How Cleo Labs protects your data
Security is foundational to everything we build. Cleo Labs processes sensitive regulatory and compliance data, and we treat its protection as a core product requirement, not an afterthought.
Cleo Labs complies with the General Data Protection Regulation (GDPR), including Article 28, which sets the obligations of a processor. We maintain records of processing activities, conduct Data Protection Impact Assessments (DPIAs), and have appointed a data protection lead. We respond to data subject requests within 30 days. A Data Processing Agreement (DPA) is available for download.
All customer data is stored and processed on servers located in the European Union (Scaleway, Paris region). We do not transfer personal data outside the EU unless it is required, and then only with appropriate safeguards in place (Standard Contractual Clauses).
Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database backups are encrypted. API keys and secrets are managed through secure vault systems. We enforce HTTPS on all endpoints.
We never use customer data to train, fine-tune, or improve our AI models. Your regulatory scans, compliance reports, and account data remain strictly yours. Our AI models are trained exclusively on public regulatory sources.
We implement role-based access control (RBAC) across the platform. Team members only see data relevant to their role. All access to production systems requires multi-factor authentication (MFA). We follow the principle of least privilege.
Every action on the platform is logged with immutable timestamps. Regulatory scan reports include full source traceability, linking each finding to its original regulatory source. Audit logs are retained and available for compliance reviews.
We run automated security scans and dependency audits on every deployment. Critical vulnerabilities are patched within 24 hours.
We maintain a documented incident response plan. In the event of a personal data breach, affected users and the relevant supervisory authority (the CNIL) are notified within 72 hours, the deadline GDPR Article 33 sets for notifying the authority.
All team members undergo security training upon onboarding and annually thereafter. Access to production systems is restricted and regularly reviewed.
Third-party vendors are vetted for security and data protection practices before engagement. All vendors processing personal data sign Data Processing Agreements (DPAs).
We maintain automated backups with point-in-time recovery. Our infrastructure is designed for high availability with redundancy across multiple availability zones within the EU.
Single Sign-On integration with your identity provider (Okta, Azure AD, Google Workspace). Centralize authentication and enforce your organization's security policies.
Comprehensive, exportable audit logs for every user action, API call, and data access event. Retention for 12+ months with tamper-proof immutable timestamps.
Restrict platform access to approved IP ranges. Ideal for organizations with strict network perimeter requirements.
Configurable data retention policies. Automatic purging of scan results and reports after your defined retention period. Full data deletion on account closure within 30 days.
Priority security support channel with guaranteed response SLAs. Dedicated account manager for security reviews and compliance questionnaire assistance.
GDPR: Article 28 compliant, DPA available
EU data: hosted on Scaleway, Paris region
AES-256: encryption at rest
TLS 1.3: encryption in transit
If you discover a security vulnerability or have security concerns, please contact us immediately at contact@cleolabs.co. We take all security reports seriously and will respond within 24 hours.