Security
How Klemento is built to be safe to use. The short version: we hold less, encrypt everything, and tell you fast if something goes wrong.
Data protection
The single most important security control at Klemento isn't a firewall or a key-management system. It's that we don't keep the data in the first place.
- Raw transcripts are never persisted. The transcript you submit lives in memory just long enough to be analysed, then it's gone.
- Structured PII is regex-scrubbed on our server before any AI model sees the text. Emails, phone numbers, IBANs, postcodes, and URLs are all stripped.
- Names in quoted moments are anonymised by the model itself. Our coaching prompt instructs Claude to replace any names with role descriptors ("the manager", "the client") before returning the structured output. So no raw names land in our database either.
- What we do store is the structured coaching output: dimension scores, coaching paragraphs, and anonymised quoted moments. All of it is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher.
The combined effect is that even in a worst-case data breach, there is no transcript and no identifiable name to leak.
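The regex scrubbing step described above depends on the order in which patterns run; this added example (not Klemento's code) shows one ordering and returns per-type counts that can be logged without logging content. The patterns, the placeholder tokens, the UK-only postcode format and the sample transcript are assumptions constructed for illustration.

```javascript
// Added example, not Klemento's code: ordered regex scrubbing of structured PII.
// Patterns, placeholder tokens and sample text are assumptions / constructed.
const RULES = [
  // URLs first: an email or number inside a query string goes with the URL.
  ["URL", /\b(?:https?:\/\/|www\.)[^\s<>"']+/gi],
  ["EMAIL", /[A-Z0-9._%+-]+@[A-Z0-9-]+(?:\.[A-Z0-9-]+)+/gi],
  // IBAN before phone: otherwise its digit groups are half-eaten as a phone number.
  ["IBAN", /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g],
  // UK postcode, upper case only to limit false positives (assumption).
  ["POSTCODE", /\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b/g],
  // Phone: optional "+", 9 to 15 digits, up to two separators between digits.
  ["PHONE", /(?<!\w)\+?\(?\d(?:[\s().-]{0,2}\d){8,14}(?!\w)/g],
];

// Returns the scrubbed text plus per-type counts. The counts carry no content,
// so they can be recorded without recording the transcript itself.
function scrub(text) {
  const counts = {};
  let out = text;
  for (const [label, pattern] of RULES) {
    out = out.replace(pattern, () => {
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

// Constructed sample transcript.
const SAMPLE = [
  "Mail priya@example.com or call +44 20 7946 0958.",
  "Refund to GB29 NWBK 6016 1331 9268 19, office at SW1A 1AA.",
  "Notes: https://crm.example.com/deals?owner=sam@example.com today",
].join("\n");

console.log(scrub(SAMPLE));
```

Personal names pass through this step unchanged, which is why the page relies on a separate anonymisation step for them.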
Authentication
Passwords
If you sign up with a password, we hash it with PBKDF2-SHA256 (100,000 iterations) using the Web Crypto API on Cloudflare's edge. We never store or log your password in plain text. Minimum length is 10 characters; we don't bother with arbitrary character-class rules because length matters more.
Magic links
You can also sign in by emailed magic link, which never requires a password. Magic links expire after 15 minutes and can only be used once.
Sessions
Session cookies are HTTPS-only, marked SameSite=None; Secure; Partitioned (the strictest cross-site cookie flags Chrome supports). Sessions expire after 30 days of inactivity. You can sign out of all sessions from your account settings.
Infrastructure
Klemento runs entirely on Cloudflare's developer platform.
- Marketing site on Cloudflare Pages (klemento.com).
- App on Cloudflare Pages (app.klemento.com), gated behind real auth.
- API on a Cloudflare Worker (api.klemento.com), running on Cloudflare's edge.
- Database on Cloudflare D1 (SQLite at the edge), primary location hint Western Europe.
- Cache and rate limiting on Cloudflare KV.
All inter-service traffic is TLS-encrypted. The Worker runs with the minimum bindings needed; no production secrets live in the codebase. Secrets are managed through Wrangler and stored in Cloudflare's encrypted secret store.
Subprocessors
We use the following third parties to deliver the service. Each is bound by a data processing agreement.
- Cloudflare: hosting, database, edge compute, DNS, TLS termination.
- Anthropic: AI coaching via the Claude API. Anthropic does not retain prompt content for training under the commercial API terms.
- Brevo: transactional and marketing email.
- Lemon Squeezy: subscription billing and payments.
- GitHub: source code repositories (private), CI/CD via GitHub Actions.
Monitoring
Cloudflare provides edge-level DDoS protection and Web Application Firewall rules out of the box. Worker requests are rate-limited per user (200/hour on the AI endpoint, 30/hour on auth registration) using KV-backed counters. All requests are logged for 30 days for abuse detection.
We don't log request bodies, response bodies, or any field that could contain transcript content. Logs include user ID, route, status, and duration only.
Incident response
If we suffer a data breach that affects you, we'll notify you within 72 hours of becoming aware, as required under UK GDPR. The notification will include what happened, what data was affected, what we've done about it, and what you can do.
Routine availability incidents (degraded performance, partial outages) are posted to @klemento on X in real time.
Vulnerability disclosure
If you've found a security issue, please email [email protected] with a description and reproduction steps. We'll acknowledge within 48 hours and aim to resolve critical issues within seven days.
We don't yet run a paid bug bounty program, but we'll publicly credit researchers who report responsibly (with your permission) and we'll send you Klemento merch and a year of Pro on the house.
Please don't run automated scanners against production. We rate-limit aggressively and they tend to fire false positives.
Compliance
Klemento Ltd is registered with the UK Information Commissioner's Office and operates under UK GDPR. We follow OWASP Top 10 guidance for application security, and we use only subprocessors with a documented security posture.
We are not currently SOC 2 or ISO 27001 certified. If you need a pre-vendor security review for a Team plan, email [email protected] and we'll send you the questionnaire we already have.