Security & Privacy
How Clozup protects your data, ensures compliance, and maintains your trust.
Security is foundational to Clozup. We handle sensitive business data — contacts, deals, financial projections, and conversations — and we take that responsibility seriously. This page outlines our security architecture, data handling practices, and compliance posture.
Authentication
Clozup uses Clerk for authentication, providing enterprise-grade identity management:
- OAuth 2.0 / OIDC — Sign in with Google, Microsoft, or email/password
- Multi-Factor Authentication (MFA) — Optional for all users, enforceable by admins on Enterprise plans
- SSO / SAML — Enterprise plan: connect your identity provider (Okta, Azure AD, Google Workspace, OneLogin)
- Session Management — Configurable session timeouts with forced sign-out capabilities
- Brute-Force Protection — Automatic account lockout after failed login attempts
- Passwordless Login — Magic link and passkey support
Note
Clozup never stores passwords directly. All credential management is handled by Clerk's security infrastructure, which is SOC 2 Type II certified.
Data Encryption
In Transit
All data transmitted between your browser and Clozup's servers is encrypted using TLS 1.3. This applies to:
- Web application traffic (HTTPS only, HSTS enabled)
- API requests
- Webhook payloads
- Email sending (TLS with SMTP providers)
- Voice call signaling (encrypted WebRTC)
At Rest
All stored data is encrypted at rest:
- Database — AES-256 encryption for all data stored in PostgreSQL
- File Storage — Call recordings, attachments, and exports encrypted with AES-256
- Backups — Database backups are encrypted and stored in a separate geographic region
- Sensitive Fields — API keys, integration tokens, and credentials are additionally encrypted with application-level encryption
Infrastructure
Clozup's infrastructure is hosted on industry-leading cloud providers with robust security:
- Cloud Provider — AWS / EU region (eu-west-1, Ireland) for EU data residency
- Container Orchestration — Isolated container deployments with no shared resources between organizations
- Network Security — VPC isolation, security groups, and WAF protection
- DDoS Protection — Automatic DDoS mitigation at the infrastructure level
- Monitoring — 24/7 infrastructure monitoring with automated alerting
Data Isolation
Each Clozup organization's data is strictly isolated:
- Row-Level Security (RLS) — Database-level enforcement ensures queries can only access data belonging to the authenticated organization
- No Cross-Org Access — There is no mechanism — not even for support staff — to access one organization's data from another
- AI Isolation — AI models process data in-session and do not retain or learn from your data after the request completes
Your data is never used for training
Clozup's AI features use third-party LLM providers with strict data processing agreements. Your data is never used to train AI models — it's processed for your request only and not retained by the model provider.
GDPR Compliance
Clozup is designed for GDPR compliance from the ground up:
- Data Processing Agreement (DPA) — Available for all paid plans upon request
- Right to Access — Export all your data at any time from the Admin Panel
- Right to Deletion — Delete individual leads or entire organizations with full data purge
- Right to Portability — Export data in standard formats (CSV, JSON)
- Data Minimization — We only collect data necessary for platform functionality
- Consent Management — Unsubscribe handling and consent tracking for outreach
- EU Data Residency — Primary infrastructure in EU region (Ireland)
- Sub-Processor List — Available upon request, updated when sub-processors change
SOC 2
Clozup is pursuing SOC 2 Type II certification, expected by Q3 2026. Our current security practices align with SOC 2 Trust Service Criteria for:
- Security
- Availability
- Processing Integrity
- Confidentiality
Vulnerability Management
- Dependency Scanning — Automated scanning for known vulnerabilities in all dependencies
- Code Review — All code changes undergo peer review before deployment
- Penetration Testing — Annual third-party penetration testing
- Responsible Disclosure — We welcome security reports at [email protected]
Data Retention
| Data Type | Retention | After Deletion |
|---|---|---|
| Leads, Deals, Campaigns | While account is active | Purged within 30 days |
| Call recordings | 12 months (configurable) | Purged within 7 days |
| Audit logs | Plan-dependent (7d - 1yr) | Purged with organization |
| Backups | 30 days rolling | Purged within 30 days of deletion |
| Account after cancellation | 90 days grace period | Full purge after 90 days |
Note
If you need specific retention policies or custom DPAs, contact [email protected]. Enterprise customers can negotiate custom retention terms.
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: [email protected]
- Do not disclose publicly until we've had time to address the issue
- We acknowledge reports within 24 hours and provide regular updates
- We do not pursue legal action against good-faith security researchers