviewed on each release cycle.

  • Data Processing Agreements (DPAs) (In Progress)

    Tracked internally with all third-party vendors; documentation exists and is maintained, pending formal signatures.

👤 Data Subject Rights

  • Data subject request processes

    Established processes for access, correction, deletion, and portability requests with 30-day response time. Contact gdpr@clvrbenefits.com for any requests.

  • Privacy Policy

    Our privacy policy page is available here.

🤖 AI and Automation

  • AI receipt scanning

    Optional feature for expense report uploads. When enabled by the company, receipt images are sent to Claude (Anthropic) for extraction of vendor, date, amount, and VAT. Only the receipt image and benefit category names are sent; no employee names, emails, or other personal data are included. Processing is ephemeral and not used to train models. Companies can disable this feature in HR General Settings.

🛠️ Product Security

  • Secure source code access

    Access restricted to authorized team members only. GitHub used with enforced account security.

  • Version control and release process

    Structured Git workflow (git-flow). All changes tracked, reviewed, and merged into dedicated branches.

  • Environment separation

    Separate development and staging environments ensure thorough testing before production deployment.

  • Test data management

    Test data carefully selected, anonymized, and managed to avoid sensitive personal information in non-production.

  • Modern secure technology stack

    Built with industry-standard web technologies, containerized infrastructure, and managed cloud services. Regularly updated with security patches.

  • Dependency and package vetting

    All external packages are reviewed before adoption. We monitor for vulnerabilities and update promptly.

🛡️ Security Operations

  • Access control

    Internal access limited to authorized staff using principle of least privilege. Administrative access restricted.

  • Secrets management

    Credentials injected as environment variables, never committed to code or stored in plaintext.

  • System patching

    Regular patching of OS, Docker images, and PostgreSQL.

  • Application-level monitoring

    Real-time error detection and anomaly monitoring via PostHog.

  • System-level monitoring (Planned)

    Postgres authentication logs, firewall events (UFW), and system security logs with alerts for suspicious activity.

  • Incident response plan

    72-hour breach notification process documented internally, available on request, reviewed after significant changes.

©2026 CLVR Benefits AB

CLVR Benefits is not a bank or financial services provider. We are an employee benefits platform based in Stockholm, Sweden. All services are designed to support employers in offering flexible, compliant, and localized benefits to their teams.