Encrypted at rest

AES-256 for all database storage. Backups encrypted separately with different keys.

Encrypted in transit

TLS 1.3 minimum, HSTS preloaded, modern cipher suites only. A+ on SSL Labs.

Role-based access control

Every internal access is logged. No one at Clanner accesses your content without an audit trail.

Penetration tested

Annual third-party pentests. Summary reports available under NDA for Studio customers.

99.5% uptime target

Published status page at status.clanner.com. Incident post-mortems within 7 days.

No AI training on you

Your content never trains a model — ours or any vendor's. Contractually enforced.

Infrastructure

Clanner runs on AWS Mumbai (ap-south-1) for compute and storage, with Cloudflare at the edge for CDN, DDoS protection, and WAF. Databases are managed by Turso (libSQL) with replication across multiple regions.

  • All production servers are hardened Linux VMs with minimal attack surface
  • No SSH over the public internet — access is through a bastion with hardware key (YubiKey / Secure Enclave)
  • Secrets live in AWS Secrets Manager; never in code, never in config files
  • Outbound traffic from production is allow-listed
  • Automated infrastructure provisioning via Terraform — no manual changes in production

Data protection

Encryption

  • At rest — AES-256 on all databases, file storage, and backups
  • In transit — TLS 1.3 (1.2 fallback disabled). HSTS preload submitted. Modern cipher suites only — no legacy SSL, no RC4, no CBC.
  • Application-layer — API tokens stored encrypted with per-tenant keys

Data segregation

Every brand gets a logically isolated data partition. Queries are strictly scoped by brand_id at the ORM layer — cross-brand leakage is a checked invariant in our test suite.
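The invariant described above, as an added illustration (this is not Clanner's code, and the schema, brand ids and sample rows are constructed for the example). Every statement goes through a repository that has the brand_id bound once, so a handler cannot run an unscoped query; the check function is the kind of test-suite invariant the paragraph mentions, run here against an in-memory SQLite database standing in for libSQL:

```python
import sqlite3

# Constructed schema standing in for the tenant-scoped table.
SCHEMA = """
CREATE TABLE posts (
    id       INTEGER PRIMARY KEY,
    brand_id TEXT NOT NULL,
    title    TEXT NOT NULL
);
"""

# Constructed sample rows for two brands.
SAMPLE_ROWS = [
    ("brand-a", "Spring launch"),
    ("brand-a", "Newsletter #4"),
    ("brand-b", "Holiday sale"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO posts (brand_id, title) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


class BrandScopedRepo:
    """All reads and writes pass through here. brand_id is fixed at construction
    (from the authenticated request) and appended to every statement."""

    def __init__(self, conn: sqlite3.Connection, brand_id: str):
        if not brand_id:
            raise ValueError("brand_id is required")
        self.conn = conn
        self.brand_id = brand_id

    def list_posts(self) -> list:
        cur = self.conn.execute(
            "SELECT id, brand_id, title FROM posts WHERE brand_id = ? ORDER BY id",
            (self.brand_id,),
        )
        return cur.fetchall()

    def get_post(self, post_id: int):
        # Primary-key lookups stay scoped: a guessed id belonging to another
        # brand returns nothing instead of the other brand's row.
        cur = self.conn.execute(
            "SELECT id, brand_id, title FROM posts WHERE id = ? AND brand_id = ?",
            (post_id, self.brand_id),
        )
        return cur.fetchone()

    def rename_post(self, post_id: int, title: str) -> int:
        cur = self.conn.execute(
            "UPDATE posts SET title = ? WHERE id = ? AND brand_id = ?",
            (title, post_id, self.brand_id),
        )
        return cur.rowcount  # 0 when the row belongs to a different brand


def check_isolation_invariant(conn: sqlite3.Connection) -> bool:
    """Test-suite style invariant: for every brand in the table, the scoped repo
    returns only that brand's rows, and neither a lookup nor an update can
    touch another brand's row."""
    brands = [r[0] for r in conn.execute("SELECT DISTINCT brand_id FROM posts")]
    for brand in brands:
        repo = BrandScopedRepo(conn, brand)
        if any(row[1] != brand for row in repo.list_posts()):
            return False
        foreign_ids = [r[0] for r in conn.execute(
            "SELECT id FROM posts WHERE brand_id != ?", (brand,))]
        if any(repo.get_post(pid) is not None for pid in foreign_ids):
            return False
        if any(repo.rename_post(pid, "owned") != 0 for pid in foreign_ids):
            return False
    return True


if __name__ == "__main__":
    db = open_db()
    print(BrandScopedRepo(db, "brand-a").list_posts())
    print("isolation invariant holds:", check_isolation_invariant(db))
```

The point of the repository shape is that the scoping cannot be forgotten per query: the invariant test would fail the moment someone added a method that omits the brand_id predicate.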

Backups

Daily encrypted backups retained for 30 days. Point-in-time recovery available for Studio customers. Quarterly disaster-recovery tests.

Access control

For Clanner staff

  • Production access limited to on-call engineers (currently 2 people)
  • Mandatory 2FA on all internal tooling (hardware key required)
  • Access reviews every 90 days
  • All admin actions logged immutably (append-only audit log)
  • Zero-trust network — all internal services require authenticated requests
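One way an append-only audit log can be made tamper-evident, as an added example rather than Clanner's implementation: each entry carries the SHA-256 of the previous entry, so editing or deleting any record breaks verification of every record after it. Field names, actors and targets below are constructed for the example.

```python
import hashlib
import json
import time


class AppendOnlyAuditLog:
    """Hash-chained log: entry N commits to entry N-1. Readers get copies, so
    the only way to change history is to rewrite the chain from that point."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    def append(self, actor: str, action: str, target: str, ts=None) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry = {
            "seq": len(self._entries),
            "ts": ts if ts is not None else time.time(),
            "actor": actor,
            "action": action,
            "target": target,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def entries(self) -> list:
        return [dict(e) for e in self._entries]  # copies, not live references

    @staticmethod
    def verify(entries: list) -> tuple:
        """Return (True, count) if the chain is intact, else (False, index of
        the first entry that fails: wrong position, wrong link or wrong hash)."""
        prev = AppendOnlyAuditLog.GENESIS
        for i, e in enumerate(entries):
            if e["seq"] != i or e["prev"] != prev or AppendOnlyAuditLog._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(entries)


if __name__ == "__main__":
    log = AppendOnlyAuditLog()  # constructed sample actions
    log.append("oncall-1", "read", "brand-a/posts/3")
    log.append("oncall-2", "rotate-key", "tenant:brand-a")
    print(AppendOnlyAuditLog.verify(log.entries()))
```

The chain detects edits but not a wholesale rewrite by someone who can write the whole file, so in practice the latest hash is also copied somewhere the admins being audited cannot write (a separate account or write-once storage) and compared on each verification.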

For your account

  • Argon2id password hashing (never plain, never reversible)
  • Optional 2FA (TOTP) — recommended for Studio customers
  • Session tokens expire after 14 days of inactivity
  • Automatic lockout after 10 failed login attempts
  • Suspicious-IP alerts (login from a new country → email + required reverification)
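The account controls above as one small login policy, added here as an example and not Clanner's code. The thresholds (10 failed attempts, 14 idle days, new-country reverification) come from the list; the password hash is the standard library's scrypt as a stand-in because the example must run without argon2-cffi, which is an assumption of the example only (Argon2id, via a library such as argon2-cffi's PasswordHasher, is what the page describes). Users, passwords and countries are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 10                # lockout threshold from the page
SESSION_IDLE_SECONDS = 14 * 24 * 3600   # 14 days of inactivity


def hash_password(password: str) -> tuple:
    """Stand-in for Argon2id (assumption for the example): salted scrypt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Account:
    salt: bytes
    digest: bytes
    known_countries: set = field(default_factory=set)
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    last_seen: float
    needs_reverification: bool = False


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.alerts = []  # stands in for the alert emails

    def register(self, user: str, password: str, country: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest, {country})

    def login(self, user: str, password: str, country: str, now: float):
        """Return a Session on success, None on failure or lockout."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return None
        if not verify_password(password, acct.salt, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True  # cleared only by a reset flow, not by waiting
            return None
        acct.failed_attempts = 0
        new_country = country not in acct.known_countries
        if new_country:
            self.alerts.append(f"new-country login for {user} from {country}")
        return Session(last_seen=now, needs_reverification=new_country)

    def touch(self, session: Session, now: float) -> bool:
        """Refresh the idle timer; return False once the session has expired."""
        if now - session.last_seen > SESSION_IDLE_SECONDS:
            return False
        session.last_seen = now
        return True


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery", "IN")
    print(svc.login("alice", "correct horse battery", "DE", 0.0), svc.alerts)
```

Note that the unknown-user and wrong-password paths return the same value so the login endpoint does not reveal which accounts exist, and that a locked account stays locked even when the correct password is presented.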

AI & content handling

Clanner generates content using large language models (currently Google Gemini via the enterprise API). A few specifics:

  • Prompts and outputs are not used for model training — contractually enforced with our AI vendors
  • Prompts are discarded by the vendor within 24 hours (or shorter, depending on tier)
  • We don't cache your prompts or outputs on our vendor's side
  • Brand voice samples are processed in-memory — never sent to third parties except the AI API required for the specific generation

Testing & audits

  • Annual third-party penetration test — results summary available under NDA
  • Quarterly vulnerability scans — dependencies + infra
  • Continuous dependency scanning — Dependabot + Snyk on every commit
  • Automated security testing in CI — secret detection, SAST on every pull request
  • Bug bounty program — see disclosure below

Compliance & certifications

We're a young company — currently preparing for SOC 2 Type II (target: Q3 2026) and ISO 27001 (target: Q1 2027). In the meantime, we align internal controls to both frameworks and can share our security questionnaire responses on request.

Framework            Status            Target
GDPR (EU)            Aligned
DPDP Act (India)     Aligned
SOC 2 Type II        In preparation    Q3 2026
ISO 27001            In preparation    Q1 2027
CCPA (California)    Aligned

Sub-processors

We keep the sub-processor list short and document every one. Current list:

Provider                    Purpose                             Location
AWS                         Compute, storage, object storage    India (ap-south-1)
Turso (libSQL)              Primary database                    Global edge
Cloudflare                  CDN, DDoS, WAF                      Global edge
Google Cloud (Gemini)       Content generation                  US / EU
Stripe / Razorpay           Payment processing                  US / India
Postmark                    Transactional email                 US
Plausible                   Privacy-respecting analytics        EU (Germany)
PostHog (self-hosted EU)    Product analytics                   EU
ImgBB / Cloudinary          Media storage & delivery            US / Global edge

We notify existing customers by email when we add or remove a sub-processor, at least 30 days before the change takes effect.

Responsible disclosure

See something? Say something.

If you find a security vulnerability in Clanner, please send it to security@clanner.com with as much detail as you can share. We'll acknowledge within 24 hours, triage within 72 hours, and fix critical issues within 14 days.

We run a bounty program for material findings. Rewards range from a genuine public thank-you to ₹50,000–₹2,50,000 depending on severity and exploitability. We won't pursue legal action against researchers acting in good faith under this program.

In scope

  • clanner.com and app.clanner.com
  • The Clanner API (api.clanner.com)
  • Official mobile apps (when they ship)

Out of scope

  • Third-party platforms we integrate with (report to them directly)
  • Social-engineering or physical attacks on our team
  • Findings that require root/physical access to a victim's device
  • Denial-of-service attacks
  • Missing best-practice headers without demonstrable impact

Contact

Security-related questions, vulnerability reports, or requests for documentation: