1. Encryption
All traffic to and from Klorra is served over TLS 1.2+ with HSTS. Plan files and pipeline output are encrypted at rest in object storage (Cloudflare R2, AES-256). Database backups are encrypted at rest in our managed Postgres provider (Neon). Stripe handles all card data and is PCI-DSS Level 1 certified — Klorra never sees raw card numbers.
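An IT team evaluating these claims will usually want to verify the transport-security statement against the live service rather than take it on trust. The following is an added example for that purpose, not Klorra's code; it assumes nothing about Klorra beyond the public hostname you pass on the command line, and the constructed header strings in the offline helpers are illustrative inputs only.

```python
"""Verify a vendor's "TLS 1.2+ with HSTS" claim.

Added example (not Klorra's code). The live probe needs network access and
the vendor's public hostname; the HSTS parsing/evaluation runs offline.
"""
import http.client
import re
import ssl
import sys
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: Optional[int]        # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directives are ';'-separated and case-insensitive; unknown directives
    are ignored, and max-age may be quoted.
    """
    max_age, include_subdomains, preload = None, False, False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_is_acceptable(header: Optional[str], min_max_age: int = 31536000) -> bool:
    """True when the header commits browsers to HTTPS for at least min_max_age
    seconds (default one year, the floor for the browser preload list).

    A missing header, an unparsable max-age, or max-age=0 (which *removes* a
    host from HSTS) all fail.
    """
    if header is None:
        return False
    policy = parse_hsts(header)
    return policy.max_age is not None and policy.max_age >= min_max_age


def evaluate_claims(tls_version: str, hsts_header: Optional[str]) -> Dict[str, bool]:
    """Reduce one probe result to pass/fail findings a reviewer can record."""
    return {
        "tls_1_2_or_newer": tls_version in ("TLSv1.2", "TLSv1.3"),
        "hsts_present": hsts_header is not None,
        "hsts_one_year": hsts_is_acceptable(hsts_header),
    }


def probe(host: str, timeout: float = 5.0) -> Tuple[str, Optional[str]]:
    """Live probe: negotiate TLS with a verifying default context, read the
    negotiated protocol version, then issue HEAD / and return the HSTS header.

    Caveat: a modern client negotiating TLS 1.3 shows the server *supports*
    1.2+, not that it refuses 1.0/1.1; a downgrade probe is a separate test.
    """
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.connect()                      # read version before the response can close the socket
        version = conn.sock.version() or "unknown"
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return version, resp.getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python tls_hsts_check.py <vendor hostname>   (hostname supplied by you, not assumed here)
    tls_version, hsts = probe(sys.argv[1])
    for finding, ok in evaluate_claims(tls_version, hsts).items():
        print(f"{finding}: {'PASS' if ok else 'FAIL'}  (negotiated {tls_version}, HSTS={hsts!r})")
```

The one-year threshold is a reviewer's choice, not something the page states; lower it if your own policy differs. The probe deliberately reads the negotiated version right after `connect()` because `http.client` drops the socket once a response marked `Connection: close` is read.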
2. Authentication
User authentication is handled by Clerk. Sessions are short-lived JWTs; multi-factor authentication is supported and configurable per account. Admin access to production infrastructure (Vercel, Neon, R2, Modal) is gated by the operator's personal MFA-protected accounts.
3. Hosting and data residency
Klorra runs entirely in the United States. The web application is hosted on Vercel (US regions). The Postgres database is hosted on Neon (US-East). Plan-file storage is on Cloudflare R2 (US). The agent pipeline runs on Modal (US-East). No customer data is processed or stored outside the United States.
4. AI provider terms
Klorra invokes Anthropic's Claude API for the bid pipeline. Under Anthropic's commercial API terms applicable to Klorra, customer prompts and completions are not used to train Anthropic's foundation models. Klorra itself does not train, fine-tune, or build models on customer plan content.
5. Subprocessors
A complete list of third-party services that process Klorra customer data — including security and compliance posture for each — is published at /subprocessors. Material additions are reflected on that page; substantial changes are notified per Terms of Service §15.
6. Data retention
Plan files and bid output are retained for the life of the customer's account. On account deletion, all customer-uploaded files and generated deliverables are deleted from primary storage within 30 days; encrypted backups age out within 90 days.
Customers may request deletion of specific bids or files at any time by writing to privacy@klorra.ai. Standard data-rights requests under CCPA, VCDPA, CPA, and similar U.S. state privacy laws are handled per Privacy Policy §10.
7. Backups and disaster recovery
The primary database is backed up continuously by Neon with 7-day point-in-time recovery on production. Plan-file storage replicates across Cloudflare's global object-storage tier. We have not yet conducted a formal third-party DR drill — early-stage company, full transparency.
8. Vulnerability disclosure
Security researchers and customers can report suspected vulnerabilities to security@klorra.ai. We acknowledge reports within two business days, prioritize triage, and credit reporters in our changelog if they wish. We do not currently run a paid bug-bounty program.
9. Incident notification
In the event of a security incident affecting customer data, Klorra will notify affected accounts without unreasonable delay and consistent with applicable law. Notification will include the nature of the incident, data categories impacted, remediation steps taken, and recommended customer actions.
10. Compliance posture
Klorra acts as a service provider under CCPA / CPRA and as a processor under VCDPA, CPA, and substantially similar U.S. state privacy laws. We do not currently hold SOC 2 Type II or ISO 27001 certification; both are on the roadmap, but neither is in place at launch. Customers who require a certified-vendor posture should evaluate accordingly.
11. Contact
Security reports and IT-team questions: security@klorra.ai. Privacy and data-rights requests: privacy@klorra.ai. General support: support@klorra.ai.