Updated 2026-03-14

Trust Center

Our commitment to data protection and responsible operations.

hello@clvrbenefits.com

🔒 Authentication and Security

Control | Status

Multi-Factor Authentication (MFA)

Enabled for all admin and staff accounts.

Password policies

Aligned with the standards of the relevant provider (e.g., Microsoft for Azure accounts).

Certificate and key rotation

All certificates and keys are rotated regularly, with many handled automatically by cloud providers. Manual credentials are updated every 90 days.

BankID integration

Stronger user authentication and identity verification in the user application.

Status: Planned

🌍 Data Hosting and Location

Control | Status

Primary infrastructure

CLVR Benefits runs on Microsoft Azure for virtual machines and managed storage.

Database backup and file storage

Database backups and file storage are managed through Amazon S3 (AWS).

Geographic restrictions

All servers and data are hosted exclusively within Europe. No customer data ever leaves the EU/EEA.

Compliance certifications

Both Azure and AWS hold industry-leading certifications (ISO 27001, SOC 2, GDPR compliance).

📦 Data at Rest

Control | Status

Database encryption

All customer data is encrypted at rest using Azure built-in storage encryption (AES-256 with platform-managed keys).

Database backups

Automated every 24 hours, retained for 7 days. Stored in Amazon S3 with SSE-S3 server-side encryption.

Application-level encryption

AES-GCM encryption for highly sensitive fields using keys in Key Vault.

Status: Planned

🔒 Data in Transit

Control | Status

Network isolation

All app–database traffic is restricted to the internal network. Postgres is not exposed to the internet; port 5432 is blocked at the Azure NSG.

Database TLS connections

All application–database traffic uses TLS with full certificate verification (sslmode=verify-full).

HTTPS enforcement

All web traffic encrypted using HTTPS.

Secure cookies

All cookies set with HttpOnly, Secure, and SameSite=strict flags to protect session integrity.

📋 Data Governance

Control | Status

Records of Processing Activities (RoPA)

Documented internally in codebase and reviewed during each release cycle.

Data retention policies

Deletion and anonymization rules documented internally and reviewed on each release cycle.

Data Processing Agreements (DPAs)

Tracked internally with all third-party vendors; documentation exists and is maintained, pending formal signatures.

Status: In Progress

👤 Data Subject Rights

Control | Status

Data subject request processes

Established processes for access, correction, deletion, and portability requests with 30-day response time. Contact hello@clvrbenefits.com for any requests.

Privacy Policy

Our privacy policy page is available here.

🔗 Sub-processors

Control | Status

Amazon Web Services (AWS)

Cloud storage for uploaded files and encrypted database backups, hosted in EU regions.

Microsoft (Entra ID and Azure)

Hosting infrastructure and the identity provider used for organisational sign-in (OAuth).

Anthropic (Claude)

Optional AI receipt scanning and expense auto-approval. Only receipt images and category names are sent, and your data is not used to train models.

PostHog

Product analytics used to understand and improve how the platform is used.

Close

Customer relationship management for sales and marketing contacts.

🤖 AI and Automation

Control | Status

AI receipt scanning

Optional feature for expense report uploads. When enabled by the company, receipt images are sent to Claude (Anthropic) for extraction of vendor, date, amount, and VAT. Only the receipt image and benefit category names are sent; no employee names, emails, or other personal data are included. We do not use your data to train models. We retain only what is necessary for the feature and for audit compliance. Companies can disable this feature in AI Settings.

AI automated expense evaluation

Optional feature that evaluates wellness expense reports (e.g. gym memberships) for automatic approval or decline. When enabled, the AI reviews uploaded receipts and form data against category-specific criteria. HR retains full oversight: all AI decisions are visible to HR with confidence scores and reasoning, and any decision can be reverted at any time. Employees are notified when AI declines an expense and can edit and resubmit. Expenses where AI confidence is below 85% are automatically deferred to human review. If enabled, the AI may also read company policy documents (PDFs, Word files) uploaded to Company Files to better understand company-specific expense policies. We do not use your data to train models. We retain only what is necessary for these features and for audit compliance. All decisions are logged with full audit trail.

🛠️ Product Security

Control | Status

Secure source code access

Access restricted to authorized team members only. GitHub used with enforced account security.

Version control and release process

Structured Git workflow (git-flow). All changes tracked, reviewed, and merged into dedicated branches.

Environment separation

Separate development and staging environments ensure thorough testing before production deployment.

Test data management

Test data carefully selected, anonymized, and managed to avoid sensitive personal information in non-production.

Modern secure technology stack

Built with industry-standard web technologies, containerized infrastructure, and managed cloud services. Regularly updated with security patches.

Dependency and package vetting

All external packages are reviewed before adoption. Packages are monitored for vulnerabilities and updated promptly.

🛡️ Security Operations

Control | Status

Access control

Internal access limited to authorized staff using principle of least privilege. Administrative access restricted.

Secrets management

Credentials injected as environment variables, never committed to code or stored in plaintext.

System patching

Regular patching of OS, Docker images, and PostgreSQL.

Application-level monitoring

Real-time error detection and anomaly monitoring via PostHog.

System-level monitoring

Postgres authentication logs, firewall events (UFW), and system security logs with alerts for suspicious activity.

Status: Planned

Incident response plan

72-hour breach notification process documented internally, available on request, reviewed after significant changes.


© 2026 CLVR Benefits AB

CLVR Benefits is not a bank or financial service provider. We are an employee benefits platform based in Stockholm, Sweden.
