K Klovex Request access
Security at Klovex

Built around the principle of least privilege.

Klovex handles access tokens to our customers' most valuable accounts. We treat that responsibility seriously: short scopes, encrypted storage, audit-logged access, and a fast path to disconnect at any time.

Encryption

  • TLS 1.2+ in transit, end-to-end.
  • AES-256-GCM at rest for application data.
  • Envelope-encrypted OAuth tokens with KMS-managed data keys.
  • Encrypted, access-controlled backups.

Access control

  • SSO + 2FA mandatory for all Klovex personnel.
  • Principle of least privilege; per-environment access.
  • Production write actions require approval.
  • All admin actions are audit-logged with immutable retention.

Infrastructure

  • Application hosting on Vercel.
  • Managed PostgreSQL on Neon (EU region).
  • Cloudflare for DNS, TLS, and DDoS protection.
  • Infrastructure-as-code; reproducible deployments.

Secure development

  • Code review on every change, signed commits.
  • Static analysis and dependency scanning in CI.
  • Secrets stored in a managed secrets manager — never in repos.
  • Pre-production environments isolated from production data.

Monitoring

  • Centralized application and access logs.
  • Anomaly alerts on auth events and token usage.
  • Uptime monitoring and on-call rotation.
  • Periodic review of detection coverage.

Privacy by design

  • We request the minimum API scopes a feature needs.
  • We don't resell data and we don't build derivative datasets.
  • One-click disconnect — see data deletion.
  • GDPR-aligned DPA available to all customers.

Incident response

We maintain a documented incident-response plan covering detection, triage, containment, eradication, recovery and post-mortem. In the event of a security incident affecting customer data we will:

Responsible disclosure

We welcome reports from the security community. If you believe you have found a vulnerability in Klovex, email security@klovex.xyz with a clear description, reproduction steps, and any supporting material. We will acknowledge within 48 hours, keep you informed of progress, and credit you (if you wish) once a fix is shipped.

Please avoid testing that may degrade the Service for other customers (no DoS, no automated scanning at high volume, no social engineering of Klovex personnel). We will not pursue legal action against researchers who follow this policy.