Trust
Security & compliance
We treat customer data as if it were our own. The page below summarises the controls we run today and links to the documents you need to procure Clipora in regulated environments.
Encryption
All traffic is served over TLS 1.2+. Database, object storage, and Mux assets are encrypted at rest with AES-256.
Access control
Role-based access on every API route. Admin operations require Clerk-managed two-factor authentication and are logged to a tamper-evident audit trail.
Audit log
Privileged admin actions are recorded to an append-only AdminAuditLog with actor, IP, user agent, and per-action metadata. Retained for 7 years and available to enterprise customers on request.
Data retention
Production data is retained for the lifetime of your account. Anonymous analytics events expire after 24 months. Export or delete from /studio/settings or by emailing privacy@clipora.app.
IP hashing
Analytics IPs are hashed daily with a rotating salt (SHA-256(ip + ':' + YYYY-MM-DD)). We never store raw IP addresses.
Vendor list
Clerk (auth), Stripe (payments), Mux (video), Cloudflare Images, Vercel (hosting), Upstash Redis, Resend (transactional email), Sentry (error monitoring), PostHog (product analytics), OpenRouter (AI).
Documents
Procurement-ready paperwork.
Everything your security and procurement team needs, in one place.
- Data Processing Addendum (DPA)
Fillable form returns a signed counter-signature within one business day.
- Privacy policy
Plain-language description of what we collect and why.
- Terms of service
Master agreement for all paying tiers.
- security@clipora.app
Vulnerability reports (PGP key on request). Responsible disclosure welcome.
Need a custom contract?
Enterprise plans include DPA, MSA, custom retention, SSO, and a dedicated CSM.