How We Protect Your Data
CloviScan is a security product, so we hold ourselves to the standard we audit you against. Here is exactly how your scan data is handled, where it lives, how long we keep it, and how to get it deleted — in plain English, with no fabricated certifications.
Encryption in transit
All traffic to and from CloviScan is served over HTTPS/TLS. Scan requests, report data, and your account session are encrypted on the wire. We do not expose scan results over plain HTTP.
Encryption at rest
Scan reports and account records are stored on encrypted-at-rest storage. Any uploaded artifacts (for code scans) are written to a private, access-controlled store — never a public bucket or world-readable path.
Per-account isolation
Your scans, reports, and uploaded code are scoped to your account. A new account starts empty. We do not pool or share one customer's findings with another, and reports are only retrievable by the account that ran them.
Where scan data lives
Scan results are processed and stored on CloviScan-operated infrastructure. Code uploaded for static analysis is held only as long as needed to produce your report, then handled per the retention policy below.
Data retention & your right to deletion
- Scan reports are retained in your account so you can track fixes over time and compare re-scans.
- Code uploaded for static analysis is used to generate findings and is not retained beyond what is needed to deliver and re-open your report.
- You can delete any individual report, or request full account deletion, at any time.
- On account deletion, associated scan data and uploaded artifacts are removed from active systems.
How to request deletion
Email [email protected] or use the in-app account controls. We confirm deletion and remove your scan data from active systems. See our Data Handling and Privacy Policy for the full statement.
The consent model
You should only scan assets you own or are authorized to test. When you submit a domain, server, or repository, you confirm you have permission to scan it. Authorization-based scanning keeps you — and us — on the right side of acceptable use.
Our own security posture
We apply the same hardening we audit for: HTTPS everywhere, least-privilege access to scan data, private storage for artifacts, and scoped sessions. We do not publish internal hostnames, ports, or service names on public pages.
Found a vulnerability in CloviScan?
We welcome responsible disclosure. If you believe you have found a security issue in CloviScan itself, please email [email protected] with steps to reproduce. Give us reasonable time to remediate before any public disclosure, and please do not access or modify other users' data while testing.
Honesty note: CloviScan does not currently hold a formal SOC 2 or ISO 27001 certification. We describe our actual practices above rather than claim a badge we have not earned. As our compliance program matures, we will publish verified attestations here.