Security at Clodei.

Version: 1.0
Effective Date: 2026-05-11
Table of Contents
  • 1. Hosting and data residency
  • 2. Tenant isolation
  • 3. Identity and access
  • 4. Data protection
  • 5. Wallet and billing integrity
  • 6. Compliance roadmap
  • 7. Subprocessors
  • 8. Vulnerability disclosure
  • 9. Contact

How we host, isolate, encrypt, audit, and disclose. EU-only data plane, per-tenant container isolation, asymmetric JWT, append-only wallet ledger, coordinated disclosure policy.

This page summarises the controls Clodei has in place today. It complements the formal documents in /legal and the operational runbooks the team uses internally. For RFP questionnaires or due diligence packs, request them at legal@clodei.com.

1. Hosting and data residency

All Clodei data processing lives in EU jurisdictions. The control plane runs on Railway (eu-west-1). Identity and persistence run on Supabase (eu-west-3 Paris). Transactional email is sent via Resend from EU infrastructure (eu-west-1 Ireland). Invoice PDFs are stored in Cloudflare R2 with EU jurisdiction. Compute (GPU containers) runs on provider nodes whose physical location is selected per-instance and visible to the customer; production targets the KUMO Networks Tier IV datacenter in Spain.

2. Tenant isolation

Each GPU instance runs in its own Docker container with cap_drop ALL, seccomp profile applied, network_mode=bridge (host networking is blocked at the agent layer), pids_limit and ulimits enforced, IPC namespace private for single-GPU, and per-instance workspace mounted at 0750. Image registries are restricted to an allowlist (aitorgarmen/, ghcr.io/clodei/, library/, pytorch/, nvidia/, nvcr.io/, tensorflow/). Volume bind mounts under /etc, /proc, /sys, /var/run/docker.sock are rejected by the node agent.
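One way to express the image allowlist and bind-mount rejection described above as an admission check. This is an added example, not Clodei's node agent code: the function names and the spec dict layout are hypothetical, and rejecting ancestors of the denied paths (such as /var/run) is an assumption that goes beyond what the page states.

```python
import posixpath

# Prefixes and denied roots are copied from the paragraph above; all names are hypothetical.
ALLOWED_PREFIXES = ("aitorgarmen/", "ghcr.io/clodei/", "library/", "pytorch/",
                    "nvidia/", "nvcr.io/", "tensorflow/")
DENIED_ROOTS = ("/etc", "/proc", "/sys", "/var/run/docker.sock")


def normalize_image(ref):
    """Drop digest/tag and the implicit Docker Hub host; bare names become library/<name>."""
    name = ref.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    name = head + sep + last.split(":", 1)[0]   # a colon in the last component is a tag
    for hub in ("docker.io/", "index.docker.io/"):
        if name.startswith(hub):
            name = name[len(hub):]
    if not name:
        return ""                               # empty reference never matches the allowlist
    return name if "/" in name else "library/" + name


def mount_denied(host_path):
    """Lexical check only: symlinks must be resolved on the host before calling this."""
    # posixpath.normpath keeps a leading "//", so collapse leading slashes first.
    path = posixpath.normpath("/" + host_path.lstrip("/"))
    for root in DENIED_ROOTS:
        if path == root or path.startswith(root + "/"):
            return True
        # Assumption beyond the page: an ancestor such as /var/run exposes the root too.
        if path == "/" or root.startswith(path + "/"):
            return True
    return False


def violations(spec):
    """Return the reasons a container spec (constructed dict format) would be refused."""
    out = []
    image = normalize_image(spec.get("image", ""))
    if not image.startswith(ALLOWED_PREFIXES):
        out.append("image not in allowlist: " + image)
    if spec.get("network_mode", "bridge") != "bridge":
        out.append("network_mode must be bridge")
    for bind in spec.get("binds", []):
        src = bind.split(":", 1)[0]             # "src:dst[:mode]" bind syntax
        if mount_denied(src):
            out.append("bind mount denied: " + src)
    return out
```

Matching on the normalized name with the trailing slash kept in each prefix is what stops `evil.example/pytorch/...` or `ghcr.io/clodei-x/...` from passing as an allowlisted image.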

3. Identity and access

Supabase Auth issues ES256-signed JWT access tokens. The backend verifies them locally via JWKS (cached 10 minutes; an admin endpoint forces immediate refresh). Refresh tokens rotate on every use with a 10-second reuse window — replaying an older refresh token fails with invalid_grant. Admin endpoints are gated by require_admin; cron endpoints by scoped X-Cron-Token. Email verification is enforced before resource-creating operations.

4. Data protection

TLS 1.2+ in transit on every external hop. Supabase Postgres and Cloudflare R2 encrypt data at rest with AES-256. Personal data is retained per category — see the published Privacy Policy and DPA. Operational tables (email_events_log, webhook_events_log, feedback_responses) are auto-purged on schedule. PII is masked in application logs via a shared helper; CI rejects new logger.* calls that pass raw emails.

5. Wallet and billing integrity

The wallet ledger is append-only at the database layer (Postgres triggers reject UPDATE/DELETE). Idempotency keys prevent double-spend. A daily reconciliation cron compares balance vs. ledger sum across every wallet; deltas ≤ €1 are auto-corrected and audit-logged; larger drift escalates by email to the ops admin alerts mailbox.

6. Compliance roadmap

GDPR conformance is the baseline (lawfulness, purpose limitation, retention, transparency, data subject rights via the Privacy page). ISO 27001 and ENS Medio certifications are on track for Q1 2027 — the underlying gap analysis is maintained in docs/compliance/. A DPA is available for B2B customers under signature. Subprocessors are listed publicly.

7. Subprocessors

The full list of subprocessors — with the role, data accessed, primary location, and legal mechanism for each — is published at /legal/subprocessors and updated whenever a new one is engaged.

8. Vulnerability disclosure

Coordinated disclosure policy and safe harbour clause are published at /legal/security-policy. Machine-readable metadata is at /.well-known/security.txt. Reports to security@clodei.com; we acknowledge within 2 business days and triage within 5 business days.

9. Contact

security@clodei.com for vulnerability reports. legal@clodei.com for DPO questions, GDPR data-subject-rights inquiries, RFP / due-diligence packs, and DPA signature.
