0 incidents · 365 daysReviewed quarterly
Per-tenant key isolationHSM-backed KMS
Security · Trust by architecture

Quiet by default.
Hardened by design.

The infrastructure layer beneath every Clientia workspace — encryption everywhere, least privilege by default, and an audit trail your general counsel will actually trust.

Uptime
99.99%
Encryption
AES-256 · TLS 1.3
Recovery
RPO 5m · RTO 1h
Residency
EU · US
The four quiet principles

Trust, written into the architecture.

Security is most often a culture problem dressed up as a technical one. These are the four ideas every architectural decision is measured against.

  1. 01Least privilege

    Access is a privilege, not a default.

    Every role, every key, every endpoint defaults to closed. Access is granted explicitly, scoped narrowly, and reviewed on a quarterly cadence — not when something breaks.

  2. 02Encryption everywhere

    No plaintext, anywhere it travels.

    AES-256 at rest with per-tenant key isolation. TLS 1.3 in flight. Field-level encryption for the small set of columns where it actually matters — credentials, tokens, payment metadata.

  3. 03Continuous monitoring

    Watching, so you don't have to.

    Anomaly detection on auth, API surface and data egress. 24/7 paging on the rare event that warrants it. Logs are append-only, signed, and retained for the term of your contract.

  4. 04Auditability

    Boring infrastructure. Trustworthy receipts.

    Every meaningful action is recorded with actor, target, timestamp and request context. Exportable in SIEM-friendly formats. The kind of trail your general counsel will actually trust.

Architecture & data residency

Where your data lives, and how it's held.

The shape of the system, plainly described — because the boring infrastructure layer is where most of our attention goes.

Data residency
EU
FrankfurtPrimary
3 AZs · p50 21 ms
US
VirginiaDR
3 AZs · p50 34 ms
Both regions healthy · status.clientia.app

You choose the region your workspace lives in at provisioning. Your data is stored in that region. Backups replicate asynchronously to a DR replica in the partner region.

The controls, in detail

The boring layer, plainly described.

If your security team needs a paragraph for the spreadsheet, here's a paragraph. The full questionnaire is one click away.

Datasheet · v2026.04Updated quarterly
  1. 01Access

    Identity & access management

    Single sign-on, multi-factor by default, role-based permissions scoped to the team and the workspace.

    • SAML 2.0 SSO · Okta, Azure AD, Google Workspace
    • SCIM 2.0 provisioning & deprovisioning
    • WebAuthn / passkeys for admin actions
    • Session inactivity timeouts & device records
  2. 02Encryption

    Keys, certificates & secrets

    HSM-backed key management with per-tenant isolation. Secrets never live alongside the code that uses them.

    • AES-256 envelope encryption at rest
    • TLS 1.3 in flight, end-to-end
    • Per-tenant data encryption keys
    • Quarterly automated key rotation
  3. 03Monitoring

    Detection & response

    Anomalies are surfaced as they happen — auth failures, unusual API patterns, data egress at the wrong shape.

    • 24/7 anomaly detection on auth & egress
    • Append-only audit log, signed and exportable
    • Pager rotation with documented escalation
    • Quarterly tabletop exercises
  4. 04Resilience

    Backups, recovery & uptime

    Replicated across availability zones, with point-in-time recovery, and DR drills the team actually runs.

    • Point-in-time recovery · 5 min granularity
    • Cross-AZ synchronous replication
    • Cross-region asynchronous DR replica
    • DR drills tested quarterly & documented
  5. 05Vulnerability

    Hardening & patching

    Continuous dependency scanning, code review on every change, and a bounty programme for the rest.

    • Dependency scanning on every CI build
    • Mandatory peer review & signed commits
    • Coordinated disclosure · security@clientia.app
  6. 06Privacy

    Data handling & retention

    You decide what we keep, where it lives, and when it leaves. One-click export and a documented deletion path.

    • GDPR & CCPA-aligned subject requests
    • Configurable retention & soft-delete windows
    • DPAs & sub-processor list available on request
    • One-click export · CSV, JSON, SFTP
Compliance & attestations

The certifications, plainly listed.

The shorthand your procurement team is looking for. Detailed reports are available under NDA — request the security packet from the contact form.

GDPR aligned
Self-attested
DPA on request
CCPA aligned
Self-attested
30-day SLA
PCI DSS · SAQ-A
Self-attested
Tokenized · never stored

Reports and the latest sub-processor list available under NDA — see the security packet below.

Incident response

When something does go wrong, this is the path.

Nothing is more important than what we do when something goes wrong. The path from detection to written post-mortem, on the record.

  1. T+0 · Detect
    Anomaly is surfaced.
    Continuous monitoring flags the deviation — auth, egress, latency, or a customer signal. The on-call engineer is paged within minutes.
  2. T+15 · Triage
    Severity is named, owners assigned.
    On-call confirms scope and impact, opens the incident channel, and assigns commander, comms and customer-liaison roles.
  3. T+30 · Contain
    Stop the bleeding, preserve the trail.
    Isolate the affected surface, revoke credentials if applicable, and snapshot logs and state for the post-mortem.
  4. T+1h · Notify
    Affected customers hear from us first.
    If your data is involved, you get a written note from a human within the hour, with what we know and what we don't, and a follow-up channel.
  5. T+72h · Resolve
    Root cause, eradicate, restore.
    Patch shipped, monitoring updated, and a written status page entry. Service restored under a verified-clean state.
  6. Within 14 days
    Public, blameless post-mortem.
    Timeline, root cause, customer impact, and the concrete changes we're making — published, signed, and on the record.
Security FAQ

The technical details.

The questions procurement and security teams ask most often before signing.

Where does our data live, and can we choose?
You choose between EU (Frankfurt, primary) and US (Virginia, primary) at provisioning. Your data is stored exclusively in the chosen region. Backups replicate asynchronously to a DR replica in the partner region.
Do you support SAML SSO and SCIM?
Yes. SAML 2.0 SSO and SCIM 2.0 provisioning ship on Atelier and Maison plans, with verified integrations for Okta, Azure AD and Google Workspace. We can support custom IdPs for Maison engagements.
How are encryption keys managed?
We use envelope encryption with AES-256, keys held in an HSM-backed KMS. Per-tenant data encryption keys are isolated and rotated on a quarterly cadence. We support customer-managed keys (BYOK) on Maison.
What happens if there's a security incident?
If your data is involved, you'll hear from a human within one hour of confirmed impact, with what we know and what we don't. A written, blameless post-mortem follows within 14 days — published with timeline, root cause and the concrete changes we're making.
Can we delete or export our data?
Always. Export is one click from the workspace admin — CSV, JSON, or scheduled SFTP. Deletion follows a documented soft-delete window (default 30 days) before being purged from primary and replica storage. Subject requests under GDPR and CCPA are handled within 30 days.
How do we report a vulnerability?
Email security@clientia.app with the details — please don't open a public ticket. We follow coordinated disclosure: we'll acknowledge within one business day, work on a fix, and credit you publicly if you'd like.
For procurement & security teams

Need the full security packet?

DPA and sub-processor list — bundled, signed, and routed within one business day.

  • 01Data Processing Addendum
  • 02Sub-processor list