ClevAgent

Security

Last updated: March 27, 2026

At ClevAgent, security is foundational to our monitoring service. Here's how we protect your data.

Infrastructure

  • Hosting: Hetzner Cloud, Ashburn VA (US-East) — ISO 27001 certified datacenter
  • Encryption in transit: TLS 1.3 on all connections (Cloudflare Full Strict SSL)
  • Encryption at rest: PostgreSQL database on encrypted storage
  • Isolation: Isolated monitoring with shared infrastructure on Hetzner Cloud

Subprocessors

We use the following subprocessors to deliver our service:

Subprocessor | Purpose | Data Processed | Location
Hetzner Cloud | Infrastructure hosting | All customer data | Ashburn, VA (US-East)
Cloudflare | CDN & DDoS protection | IP addresses, request metadata | Global edge (data stored US)
Stripe | Payment processing | Billing info (no card numbers stored by us) | US
Resend | Transactional email | Email address, notification content | US
Sentry | Error tracking | Error stack traces, request metadata | US
Plausible | Anonymous analytics | Page views (anonymized, no PII) | EU

Authentication

  • Credentials: Email + password authentication with bcrypt hashing. Password reset via secure email link.
  • Session security: HTTP-only, Secure, SameSite cookies
  • Provider: Credentials-based authentication with stateless HS256 JWT sessions backed by backend credential verification.

Data Protection

  • Backups: Automated database backups every 6 hours, retained for 7 days
  • Access control: Multi-tenant data isolation — project owners and explicitly invited project members can only access data allowed by their role.
  • Data collection: We store your email, monitoring configuration, and response time/availability metrics. Analytics via Plausible (privacy-first, no cookies). Error tracking via Sentry (technical metadata only).

Monitoring & Incident Response

  • Error tracking: Sentry for real-time error detection
  • Self-monitoring: ClevAgent monitors its own availability using internal health checks
  • Uptime target: High availability with automated container restart

Security Headers

All pages are served with:

  • Strict-Transport-Security (HSTS)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy (camera, microphone, geolocation disabled)

Responsible Disclosure

If you discover a security vulnerability, please email [email protected]. We will respond within 48 hours.

Payment Security

Payment processing is handled entirely by Stripe (PCI DSS Level 1 compliant). We never store credit card information.

Your Data at ClevAgent

What data do you collect?

We store your agent names, heartbeat timestamps, token counts, and cost figures. We do not store or process the input or output text of your agents — only operational metadata.

How long is my data retained?

Plan | Retention
Free | 7 days
Starter | 30 days
Pro | 90 days
Enterprise | 1 year

Data older than your retention window is automatically purged.

What is the service level agreement (SLA)?

Custom SLA on Enterprise — contact us for details.

How do I export my data?

Request a data export via [email protected]. Exports are delivered within 7 business days.

How do I delete my data?

Email [email protected] with your account email. We will delete all your data within 30 days and confirm by email.

Where is my data stored?

All data is stored on Hetzner Cloud in Ashburn, VA (US-East). All connections use TLS 1.3. The PostgreSQL database is encrypted at rest.

Who can access my data?

Account owners and explicitly invited project members can access project data according to their assigned role. ClevAgent staff do not access customer data except when required to resolve a support issue you have raised.