At ClevAgent, security is foundational to our monitoring service. Here's how we protect your data.
Infrastructure
- Hosting: Hetzner Cloud, Ashburn VA (US-East) — ISO 27001 certified datacenter
- Encryption in transit: TLS 1.3 on all connections (Cloudflare Full Strict SSL)
- Encryption at rest: PostgreSQL database on encrypted storage. Development and test environments use SQLite for local convenience.
- Isolation: Isolated monitoring with shared infrastructure on Hetzner Cloud
Subprocessors
We use the following subprocessors to deliver our service:
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner Cloud | Infrastructure hosting | All customer data | Ashburn, VA (US-East) |
| Cloudflare | CDN & DDoS protection | IP addresses, request metadata | Global edge (data stored US) |
| Stripe | Payment processing | Billing info (no card numbers stored by us) | US |
| Resend | Transactional email | Email address, notification content | US |
| Sentry | Error tracking | Error stack traces, request metadata | US |
Authentication
- Credentials: Email + password authentication with bcrypt hashing. Password reset via secure email link.
- OAuth: Google OAuth sign-in available as an alternative to email/password. OAuth tokens are never stored — only the authenticated identity is used.
- Session security: HTTP-only, Secure, SameSite cookies
- CSRF protection: Origin header validation on all state-changing requests.
- Provider: Credentials and OAuth authentication with stateless HS256 JWT sessions backed by backend verification.
Data Protection
- Backups: Automated database backups every 6 hours, retained for 7 days
- Access control: Multi-tenant data isolation — project owners and explicitly invited project members can only access data allowed by their role.
- Data collection: We store your email, monitoring configuration, and response time/availability metrics. Error tracking via Sentry (technical metadata only).
Monitoring & Incident Response
- Error tracking: Sentry for real-time error detection
- Self-monitoring: ClevAgent monitors its own availability using internal health checks
- Uptime target: High availability with automated container restart
Security Headers
All pages are served with:
- Strict-Transport-Security (HSTS)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (camera, microphone, geolocation disabled)
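One way to check a response against the header list above and the session cookie flags listed under Authentication, as an added example (not ClevAgent's own code). The sample responses are constructed, and requiring a positive HSTS max-age is an assumption, since the page only names the header.

```python
import re
# Expected values taken from the page's header list.
EXACT = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
DISABLED = ("camera", "microphone", "geolocation")
COOKIE_FLAGS = ("httponly", "secure", "samesite")
# Constructed sample responses (not captured from any real service).
GOOD = """Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Set-Cookie: session=abc.def.ghi; Path=/; HttpOnly; Secure; SameSite=Lax"""
BAD = """Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Permissions-Policy: camera=(), microphone=(self), geolocation=()
Set-Cookie: session=abc.def.ghi; Path=/; HttpOnly"""


def audit(raw):
    """Return sorted findings for a raw header block; empty list means it conforms."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    first = dict(reversed(pairs))  # first occurrence of each header wins
    findings = [f"{n}: expected {v}" for n, v in EXACT.items()
                if first.get(n, "").lower() != v]
    # max-age=0 tells the browser to forget HSTS, so require a positive value.
    m = re.search(r"max-age=(\d+)", first.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("strict-transport-security: no positive max-age")
    # A feature is disabled when its allowlist is empty, e.g. camera=()
    policy = dict(p.strip().lower().partition("=")[::2]
                  for p in first.get("permissions-policy", "").split(","))
    findings += [f"permissions-policy: {f} not disabled"
                 for f in DISABLED if policy.get(f) != "()"]
    for name, value in pairs:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            findings += [f"set-cookie {cookie}: missing {f}"
                         for f in COOKIE_FLAGS if f not in attrs]
    return sorted(findings)
```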
Responsible Disclosure
If you discover a security vulnerability, please email [email protected]. We will respond within 48 hours.
Payment Security
Payment processing is handled entirely by Stripe (PCI DSS Level 1 compliant). We never store credit card information.
Your Data at ClevAgent
What data do you collect?
We store your agent names, heartbeat timestamps, token counts, and cost figures. We do not store or process the input or output text of your agents — only operational metadata.
How long is my data retained?
Data older than your retention window is automatically purged.
What is the service level agreement (SLA)?
Need a custom SLA? Contact us.
How do I export my data?
Request a data export via [email protected]. Exports are delivered within 7 business days.
How do I delete my data?
Email [email protected] with your account email. We will delete all your data within 30 days and confirm by email.
Where is my data stored?
All data is stored on Hetzner Cloud in Ashburn, VA (US-East). All connections use TLS 1.3. The PostgreSQL database is encrypted at rest.
Who can access my data?
Account owners and explicitly invited project members can access project data according to their assigned role. ClevAgent staff do not access customer data except when required to resolve a support issue you have raised.