Clienta.ai
Trust Center

Security & Trust

Your customers trust you with their data. We take that responsibility seriously. Here's how Clienta.ai protects it.

Security at a Glance

Built on certified infrastructure with defense-in-depth security controls.

Encryption Everywhere

TLS 1.3 in transit, AES-256 at rest. Raw card numbers never touch our servers.

PDPA Compliant

Full compliance with Thailand's Personal Data Protection Act. All data subject rights supported.

AI Data Safety

Your data is never used for AI training. OpenAI and Cohere process via API only.

Certified Infrastructure

All sub-processors are SOC 2 Type II certified. Database in Singapore (ap-southeast-1).

Security Tested

OWASP Top 10 aligned assessment. Zero critical vulnerabilities in production code.

Continuous Monitoring

Real-time error tracking, health monitoring, and security event logging with instant alerts.

Security Overview

Clienta.ai is an AI customer-service platform that handles your customers' conversations and your knowledge base content. We treat that data as the most sensitive asset in our system. Our security program is built on three principles:

  1. Least privilege — people and systems can only access what they need.
  2. Defense in depth — no single control is a single point of failure.
  3. Verify, don't trust — every request is authenticated and authorized; every change is reviewed and monitored.

Encryption

Encryption controls by layer
LayerControl
In transitTLS 1.3 (TLS 1.2 minimum). Plain HTTP is not served.
At restAES-256 for all customer data in database and file storage.
Payment dataRaw card numbers never touch our servers. Stripe (PCI DSS Level 1).
SecretsNo hardcoded secrets. Environment variables with zero-downtime rotation.

Access Control

  • Role-based access control (RBAC) — admin / member / agent roles enforced server-side.
  • Multi-tenant isolation — every query scoped to your organization ID.
  • Code review gates — all production changes require pull-request review and passing CI.

Infrastructure

Infrastructure components and providers
ComponentProviderLocation
Database & StorageSupabaseSingapore
API ServersRailwayUnited States
Web ApplicationVercelGlobal Edge
DNS & CDNCloudflareGlobal

Incident Response

When a security event occurs, we follow a documented process: detect and triage, contain, remediate, notify affected customers within 24 hours, and conduct a post-incident review. Report a suspected issue: security@clienta.ai.

Sub-processor List

Last updated: July 2026. We notify customers 30 days before adding a new sub-processor.

Sub-processor list with purpose, location, and DPA status
Sub-processor Purpose Location DPA
OpenAIChat response generation, embeddingUnited States
CohereSearch result reranking (optional)United States
SupabaseDatabase, auth, file storageSingapore
RailwayAPI hosting, Redis, job queueUnited States
VercelWeb hosting, edge functionsGlobal Edge
CloudflareDNS, CDN, DDoS protectionGlobal
StripePayment processingUnited States
SentryError monitoringUnited States
ResendTransactional emailUnited States

All sub-processors are bound by Data Processing Agreements with Standard Contractual Clauses (SCCs) providing safeguards per PDPA Section 29.

AI Data Processing Disclosure

AI Services Used

AI services used by Clienta.ai
ServiceProviderPurpose
Chat Response GenerationOpenAIAI-powered responses using your knowledge base
Text EmbeddingOpenAIVector search for semantic matching
Search RerankingCohereImproved search relevance (optional)

Data NOT Sent to AI Providers

  • Account credentials or passwords
  • Payment or billing data
  • Data from other organizations (strict tenant isolation)
  • Your complete knowledge base (only relevant chunks per query)
  • Organization settings or agent personal information

Your data is never used for AI training

Neither OpenAI nor Cohere uses your data for model training. OpenAI retains API data for 30 days (abuse monitoring), then permanently deletes. Cohere does not retain data after processing.

Detailed Security Documents

In-depth documentation for security teams and enterprise evaluation. Provide your business email to access.

Data Processing Agreement (DPA)

Template DPA with Standard Contractual Clauses for enterprise customers.

Request Access

Infrastructure Overview

Detailed architecture, data center locations, and network security controls.

Request Access

Security Assessment Report

OWASP Top 10 aligned assessment results with remediation status.

Request Access

Incident Response Policy

Our documented process for detecting, containing, and resolving security events.

Request Access

Data Retention Policy

Retention schedules, deletion processes, and data portability options.

Request Access

Business Continuity & DR Plan

Recovery objectives, backup strategy, and disaster scenarios.

Request Access

Service Level Agreement (SLA)

Uptime commitments, performance targets, and service credits.

Request Access

Enterprise Security

Need SOC 2 reports, a full penetration test, custom DPA terms, or a dedicated security review? Our team works with enterprise security and compliance teams.

Frequently Asked Questions

Where is my data stored?
Your primary data (conversations, documents, account info) is stored in Supabase PostgreSQL in Singapore (ap-southeast-1). AI processing happens in the United States via API calls to OpenAI and Cohere. All transfers are governed by Data Processing Agreements with Standard Contractual Clauses.
Is my data used to train AI models?
No. Neither OpenAI nor Cohere uses your data for model training. OpenAI retains API inputs/outputs for 30 days for abuse monitoring, then permanently deletes them. Cohere does not retain data after processing.
Does Clienta.ai comply with PDPA?
Yes. Clienta.ai complies with the Thailand Personal Data Protection Act (PDPA). We collect consent before processing, support all data subject rights (access, rectification, erasure, portability, objection), and disclose all cross-border transfers.
How do you handle a data breach?
We follow a documented incident response process. Affected customers are notified within 24 hours of becoming aware of a breach, enabling them to meet the 72-hour PDPC notification window under PDPA Section 37(4).
Can I export or delete my data?
Yes. You can export conversations (JSON/CSV), knowledge base documents (original files), and billing history from your account settings. Account deletion has a 14-day grace period, after which all personal data is permanently deleted.
Do you have SOC 2 certification?
Clienta.ai has not yet obtained its own SOC 2 certification, but all our sub-processors (Supabase, Railway, Vercel, Cloudflare, Stripe) are individually SOC 2 Type II certified. We plan to pursue SOC 2 certification as we scale.
What encryption do you use?
All data in transit uses TLS 1.3 (TLS 1.2 minimum for legacy clients). Data at rest is encrypted with AES-256. Payment data is handled by Stripe (PCI DSS Level 1) — raw card numbers never touch our servers.
How can I request a security review?
Enterprise prospects can request access to our full Security Assessment Report, Infrastructure Overview, DPA template, and other detailed documents via the email-gated downloads on this page, or contact security@clienta.ai directly.

Have a Security Question?

Our security team is here to help with questions about data protection, compliance, or vulnerability reports.

Get Started Free