Data Handling Policy
Platform: CloviScan | Effective Date: June 10, 2026 | Governing Law: State of Delaware, USA
This Data Handling Policy describes the technical and operational practices CloviTek AI uses to collect, process, store, protect, and delete data within the CloviScan platform. It supplements our Privacy Policy and Terms of Service, and is intended to provide transparency for users, enterprise customers, and compliance reviewers.
Authorized Use Only: CloviScan may only be used to scan systems you own or for which you hold explicit written authorization from the system owner. This policy applies exclusively to data generated through authorized use of the Service. Data generated through unauthorized scanning activity is subject to immediate deletion and may be disclosed to affected parties or law enforcement authorities.
Security Estimates Disclaimer: All scan results, security scores, vulnerability findings, and remediation recommendations produced by CloviScan are based on automated analysis of publicly observable signals and known vulnerability databases. They are computational estimates only, not guarantees of security status. A passing scan result does not certify that a system is free from vulnerabilities. CloviScan is not a substitute for professional penetration testing or a formal security audit.
1. Data Categories and Sources
| Data Category | Source | Purpose | Retention |
| Account identity data (name, email, organization) |
User-provided at registration |
Authentication, communication, support |
Duration of account + 90 days post-closure |
| Payment and billing data |
User-provided; processed by payment processor |
Subscription management |
7 years (legal/financial compliance) |
| Scan targets (domains, URLs, identifiers) |
User-submitted via Service UI or API |
Security scanning, monitoring, reporting |
24 months from last scan, then de-identified |
| Authorization attestations |
User-provided or recorded at scan initiation |
Compliance, abuse investigation, legal |
5 years from submission |
| Scan result data (SSL, headers, DNS, vulnerability matches, scores) |
Automated scan of submitted targets |
Security analysis, historical trending, reporting |
24 months from scan date, then deleted or de-identified |
| Third-party vulnerability and threat intelligence data |
Licensed vulnerability databases and threat feeds |
Vulnerability matching, risk scoring |
Per provider license terms; refreshed periodically |
| Usage and telemetry data |
Automatically collected from Service interaction |
Product improvement, performance monitoring |
13 months, then aggregated/de-identified |
| Support and communication records |
User-initiated support channels |
Issue resolution, quality assurance |
3 years from ticket closure |
2. Data Processing Principles
CloviTek AI processes data in accordance with the following principles:
- Purpose limitation: Data is collected and used only for the specific purposes stated in this policy and our Privacy Policy.
- Data minimization: We collect only the data necessary to deliver the Service and fulfill stated purposes.
- Accuracy: We maintain processes to update or correct account data upon user request.
- Storage limitation: Data is retained only as long as necessary for its stated purpose or as required by law.
- Integrity and confidentiality: Appropriate technical and organizational measures protect data against unauthorized access, loss, or destruction.
- Lawfulness: All scanning activity enabled by the Service must be authorized. Scan data generated through unauthorized use is treated as unlawfully submitted and is subject to removal and disclosure obligations.
3. Scan Data Handling
3.1 Target Submission and Authorization
When a user submits a target for scanning, CloviScan records the target identifier, the initiating account, and the timestamp of submission. By submitting a target, the user implicitly attests to ownership or written authorization, consistent with the Terms of Service. CloviScan may optionally capture explicit authorization attestation where required by the user's plan tier or organizational policy settings.
3.2 Scan Execution
Scans are executed by automated systems that query publicly observable characteristics of the submitted target, including:
- SSL/TLS certificate validity, issuer, expiry, and chain data from certificate transparency logs and direct handshake
- HTTP response headers from publicly accessible endpoints
- DNS records (A, AAAA, MX, SPF, DMARC, DKIM, NS, and related records) via standard DNS resolution
- Known software version fingerprints observable from public responses, matched against disclosed vulnerability databases
- Threat reputation signals from licensed intelligence feeds based on the submitted domain or IP
CloviScan does not perform active exploitation, credential testing, or intrusive probing of submitted targets. All scan methods rely on passive observation of publicly reachable signals or authorized protocol handshakes.
3.3 Scan Result Storage and Isolation
Scan results are stored per-account and per-target. Results from one account are not accessible to or shared with other accounts. Scan history enables trend analysis and alert comparisons within the user's own account. After 24 months, scan result data is either permanently deleted or de-identified such that it cannot be linked to the originating account or target.
3.4 No Cross-Customer Data Sharing
Scan configurations, targets, and results are treated as confidential account data. CloviTek AI does not share individual scan data with other CloviScan users or customers. Aggregate and anonymized signal data (e.g., prevalence of specific vulnerability types across the user base) may be used internally for product improvement purposes and never identifies individual accounts or targets.
4. Automated Processing and Algorithmic Analysis
CloviScan uses automated algorithms and, in some features, AI-assisted analysis to generate security scores, vulnerability matches, and remediation recommendations. Key disclosures:
- All scores, ratings, and findings are computed estimates based on available public signals and known vulnerability data; they are not verified facts or guaranteed security assessments.
- Vulnerability matching is based on disclosed CVE and similar databases; zero-day vulnerabilities and undisclosed weaknesses will not be detected.
- No automated decision-making that produces legal or similarly significant effects on individual users is performed by CloviScan.
- Recommendations generated by automated or AI-assisted features are advisory in nature and do not constitute professional security advice.
Users should engage qualified security professionals before making security decisions based solely on CloviScan output.
5. Data Security Measures
CloviTek AI implements the following security controls for CloviScan data:
- Encryption in transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Databases and file storage containing personal, account, and scan result data are encrypted at rest.
- Access controls: Role-based access controls limit internal personnel access to data strictly to those with a documented business need. Scan result data is subject to stricter access controls than general account data.
- Audit logging: Access to scan data and sensitive account data is logged and reviewed periodically.
- Isolation: Per-account data is logically isolated to prevent cross-account exposure.
- Vulnerability management: Regular security assessments and patching processes are applied to Service infrastructure.
- Incident response: A documented incident response plan governs detection, containment, and notification procedures in the event of a security incident.
6. Sub-Processors and Third-Party Vendors
CloviTek AI engages the following categories of sub-processors in the delivery of CloviScan. All sub-processors are bound by data processing agreements that require data protection standards consistent with applicable law:
- Cloud infrastructure provider: Hosts Service infrastructure and databases
- Payment processor: Handles payment card processing and billing
- Email delivery service: Delivers transactional and notification emails
- Vulnerability and threat intelligence data provider(s): Provides licensed CVE, malware reputation, and threat intelligence data used in scan analysis
- DNS and certificate transparency services: Provides DNS resolution and certificate transparency log data
- Analytics service: Collects anonymized usage telemetry for product improvement
- Support ticketing system: Manages user support communications
A current list of sub-processors is available upon request at [email protected].
7. Abuse Detection and Unauthorized Use Handling
CloviTek AI operates controls to detect scanning patterns that may indicate unauthorized use, including anomalous target submission volumes, patterns inconsistent with legitimate security auditing, or targets flagged by third parties as not owned or authorized by the submitting account. Where unauthorized use is suspected:
- The account may be suspended pending investigation.
- Scan records associated with the suspected unauthorized activity may be preserved and disclosed to affected parties or law enforcement.
- CloviTek AI will cooperate with law enforcement investigations in accordance with applicable legal process.
8. Data Deletion and Erasure Requests
Users may request deletion of their personal data and account at any time. Upon a verified deletion request:
- Account identity data will be deleted within 30 days.
- Scan results and stored reports linked to the account will be deleted or de-identified within 60 days.
- Authorization attestation records may be retained for up to 5 years for compliance and legal purposes.
- Billing and financial records will be retained for 7 years as required by applicable financial regulations.
- Backup copies may persist for up to 90 days during regular backup rotation cycles.
- Records preserved in connection with an active legal investigation or enforcement action will not be deleted until the matter is resolved.
To submit a deletion request, contact [email protected] from the email address associated with your account.
9. Data Portability
Upon request, CloviTek AI will provide a structured, machine-readable export of personal data associated with your account (e.g., account information and scan history in JSON or CSV format). Requests will be fulfilled within 30 days.
10. International Transfers
CloviTek AI's primary infrastructure is located in the United States. For users in the European Economic Area, United Kingdom, or other regions with cross-border transfer restrictions, CloviTek AI relies on appropriate legal mechanisms (such as Standard Contractual Clauses) to authorize data transfers. Contact [email protected] for transfer mechanism documentation.
11. Breach Notification
In the event of a data breach that is likely to result in a risk to the rights and freedoms of affected users, CloviTek AI will:
- Notify affected users within 72 hours of becoming aware of the breach, where feasible.
- Notify applicable regulatory authorities within the timeframes required by applicable law.
- Provide information about the nature of the breach, data affected, and remediation steps taken.
12. Compliance and Audit
Enterprise or business customers requiring data processing agreements (DPAs), security questionnaires, sub-processor lists, or audit documentation should contact [email protected]. CloviTek AI will work in good faith to accommodate reasonable compliance review requests.
13. Changes to This Policy
This Data Handling Policy may be updated from time to time to reflect changes in our practices, technology, legal requirements, or operational needs. Material changes will be communicated to registered users via email or in-Service notice at least 14 days before they take effect.
14. Contact
For questions, requests, or concerns relating to this Data Handling Policy:
CloviTek AI Legal & Privacy
[email protected]