Security & Trust
Your customers trust you with their data. We take that responsibility seriously. Here's how Clienta.ai protects it.
Security at a Glance
Built on certified infrastructure with defense-in-depth security controls.
Encryption Everywhere
TLS 1.3 in transit, AES-256 at rest. Raw card numbers never touch our servers.
PDPA Compliant
Full compliance with Thailand's Personal Data Protection Act. All data subject rights supported.
AI Data Safety
Your data is never used for AI training. OpenAI and Cohere process via API only.
Certified Infrastructure
All sub-processors are SOC 2 Type II certified. Database in Singapore (ap-southeast-1).
Security Tested
OWASP Top 10 aligned assessment. Zero critical vulnerabilities in production code.
Continuous Monitoring
Real-time error tracking, health monitoring, and security event logging with instant alerts.
Public Documents
Security and privacy documentation available to everyone.
Security Overview
How Clienta.ai protects customer data across our platform.
Privacy Policy
How we collect, use, and protect your information.
Terms of Service
Our terms of service agreement.
Sub-processor List
Third-party services that process customer data.
AI Data Processing Disclosure
Exactly what AI services we use and how your data is protected.
Cookie Policy
What cookies we use and how to control them.
Security Overview
Clienta.ai is an AI customer-service platform that handles your customers' conversations and your knowledge base content. We treat that data as the most sensitive asset in our system. Our security program is built on three principles:
- Least privilege — people and systems can only access what they need.
- Defense in depth — no single control is a single point of failure.
- Verify, don't trust — every request is authenticated and authorized; every change is reviewed and monitored.
Encryption
| Layer | Control |
|---|---|
| In transit | TLS 1.3 (TLS 1.2 minimum). Plain HTTP is not served. |
| At rest | AES-256 for all customer data in database and file storage. |
| Payment data | Raw card numbers never touch our servers. Stripe (PCI DSS Level 1). |
| Secrets | No hardcoded secrets. Environment variables with zero-downtime rotation. |
Access Control
- Role-based access control (RBAC) — admin / member / agent roles enforced server-side.
- Multi-tenant isolation — every query scoped to your organization ID.
- Code review gates — all production changes require pull-request review and passing CI.
Infrastructure
| Component | Provider | Location |
|---|---|---|
| Database & Storage | Supabase | Singapore |
| API Servers | Railway | United States |
| Web Application | Vercel | Global Edge |
| DNS & CDN | Cloudflare | Global |
Incident Response
When a security event occurs, we follow a documented process: detect and triage, contain, remediate, notify affected customers within 24 hours, and conduct a post-incident review. Report a suspected issue: security@clienta.ai.
Sub-processor List
Last updated: July 2026. We notify customers 30 days before adding a new sub-processor.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| OpenAI | Chat response generation, embedding | United States | ✓ |
| Cohere | Search result reranking (optional) | United States | ✓ |
| Supabase | Database, auth, file storage | Singapore | ✓ |
| Railway | API hosting, Redis, job queue | United States | ✓ |
| Vercel | Web hosting, edge functions | Global Edge | ✓ |
| Cloudflare | DNS, CDN, DDoS protection | Global | ✓ |
| Stripe | Payment processing | United States | ✓ |
| Sentry | Error monitoring | United States | ✓ |
| Resend | Transactional email | United States | ✓ |
All sub-processors are bound by Data Processing Agreements with Standard Contractual Clauses (SCCs) providing safeguards per PDPA Section 29.
AI Data Processing Disclosure
AI Services Used
| Service | Provider | Purpose |
|---|---|---|
| Chat Response Generation | OpenAI | AI-powered responses using your knowledge base |
| Text Embedding | OpenAI | Vector search for semantic matching |
| Search Reranking | Cohere | Improved search relevance (optional) |
Data NOT Sent to AI Providers
- Account credentials or passwords
- Payment or billing data
- Data from other organizations (strict tenant isolation)
- Your complete knowledge base (only relevant chunks per query)
- Organization settings or agent personal information
Your data is never used for AI training
Neither OpenAI nor Cohere uses your data for model training. OpenAI retains API data for 30 days (abuse monitoring), then permanently deletes. Cohere does not retain data after processing.
Cookie Policy
Essential Cookies (Always Active)
| Cookie | Purpose | Duration |
|---|---|---|
| __Secure-next-auth.* | Authentication session, CSRF protection | Session / 30 days |
| NEXT_LOCALE | Language preference | Session |
| clienta_cookie_consent | Cookie consent preferences | Persistent |
Analytics (Consent Required)
We use Vercel Analytics (privacy-focused, cookie-less). No personal data collected, no cross-site tracking. Only activated after you click "Accept All" on the cookie banner.
Marketing Cookies
Clienta.ai does not use any marketing or advertising cookies.
Detailed Security Documents
In-depth documentation for security teams and enterprise evaluation. Provide your business email to access.
Data Processing Agreement (DPA)
Template DPA with Standard Contractual Clauses for enterprise customers.
Request AccessInfrastructure Overview
Detailed architecture, data center locations, and network security controls.
Request AccessSecurity Assessment Report
OWASP Top 10 aligned assessment results with remediation status.
Request AccessIncident Response Policy
Our documented process for detecting, containing, and resolving security events.
Request AccessData Retention Policy
Retention schedules, deletion processes, and data portability options.
Request AccessBusiness Continuity & DR Plan
Recovery objectives, backup strategy, and disaster scenarios.
Request AccessService Level Agreement (SLA)
Uptime commitments, performance targets, and service credits.
Request AccessEnterprise Security
Need SOC 2 reports, a full penetration test, custom DPA terms, or a dedicated security review? Our team works with enterprise security and compliance teams.
Frequently Asked Questions
Where is my data stored?
Is my data used to train AI models?
Does Clienta.ai comply with PDPA?
How do you handle a data breach?
Can I export or delete my data?
Do you have SOC 2 certification?
What encryption do you use?
How can I request a security review?
Have a Security Question?
Our security team is here to help with questions about data protection, compliance, or vulnerability reports.