Security & Compliance

Protecting your data is our highest priority. Here's how we do it.

End-to-End Encrypted

All data in transit is encrypted using HTTPS/TLS. Voice data is encrypted at rest.

GDPR Compliant

We comply with GDPR privacy regulations and provide data processing agreements.

Hosted on Supabase

Built on PostgreSQL and AWS infrastructure with enterprise-grade security.

Regular Audits

We conduct regular security audits and penetration testing.

Encryption & Data Protection

In Transit: All communication with Cluso servers uses TLS 1.2+ encryption (HTTPS).

At Rest: Your survey data and voice recordings are encrypted at rest with AES-256 in Supabase Storage.

Encryption Keys: Encryption keys are managed by Supabase and follow industry best practices.

Access Control

Authentication: We use Supabase Auth with secure session tokens.

Row-Level Security (RLS): All data is protected by PostgreSQL RLS policies, ensuring users can only access their own organization's data.

Multi-Tenant Isolation: Data is completely isolated between organizations.

Audit Logging: All data deletions are logged in an immutable audit trail.

Data Retention & Deletion

Soft Deletions: When you delete a survey, it's marked as deleted but retained for 30 days for recovery purposes.

Permanent Deletion: After 30 days, surveys are automatically purged from all systems.

Account Deletion: When you delete your account, all associated data is removed within 7 days.

Audio Deletion: Voice recordings are deleted when their parent survey is permanently deleted.

Compliance & Certifications

GDPR: Cluso is GDPR compliant. We can provide Data Processing Agreements for enterprise customers.

CCPA: We comply with California Consumer Privacy Act requirements.

HIPAA: Cluso is not HIPAA-compliant and should not be used for healthcare data.

SOC 2: Supabase (our infrastructure provider) is SOC 2 Type II certified.

Incident Response

If we discover a security breach, we will:

  • Notify affected users within 48 hours
  • Provide details of what data was accessed
  • Recommend protective actions
  • Conduct a thorough investigation
  • Implement preventive measures

Report a Security Issue

If you discover a security vulnerability, please email us at security@cluso.ai instead of disclosing it publicly. We will acknowledge your report within 24 hours and work with you to resolve the issue.

Do not: Attempt unauthorized access, modify data, or exploit vulnerabilities for any reason.