Security and Compliance

Enterprise-Grade Security

Over 8,000 customers rely on CleverTap to execute on their mobile engagement strategies everyday. Our security and risk management processes safeguard each customer’s data within their own silo, strictly restricting any movement of data between clients and thereby ensuring there is no inadvertent access to data other than yours.

CleverTap leverages two-factor authentication, inflight data security across devices, formal change management policies and up-to-date security protocols on the dashboard and across all API endpoints to ensure that customer security is not compromised.

Enable Physical and Network Security

We maintain data-centers on AWS that are fully compliant with a range of certifications for industry-specific applications. We do not store any data off-site outside of AWS and do not use any off-site physical storage facilities. We follow best practices to protect the network perimeter, including maintaining redundant DNS servers and a denial-of-service (DoS) prevention and mitigation system. Antivirus and a host-based intrusion detection system (IDS) are used on all production servers. For more information on AWS security best practices, visit: AWS Security

Encrypting Data at Rest and Data in Motion

CleverTap performs encryption at all incoming and outgoing data collection endpoints. The most up-to-date TLS protocols with SHA256 algorithms are used to handle communications between CleverTap and customer applications. The data key used for encryption is itself encrypted using a unique customer master key and stored securely on the disk. The customer management key is stored securely using FIPS 140-2 validated hardware security modules and is never transmitted outside of EU, where our data centers are based.

Ensuring strict Access Control

CleverTap takes preventive measures to ensure that its internal systems are accessed by employees on a need-to-know basis based on least-privilege, and via VPN. Additionally, to access the CleverTap dashboard, every CleverTap end-user requires a unique user ID and password, along with two-factor authentication and role-based, thus reducing the risk associated with account compromise. This access model is enforced on each end-user session. CleverTap requires passwords to be at least eight characters in length and must be rotated every 90 days for additional security. CleverTap passwords use PBKDF2 (Password-Based Key Derivation Function 2) with HMAC (hash-based message authentication code) along with a salt value and the SHA-1 algorithm.

User Privacy

CleverTap is committed to protecting customer data at all times. CleverTap has a formal Privacy Policy in place to protect user access at all times. With best-in-class security standards, CleverTap restricts access based on least-privilege while at the same time allowing customers to easily manage their user data. We have also established best practices so our customers can easily access their user content and determine how it is stored and processed through CleverTap’s user permission controls and approval workflows.

Business Continuity and Disaster Recovery

CleverTap’s infrastructure scales automatically for ebbs and flows in traffic. Our proprietary technology is custom-built and allows us to provide high availability and rapid recovery in the event of an issue. We are not reliant on any external launch cycles or product updates to improve performance. Our infrastructure is connected with multiple network carriers to dynamically respond to each request with the best connectivity in order to ensure reliable and continuous availability of critical resources at all times. All data backups are protected by stringent role-based access control restrictions. Data is replicated periodically to provide state-of-the-art fault-tolerance, highly responsive recovery, and scalability at all times.

Compliance

CleverTap is committed to maintaining strong data protection commitments while also ensuring that we provide our customers with the tools required to comply. By maintaining a shared responsibility with AWS, CleverTap is able to maintain fully compliant data centers that allow sensitive data to be stored securely.

GDPR – General Data Protection Regulation

CleverTap welcomes the opportunity to deliver better customer experiences in preparing for the General Data Protection Regulation (GDPR). CleverTap is compliant with GDPR and is taking the necessary steps to help our customers manage compliance related features and capabilities. We have added enhancements to our product functionality and updated our documentation to help you better handle the GDPR requirements. Among other things, these updates will support you in offering data privacy to your application’s end users and easily facilitate user requests to exercise individual data subject rights.

Data Privacy and Security