Security & trust

Your pipeline,
defended.

SOC 2 Type II. GDPR. HIPAA-eligible. SAML SSO. Encryption everywhere. A 24/7 on-call rotation staffed by engineers, not a script. And a bug bounty paying out within the week.

SOC 2
Type II · 2026
GDPR
EU SCCs · DPA
HIPAA
BAA · Scale plan
PCI DSS
SAQ-A · Stripe
CCPA
California ready
All systems operational 99.99% uptime in 2025 · 14 minutes since last deploy View status page →
How we protect your data

Four pillars.
One platform.

Encryption

Every byte encrypted at rest and in transit. Customer-managed keys on Scale plans.

  • AES-256 at rest, every database, every backup, every blob.
  • TLS 1.3 in transit, HSTS preloaded, modern ciphers only.
  • AWS KMS envelope encryption — per-tenant data keys, master keys rotated annually.
  • Field-level encryption on PII for healthcare and financial-services workspaces.

Identity & access

SSO, SCIM provisioning, granular roles, audit trail. Every action your team takes is logged.

  • SAML 2.0 SSO with Okta, Azure AD, Google, OneLogin, Ping, ADFS.
  • SCIM 2.0 auto-provisioning with group-based role mapping.
  • RBAC with 6 default roles, unlimited custom roles.
  • Immutable audit log — 90 days Growth, 2 years Scale, exportable to your SIEM.

Resilience & recovery

Multi-region replication, point-in-time restore, drilled DR plans, on-call engineers 24/7.

  • 99.99% uptime SLA on Scale, signed, with monthly credits if we miss.
  • Multi-region active-active across 3 AWS AZs per region.
  • PITR with 35-day window, RPO < 1 minute, RTO < 15 minutes.
  • DR plans tested quarterly. The drill reports are available under NDA.

Compliance & programs

Independent audits, structured vendor program, public sub-processor list, transparency reports.

  • SOC 2 Type II — audited annually, report under NDA.
  • GDPR · CCPA · LGPD ready. DPA pre-signed at order form.
  • HIPAA-eligible workloads on Scale with a signed BAA.
  • Bug bounty active on HackerOne, payouts up to $25,000.
Defense in depth

Six layers,
each independent.

No single layer protects your data. A request from your browser passes through six independent control points — each operated by a different system, each logged, each tested. A breach of one doesn't compromise the others.

We publish the whitepaper on this architecture, with threat models and red-team findings, on request. Email security@clientlink.io.

L1 · Edge
Cloudflare WAF + DDoS
cf-edge
L2 · Auth
SAML SSO + token rotation
auth-svc
L3 · RBAC
Policy engine + audit log
rbac/opa
L4 · App
Tenant-isolated runtimes
k8s/iso
L5 · Crypto
AWS KMS envelope encryption
kms-east-1
L6 · Storage
Encrypted DB + cold backups
aurora/s3
Data residency

Choose where your data lives.

US

United States

us-east-1 · us-west-2

Default for North American customers. AWS Virginia and Oregon, active-active across three AZs each. CCPA-ready.

EU

European Union

eu-central-1 · eu-west-1

AWS Frankfurt and Ireland. Data and metadata stay in-region. SCCs in place. Default for EU/UK customers on Growth+.

AU

Australia

ap-southeast-2

AWS Sydney. Required for some APAC public-sector customers and available on Scale by default.

Responsible disclosure

Find a bug.
Get paid.

Our bug bounty has been live on HackerOne since 2022. We triage every report within 24 hours, fix critical findings within 72, and pay out within a week of validation. We don't threaten researchers, we don't gag them, and we publicly thank everyone whose report led to a fix.

Report bugs at hackerone.com/clientlink or, if you'd rather skip the platform, directly to security@clientlink.io using our PGP key.

214
Reports validated
$485K
Paid out since 2022
72h
Median time to fix (critical)

Bounty rates

CritRCE, auth bypass, tenant isolation breach$25,000
HighPrivilege escalation, sensitive data exposure$8,500
MedCSRF, stored XSS, IDOR (single tenant)$2,500
LowReflected XSS, info leak, rate-limit bypass$500
For your security review

Everything we can share.

SOC 2 Type II report (2026)
PDF · Under NDA · Available on request
Data Processing Addendum
PDF · Pre-signed · Auto-attaches to order forms
Business Associate Agreement (HIPAA)
PDF · Scale plan customers · 5 business days to sign
Pen-test summary (Q1 2026)
Latitio Security · Findings remediated
Sub-processor list
Live page · 30-day notice on changes
Security questionnaire (CAIQ Lite)
XLSX · Pre-filled · Updated quarterly
Security questions?

Talk to our
security team.

We pre-fill security questionnaires, hop on calls with your CISO, and sign just about anything reasonable. Most reviews wrap in a week.

Book a security review Email security@clientlink.io