Kloup handles fundraising data — investor pipelines, deal terms, cap tables — so security is a foundational concern, not an add-on. This page describes our practices in plain language. For specifics under NDA (audit reports, penetration tests, sub-processor list), email security@kloup.com.
Encryption
- In transit — every connection runs over TLS 1.2+ (HTTPS for the app and API, TLS for outbound integrations). Cloudflare's Universal SSL covers *.kloup.com and custom-domain workspaces.
- At rest — D1 (SQLite) and R2 (object storage) encrypt data at rest using AES-256 managed by Cloudflare. OAuth refresh tokens are additionally encrypted at the application layer before being written to D1.
Authentication
- Sign-in is Google OAuth only — no passwords stored in our system.
- Access tokens are short-lived (1 hour) JWTs; refresh tokens (7 days) live in browser localStorage and rotate on use.
- Workspace access is membership-based: every API call validates the caller against the requested organization, not just a session.
- Per-workspace roles (admin, manager, employee, advisor, current_investor, investor) gate every read and write.
Multi-tenancy
Each organization's data is isolated by organization_id on every row in every table, with foreign-key cascades enforcing integrity. The middleware layer rejects any request whose authenticated user isn't a member of the target organization — so even a leaked workspace id can't be used to read another tenant's data.
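One way to implement the membership check and row scoping described above, as an added JavaScript example that is not Kloup's own code. The permission table, the sample membership rows and the function names are assumptions made for illustration.

```javascript
// Added example (not Kloup's code): the membership check and per-row scoping that
// the Multi-tenancy section describes. The permission table, the membership rows
// and the function names are assumptions made for illustration.

// Constructed sample of an organization_members table, as loaded for a request.
const MEMBERSHIPS = [
  { user_id: "u_alice", organization_id: "org_a", role: "admin" },
  { user_id: "u_bob", organization_id: "org_b", role: "investor" },
];

// Hypothetical role gate using the six roles listed under Authentication.
const PERMISSIONS = {
  "deal_terms:read": new Set(["admin", "manager", "employee", "advisor", "current_investor"]),
  "deal_terms:write": new Set(["admin", "manager"]),
  "cap_table:read": new Set(["admin", "manager", "current_investor"]),
};

// Tables that may be queried; the table name is never taken from the client.
const TABLES = new Set(["deals", "cap_table_entries"]);

// The caller's role in the *requested* organization. null when not a member,
// whether or not the organization exists (no distinguishable "exists" signal).
function roleInOrg(memberships, userId, orgId) {
  const row = memberships.find(
    (m) => m.user_id === userId && m.organization_id === orgId,
  );
  return row ? row.role : null;
}

// Middleware-style decision: membership first, then the role gate.
// A valid session plus a leaked workspace id is not enough to get past this.
function authorizeRequest(memberships, userId, orgId, action) {
  const role = roleInOrg(memberships, userId, orgId);
  if (role === null) return { status: 403, reason: "not a member" };
  const allowed = PERMISSIONS[action];
  if (!allowed || !allowed.has(role)) return { status: 403, reason: "role denied" };
  return { status: 200, role };
}

// Every read is scoped by the organization_id that membership was validated
// against, bound as a parameter rather than taken from a client-supplied filter.
function scopedSelect(table, orgId) {
  if (!TABLES.has(table)) throw new Error(`unknown table: ${table}`);
  return { sql: `SELECT * FROM ${table} WHERE organization_id = ?`, params: [orgId] };
}

// Demo: Bob knows org_a's id but is not a member, so the request is rejected.
console.log(authorizeRequest(MEMBERSHIPS, "u_bob", "org_a", "deal_terms:read").status); // 403
console.log(scopedSelect("deals", "org_a").sql);
```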
Infrastructure
- Hosted on Cloudflare (Workers, Pages, D1, R2, KV, Queues).
- No long-lived servers; the app and API run on edge Workers that auto-scale and have no SSH surface.
- All deploys go through CI from a protected GitHub branch with required reviews.
- Production secrets live in GitHub Actions environment secrets, pushed to Cloudflare on every deploy via signed action runs. No secret is ever committed to the repo.
Data ownership and processing
- You own your Customer Data. We process it only to provide the Service.
- We don't sell data and don't use Customer Data to train AI models.
- AI features (drafts, summaries) call third-party providers under zero-retention agreements where available.
- You can export your workspace data anytime via Settings → Data Export.
Backups and recovery
- Nightly D1 + R2 snapshots, retained for 30 days.
- Snapshots are encrypted and stored in a separate R2 bucket scoped to the production account.
- Recovery is point-in-time; restore times depend on workspace size.
Monitoring and incident response
- Application-level logs are tail-shipped to Cloudflare Logpush and retained for 30 days.
- Authentication events, admin role changes, and data-room access are recorded in the activity log visible to workspace admins.
- We commit to notifying affected workspace admins within 72 hours of confirming a security incident that materially affects their data.
Vulnerability reporting
Found something? We're happy to hear from you and we won't sue researchers acting in good faith.
- Email security@kloup.com with reproduction steps and the affected URL.
- Please don't run automated scans against production. Use a workspace you own.
- Don't access, modify, or delete data that isn't yours. Reading the response that proves the vulnerability is enough — stop there.
- Give us a reasonable disclosure window. We aim to acknowledge within 48 hours and remediate critical issues within 14 days.
Compliance
We follow the principles of GDPR, LGPD, and CCPA, and contractually bind sub-processors to equivalent standards. Specific compliance artifacts (DPA, sub-processor list, security questionnaire responses) are available to customers under NDA.
Contact
Security disclosures and questions: security@kloup.com.