Infrastructure
Clanner runs on AWS Mumbai (ap-south-1) for compute and storage, with Cloudflare at the edge for CDN, DDoS protection, and WAF. Databases are managed by Turso (libSQL) with replication across multiple regions.
- All production servers are hardened Linux VMs with minimal attack surface
- No SSH over the public internet; access is through a bastion with hardware key (YubiKey / Secure Enclave)
- Secrets live in AWS Secrets Manager; never in code, never in config files
- Outbound traffic from production is allow-listed
- Automated infrastructure provisioning via Terraform; no manual changes in production
Data protection
Encryption
- At rest: AES-256 on all databases, file storage, and backups
- In transit: TLS 1.3 (1.2 fallback disabled). HSTS preload submitted. Modern cipher suites only: no legacy SSL, no RC4, no CBC.
- Application layer: API tokens stored encrypted with per-tenant keys
Data segregation
Every brand gets a logically isolated data partition. Queries are strictly scoped by brand_id at the ORM layer, and cross-brand leakage is a checked invariant in our test suite.
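An added illustration of the scoping-plus-invariant approach described above (not Clanner's code): a hypothetical `BrandScope` wrapper over an in-memory SQLite table binds every statement to one brand_id, and `check_isolation` is the kind of test that asserts no scoped read or write reaches another brand's rows. The table, class and function names and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample data: two brands sharing one table.
SAMPLE_ROWS = [(1, "brand_a", "Spring launch caption"),
               (2, "brand_a", "Festive offer draft"),
               (3, "brand_b", "Unreleased pricing post")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, "
               "brand_id TEXT NOT NULL, body TEXT NOT NULL)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

class BrandScope:
    """Hypothetical data-access wrapper: every statement is bound to one brand_id."""
    def __init__(self, db, brand_id):
        if not brand_id:
            raise ValueError("brand_id is required; unscoped access is refused")
        self._db, self._brand_id = db, brand_id

    def list_posts(self):
        return self._db.execute(
            "SELECT id, brand_id, body FROM posts WHERE brand_id = ? ORDER BY id",
            (self._brand_id,)).fetchall()

    def get_post(self, post_id):
        # Primary-key lookups are scoped too: a guessed foreign id returns None.
        return self._db.execute(
            "SELECT id, brand_id, body FROM posts WHERE id = ? AND brand_id = ?",
            (post_id, self._brand_id)).fetchone()

    def update_post(self, post_id, body):
        cur = self._db.execute(
            "UPDATE posts SET body = ? WHERE id = ? AND brand_id = ?",
            (body, post_id, self._brand_id))
        return cur.rowcount  # 0 when the row belongs to another brand

def check_isolation(db, brand_ids):
    """Return every case where a scoped read or write reached a foreign row."""
    violations = []
    for b in brand_ids:
        scope = BrandScope(db, b)
        violations += [(b, "list", r[0]) for r in scope.list_posts() if r[1] != b]
        foreign = db.execute("SELECT id FROM posts WHERE brand_id != ?", (b,)).fetchall()
        for (pid,) in foreign:
            if scope.get_post(pid) is not None or scope.update_post(pid, "x") != 0:
                violations.append((b, "cross-brand", pid))
    return violations
```

A test suite would fail the build whenever `check_isolation` returns a non-empty list, which is what happens if a query loses its `brand_id` predicate.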
Backups
Daily encrypted backups retained for 30 days. Point-in-time recovery available for Studio customers. Quarterly disaster-recovery tests.
Access control
For Clanner staff
- Production access limited to on-call engineers (currently 2 people)
- Mandatory 2FA on all internal tooling (hardware key required)
- Access reviews every 90 days
- All admin actions logged immutably (append-only audit log)
- Zero-trust network: all internal services require authenticated requests
For your account
- Argon2id password hashing (never plain, never reversible)
- Optional 2FA (TOTP), recommended for Studio customers
- Session tokens expire after 14 days of inactivity
- Automatic lockout after 10 failed login attempts
- Suspicious-IP alerts (login from a new country → email + required reverification)
AI & content handling
Clanner generates content using large language models (currently Google Gemini via the enterprise API). A few specifics:
- Prompts and outputs are not used for model training, contractually enforced with our AI vendors
- Prompts are discarded by the vendor within 24 hours (or shorter, depending on tier)
- We don't cache your prompts or outputs on our vendor's side
- Brand voice samples are processed in-memory, never sent to third parties except the AI API required for the specific generation
Testing & audits
- Annual third-party penetration test: results summary available under NDA
- Quarterly vulnerability scans: dependencies + infra
- Continuous dependency scanning: Dependabot + Snyk on every commit
- Automated security testing in CI: secret detection, SAST on every pull request
- Bug bounty program: see disclosure below
Compliance & certifications
We're a young company, currently preparing for SOC 2 Type II (target: Q3 2026) and ISO 27001 (target: Q1 2027). In the meantime, we align internal controls to both frameworks and can share our security questionnaire responses on request.
| Framework | Status | Target |
|---|---|---|
| GDPR (EU) | Aligned | - |
| DPDP Act (India) | Aligned | - |
| SOC 2 Type II | In preparation | Q3 2026 |
| ISO 27001 | In preparation | Q1 2027 |
| CCPA (California) | Aligned | - |
Sub-processors
We keep the sub-processor list short and document every one. Current list:
| Provider | Purpose | Location |
|---|---|---|
| AWS | Compute, storage, object storage | India (ap-south-1) |
| Turso (libSQL) | Primary database | Global edge |
| Cloudflare | CDN, DDoS, WAF | Global edge |
| Google Cloud (Gemini) | Content generation | US / EU |
| Stripe / Razorpay | Payment processing | US / India |
| Postmark | Transactional email | US |
| Plausible | Privacy-respecting analytics | EU (Germany) |
| PostHog (self-hosted EU) | Product analytics | EU |
| ImgBB / Cloudinary | Media storage & delivery | US / Global edge |
We notify existing customers by email when we add or remove a sub-processor, at least 30 days before the change takes effect.
Responsible disclosure
See something? Say something.
If you find a security vulnerability in Clanner, please send it to info@galific.com with as much detail as you can share. We'll acknowledge within 24 hours, triage within 72 hours, and fix critical issues within 14 days.
We run a bounty program for material findings. Rewards range from a genuine public thank-you to ₹50,000 - ₹2,50,000 depending on severity and exploitability. We won't pursue legal action against researchers acting in good faith under this program.
In scope
- clanner.ai and app.clanner.ai
- The Clanner API (app.clanner.ai)
- Official mobile apps (when they ship)
Out of scope
- Third-party platforms we integrate with (report to them directly)
- Social-engineering or physical attacks on our team
- Findings that require root/physical access to a victim's device
- Denial-of-service attacks
- Missing best-practice headers without demonstrable impact
Contact
Security-related questions, vulnerability reports, or requests for documentation:
- Report a vulnerability: info@galific.com (PGP key on request)
- Security questionnaire: info@galific.com
- Trust portal: coming with SOC 2 (Q3 2026)