Security posture at a glance
- Encryption in transit: TLS 1.2+ on every endpoint. HTTPS-only, HSTS preloaded.
- Encryption at rest: Database volumes encrypted via cloud provider. Bank account details additionally encrypted at the application layer with Fernet (authenticated encryption: AES-128-CBC plus an HMAC-SHA256 tag; the Fernet spec uses a 128-bit AES key, not AES-256) under a rotated key.
- Authentication: bcrypt password hashing (cost factor 12). JWT sessions with 24-hour expiry. Rate-limited login (5 failed attempts per 15 min → lockout).
- Authorisation: RBAC with strict role separation — Admin ≠ Manager ≠ Creator. Pod-scoped visibility for managers.
- Segregation of duties: Creators cannot edit invoices, cannot access other creators' data, cannot connect inboxes.
- Audit logging: Every state-changing action (invoice paid, batch generated) and every PII decryption is logged. Retention: 30 days.
Data classification
We classify data into three tiers:
| Tier | Examples | Controls |
|---|---|---|
| P0 – Highly sensitive | Bank account numbers, tax IDs | App-layer Fernet encryption, purged 30 days after batch closure |
| P1 – Sensitive | Passwords, JWT secrets, OAuth tokens | Bcrypt / environment secrets / never logged |
| P2 – Business data | Campaigns, invoices, email metadata | Volume encryption, RBAC, audit-logged access |
Automatic PII purge
Sensitive payout data — encrypted bank account numbers, routing codes, SWIFT, IBAN — is automatically purged from PayoutLine records 30 days after the parent batch is fully paid or cancelled. A daily cron job (payout_retention_purge) runs at 03:00 UTC; admins can also trigger it on demand via POST /api/cron/run-payout-purge.
The batch's business-summary fields (creator name, amount, currency, status) are preserved for audit and tax purposes. Only the account-identifying fields are wiped.
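The purge described above, as an added worked example (constructed for this page, not ClaraOP's own cron code). The column names, the batch `closed_at` timestamp, and the `pii_purged_at` marker used for idempotency are assumptions; the 30-day window, the paid/cancelled trigger, and the "wipe identifiers, keep summary fields" rule are the page's.

```python
"""Payout PII retention purge: constructed illustration, not ClaraOP code.

Assumed (not from the page): batch rows carry a closed_at timestamp set when
the batch became paid/cancelled, and line rows carry a pii_purged_at marker.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(days=30)
CLOSED_STATUSES = frozenset({"paid", "cancelled"})
# Account-identifying (ciphertext) fields that get wiped; names are assumed.
PII_FIELDS = ("account_number_enc", "routing_code_enc", "swift_enc", "iban_enc")


@dataclass
class PayoutBatch:
    id: str
    status: str                     # "open" | "paid" | "cancelled"
    closed_at: Optional[datetime]   # set when status became paid/cancelled


@dataclass
class PayoutLine:
    id: str
    batch_id: str
    # Business-summary fields: preserved for audit and tax purposes.
    creator_name: str
    amount: int                     # minor units
    currency: str
    status: str
    # Encrypted account identifiers: the only fields the purge touches.
    account_number_enc: Optional[bytes] = None
    routing_code_enc: Optional[bytes] = None
    swift_enc: Optional[bytes] = None
    iban_enc: Optional[bytes] = None
    pii_purged_at: Optional[datetime] = None


def eligible_batch_ids(batches, now):
    """Batches whose closure is at least RETENTION old. Open batches and
    closed batches with no closed_at (inconsistent rows) are skipped."""
    cutoff = now - RETENTION
    return {
        b.id for b in batches
        if b.status in CLOSED_STATUSES
        and b.closed_at is not None
        and b.closed_at <= cutoff
    }


def purge_payout_pii(batches, lines, now):
    """Wipe PII_FIELDS on every line of an eligible batch. Idempotent: lines
    already stamped pii_purged_at are not touched again. Returns purged ids."""
    eligible = eligible_batch_ids(batches, now)
    purged = []
    for line in lines:
        if line.batch_id not in eligible or line.pii_purged_at is not None:
            continue
        for name in PII_FIELDS:
            setattr(line, name, None)
        line.pii_purged_at = now
        purged.append(line.id)
    return purged


NOW = datetime(2025, 6, 1, 3, 0, tzinfo=timezone.utc)  # constructed run time


def sample_data():
    """Constructed fixture (values are placeholders, not real ciphertext)."""
    ct = b"gAAAAAB..."  # stands in for a Fernet token
    batches = [
        PayoutBatch("b-old-paid", "paid", NOW - timedelta(days=45)),
        PayoutBatch("b-recent-paid", "paid", NOW - timedelta(days=10)),
        PayoutBatch("b-open", "open", None),
        PayoutBatch("b-boundary", "cancelled", NOW - timedelta(days=30)),
    ]
    lines = [
        PayoutLine("pl-1", "b-old-paid", "Ada", 12000, "EUR", "paid", iban_enc=ct, swift_enc=ct),
        PayoutLine("pl-2", "b-recent-paid", "Grace", 5000, "USD", "paid", account_number_enc=ct, routing_code_enc=ct),
        PayoutLine("pl-3", "b-open", "Linus", 7000, "GBP", "pending", iban_enc=ct),
        PayoutLine("pl-4", "b-boundary", "Ken", 3000, "EUR", "cancelled", iban_enc=ct),
    ]
    return batches, lines


if __name__ == "__main__":
    batches, lines = sample_data()
    print("purged:", purge_payout_pii(batches, lines, NOW))      # pl-1 and pl-4
    print("second run:", purge_payout_pii(batches, lines, NOW))  # nothing left
```

Two details worth copying into a real job: eligibility is decided on the batch, not on the line, so a line cannot be purged while its batch is still open; and the `pii_purged_at` stamp makes the job safe to re-run (the on-demand admin trigger and the nightly cron can overlap without double-processing). The boundary batch closed exactly 30 days ago is purged, so "30 days after" is inclusive here.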
Gmail OAuth security
When you connect a Gmail account:
- OAuth tokens are stored encrypted at rest.
- We request only the minimum scope needed: https://www.googleapis.com/auth/gmail.readonly (read only).
- Refresh tokens are used to re-mint access tokens without ever asking you for your Google password.
- We do not use the gmail.modify or gmail.compose scopes. We never send email from your Gmail address.
- You can revoke ClaraOP's access instantly from your Google Account → Security → Third-party access. Doing so does not delete your already-processed campaigns; those you must remove from within ClaraOP.
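The checks a connecting service should make around the flow above, as an added example (constructed for this page, not ClaraOP's integration code): the authorization request asks for gmail.readonly only, the callback is tied to the login that started it via `state`, and the token response is rejected if the granted scopes are wider or narrower than requested. The client_id and redirect_uri values, exception names, and sample token responses are assumptions; the Google endpoint, parameter names, and response shape are Google's documented ones.

```python
"""Gmail OAuth hardening checks: constructed illustration, not ClaraOP code.

Assumed (not from the page): ClaraOP's client_id/redirect_uri values, the
exception names, and the sample token responses below.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
REQUESTED_SCOPES = frozenset({GMAIL_READONLY})


class OAuthStateError(Exception):
    """state missing or wrong: treat as a CSRF attempt, not a user error."""


class OAuthScopeError(Exception):
    """granted scopes differ from what we asked for."""


def new_state() -> str:
    """Unguessable per-login state; keep it server-side in the session."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id: str, redirect_uri: str, state: str) -> str:
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(REQUESTED_SCOPES)),  # gmail.readonly only
        "access_type": "offline",   # ask Google for a refresh token
        "prompt": "consent",        # Google issues a refresh token only from a consent screen
        "include_granted_scopes": "false",  # don't silently inherit broader scopes granted earlier
        "state": state,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code, or raise if the callback cannot be
    tied to the login we started."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise OAuthStateError(f"provider returned error={q['error'][0]}")
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise OAuthStateError("state mismatch: possible login CSRF")
    code = q.get("code", [""])[0]
    if not code:
        raise OAuthStateError("callback carries no authorization code")
    return code


def check_granted_scopes(token_response: dict) -> frozenset:
    """Accept the token only if the grant is exactly gmail.readonly and a
    refresh token came back. Google lets users untick individual scopes on
    the consent screen, so `scope` may be narrower than requested; anything
    broader means we asked for (or inherited) more than we should have."""
    granted = frozenset(token_response.get("scope", "").split())
    missing = REQUESTED_SCOPES - granted
    extra = granted - REQUESTED_SCOPES
    if missing:
        raise OAuthScopeError(f"user declined required scope(s): {sorted(missing)}")
    if extra:
        raise OAuthScopeError(f"token carries unrequested scope(s): {sorted(extra)}")
    if not token_response.get("refresh_token"):
        raise OAuthScopeError("no refresh_token returned; re-run consent with prompt=consent")
    return granted


# Constructed token responses in the shape Google's token endpoint returns.
GOOD_TOKEN_RESPONSE = {
    "access_token": "ya29.constructed", "expires_in": 3599, "token_type": "Bearer",
    "refresh_token": "1//constructed", "scope": GMAIL_READONLY,
}
OVERBROAD_TOKEN_RESPONSE = dict(
    GOOD_TOKEN_RESPONSE,
    scope=f"{GMAIL_READONLY} https://www.googleapis.com/auth/gmail.modify",
)
DECLINED_TOKEN_RESPONSE = dict(GOOD_TOKEN_RESPONSE, scope="")

if __name__ == "__main__":
    state = new_state()
    print(build_auth_url("CLIENT_ID", "https://app.example/oauth/callback", state))
    print(check_granted_scopes(GOOD_TOKEN_RESPONSE))
    for bad in (OVERBROAD_TOKEN_RESPONSE, DECLINED_TOKEN_RESPONSE):
        try:
            check_granted_scopes(bad)
        except OAuthScopeError as e:
            print("rejected:", e)
```

The scope check runs on the token endpoint's response, not on the consent URL you built: what the user actually granted is the only thing that matters, and a token that arrived with gmail.modify attached (for example inherited from an earlier grant to the same client) should be discarded rather than stored encrypted and forgotten about.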
Employee & engineer access
Access to production data by ClaraOP staff is:
- Granted on a strict need-to-know basis, and only for defined operational reasons (customer support ticket, incident response, security investigation).
- Logged in an immutable audit trail — every read is attributable to a named engineer.
- Time-boxed — access expires when the ticket closes.
- Never used to read the content of your emails, except in an investigation you have asked for (a specific complaint that requires it) or where required by law.
Vulnerability management
We patch high/critical vulnerabilities in our dependencies within 7 days of a fix being released. Automated dependency scanning runs on every deploy.
Discovered a vulnerability? Please report it responsibly to security@claraop.dev — we acknowledge within 48 hours and don't take legal action against good-faith researchers.
Incident response
If a security incident affects your data we will:
- Contain and remediate the issue as our first priority.
- Notify affected users by email within 72 hours of confirming impact.
- Report to the relevant supervisory authority as required by law (GDPR: within 72 hours of becoming aware of the breach; US state attorneys general per the applicable state breach-notification law).
- Publish a post-incident summary on our status page.
Data deletion — how it actually works
Account deletion is not a soft-flag. When you delete your account:
- You enter a 30-day grace period (you can reactivate in that window).
- After 30 days: your user row, profile, all campaigns, invoices, proofs, scanned emails, agency memberships, and OAuth tokens are permanently removed from the primary database.
- Backups are rotated on a 90-day cycle, so copies of deleted data can persist in backups for up to 90 days after the hard delete; after that window all backup copies have aged out and are also gone.
- Tax-mandated records (invoices you issued) may be retained in aggregated form only if required by law; personal identifiers are removed.
Compliance & certifications
ClaraOP is designed to help you comply with:
- EU/UK GDPR (data-subject rights, breach notification, DPA available on request)
- California Consumer Privacy Act (CCPA/CPRA) — including opt-out of sale (we do not sell data)
- Australia Privacy Act 1988 (Australian Privacy Principles)
Formal certifications (SOC 2 Type II, ISO 27001) are on our 2026 roadmap. Contact security@claraop.dev for our current control mapping if you're a compliance-conscious buyer.
Contact
Security team: security@claraop.dev (PGP key on request)
Responsible disclosure: Same address. Please include reproduction steps and a target contact address for follow-up.
