Our Commitment to Security

At Klarvo, security is fundamental to everything we do. As a platform handling sensitive compliance data, we implement industry-leading security practices to protect your information.

Infrastructure Security

Data Encryption

All data is encrypted both in transit and at rest:

In Transit: TLS 1.3 encryption for all connections
At Rest: AES-256 encryption for stored data
Database: Encrypted database connections and backups

Hosting & Infrastructure

Our infrastructure is hosted on enterprise-grade cloud platforms with:

EU-based data centers for data residency compliance
Redundant systems and automatic failover
Regular security patches and updates
DDoS protection and Web Application Firewall (WAF)

Application Security

Authentication & Access Control

Secure password hashing with industry-standard algorithms
Multi-factor authentication (MFA) support
Role-based access control (RBAC)
Session management with secure tokens
Automatic session timeout

Secure Development

Security-focused code reviews
Dependency vulnerability scanning
Static code analysis
Regular penetration testing
Bug bounty program (coming soon)

Organizational Security

Employee Practices

Background checks for all employees
Mandatory security awareness training
Principle of least privilege access
Secure workstation policies

Vendor Management

Security assessments for all vendors
Data Processing Agreements (DPAs) with sub-processors
Regular vendor security reviews

Compliance & Certifications

We are committed to meeting the highest compliance standards:

GDPR: Full compliance with EU data protection requirements
SOC 2 Type II: Audit in progress
ISO 27001: Roadmap planned

Audit Logging

All sensitive operations are logged for compliance and security purposes. The following actions are recorded in the audit trail:

Classification & Assessments

Classification changes (risk level, prohibited screening, high-risk determination)
FRIA creation, updates, and approvals
Assessment answer submissions

Evidence & Controls

Evidence file uploads and deletions
Evidence approval and rejection actions
Control status changes
Control-evidence linking

Tasks & Incidents

Task creation, assignment, and completion
Incident creation, updates, and resolution

Governance & Access

User role changes
AI system creation, updates, and deletion
Vendor record modifications
Policy updates and approvals
Export generation (Classification Memo, FRIA Report, Evidence Pack)
Auditor link creation and access

All audit log entries include: timestamp, user identity, action type, affected entity, and relevant metadata. Logs are retained for a minimum of 7 years.

Incident Response

We maintain a comprehensive incident response plan that includes:

24/7 monitoring and alerting
Defined escalation procedures
Customer notification within 72 hours of confirmed data breach
Post-incident analysis and remediation

Data Protection

Backups

Automated daily backups
Encrypted backup storage
Geo-redundant backup locations
Regular backup restoration testing

Data Retention & Deletion

We retain data according to our Privacy Policy and contractual obligations. Upon account termination, data is securely deleted within 30 days unless legally required to retain it.

Responsible Disclosure

We welcome security researchers to help us keep our platform secure. If you discover a vulnerability:

Email security@klarvo.com with details
Allow reasonable time for remediation before disclosure
Do not access or modify user data

We commit to acknowledging reports within 48 hours and working collaboratively on fixes.

Contact

For security inquiries or to report a vulnerability:

Security Team: security@klarvo.com
Data Protection Officer: dpo@klarvo.com