SOC 2 Type II
Audited annually by an independent third party.
GDPR ready
EU data residency available. DPA on request.
HIPAA on request
BAA available for healthcare-adjacent customers.
Encryption
- At rest: AES-256 for all data on disk, including backups. Keys are managed in AWS KMS and rotated on a regular schedule.
- In transit: TLS 1.3 for all client-to-server and server-to-server traffic. Legacy protocols (SSLv3, TLS 1.0 and TLS 1.1) are disabled at the load balancer.
- Application secrets: Stored in AWS Secrets Manager. Never written to disk or logged in plaintext.
Infrastructure
- Hosted in AWS (us-east-1 default, eu-west-1 for EU customers).
- Multi-AZ deployments with automated failover.
- Hourly database backups with 30-day point-in-time recovery.
- Daily backup verification (restore tests run automatically).
- DDoS protection via AWS Shield Standard + Cloudflare.
Access control
- Role-based access: pre-built roles (Receiver, Picker, Packer, Manager, Admin) or build your own.
- SSO: SAML 2.0 (Okta, Azure AD, Google Workspace, OneLogin, JumpCloud) on Enterprise.
- SCIM provisioning for automated user lifecycle on Enterprise.
- Two-factor authentication available for all users on all plans.
- API keys are scoped, revocable, and tied to a single role.
Audit logging
Every action that mutates data — every scan, edit, adjustment, transfer, user permission change — is logged with timestamp, user ID, source IP, and device. Logs are immutable and exportable for compliance evidence.
Vendor security
We use a small set of carefully vetted subprocessors (AWS, Stripe, Sentry, Linear, Slack). The complete list is in our DPA, available on request. All subprocessors have signed DPAs with Klovio and are SOC 2 / ISO 27001 certified.
Vulnerability disclosure
We run a private bug bounty program with HackerOne. To report a vulnerability, email security@klovio.app with details. We respond within 24 hours and aim to remediate critical issues within 72 hours.
PGP key: FFAE 2E1B 7C3D 5A89 … (full key at klovio.app/.well-known/security.txt)
Incident response
We maintain a documented incident response plan reviewed quarterly. Customers affected by any security incident will be notified within 72 hours per our DPA. Public-facing service incidents are posted live to status.klovio.app.
Request our documents
Available on request from security@klovio.app:
- SOC 2 Type II report (under NDA)
- Data Processing Agreement (DPA)
- Subprocessor list
- Penetration test summary
- Business Associate Agreement (HIPAA)