
Security

Last updated: April 1, 2026

Trade documents contain sensitive commercial and personal data. Klervex treats security as a core product requirement, not an afterthought.

Infrastructure

  • Hosting: Supabase (managed PostgreSQL on AWS) for backend; Vercel for frontend.
  • Processing: Rynko platform (Railway) for AI extraction, validation, and document generation.
  • Encryption in transit: TLS 1.2+ enforced on all connections.
  • Encryption at rest: AES-256 encryption on all database storage and backups.
  • Network isolation: Database not accessible from the public internet; all access through authenticated Edge Functions.

Authentication & Access Control

  • User authentication: Supabase Auth with email verification required before any processing.
  • API access: Team-scoped API keys with Bearer token authentication.
  • Row-level security: PostgreSQL RLS policies ensure complete tenant isolation — users can only access their own team's data.
  • Role-based access: Owner, Admin, Member, and Viewer roles with granular permissions.

Data Protection

  • Minimal retention: Uploaded documents are processed and not stored permanently. Temporary processing data is retained for 5 days maximum.
  • Verification hashes only: SHA-256 hashes of documents are stored permanently for tamper-proof verification; the documents themselves are not.
  • Audit logging: Every data access, modification, and API call is logged with user, timestamp, and action.
  • Sanctions screening: Party names are screened locally — no data is sent to external screening services.

AI & Extraction Security

  • Double-blind principle: AI extraction and deterministic validation are separate — the AI does not see validation reference data, preventing it from "grading its own homework."
  • No training on your data: Documents uploaded to Klervex are not used to train AI models.
  • Provider isolation: AI provider API calls use ephemeral sessions with no persistent state.

Document Verification

  • SHA-256 hashing: Every generated document includes a cryptographic hash for tamper detection.
  • Public verification: Anyone can verify a document's authenticity at klervex.com/verify without needing an account.

Compliance

  • GDPR-ready: Data Processing Agreement available; data subject rights supported.
  • Data residency: Primary data stored in AWS US regions via Supabase.
  • Sub-processor transparency: Full list maintained at klervex.com/subprocessors.

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly to security@klervex.com. We take all reports seriously and will respond within 48 hours.