Trust & security
How we protect your information
We work with sensitive supplier and operational data: RFCs, tax documents, banking details. This page openly explains how we protect it, which providers we use, and the legal frameworks we operate under.
Who we are
Clauhub is the platform your business runs on, and the technical controller for data processing: hosting, database, authentication, backups and infrastructure security. As the organization that owns the record, you keep control over who accesses your information.
Four commitments by default
Encryption in transit and at rest
All traffic travels over TLS 1.2+. Data at rest is encrypted with AES-256 at the storage provider (Convex Cloud + Cloudflare R2).
Least-privilege access
Roles and permissions per organization. Suppliers only see their own record. The admin team only accesses the org it belongs to.
Audit log
Every critical action (uploads, validations, status changes, token access) is recorded with a timestamp and author. Logs are retained for at least 12 months.
Incident response
If we detect unauthorized access or a breach, we will contact affected organizations without undue delay and report to INAI within the timeframes required by law.
Legal framework
We operate under Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP). For customers operating in the European Union we apply GDPR on a supplementary basis; for California, CCPA/CPRA. Full details in the Privacy Policy.
Subprocessors
To deliver the service we rely on certified providers, all with contractual data-protection clauses:
- Convex (US) — database and serverless backend. SOC 2 Type II.
- Cloudflare (US) — CDN, R2 storage and workers. ISO 27001 / SOC 2.
- Resend (US) — transactional email delivery.
- Stripe (US) — payment processing, where applicable. PCI DSS Level 1.
- Mistral / OpenAI (EU/US) — OCR and document processing when the user requests it.
Your rights
As a personal-data subject you can exercise your ARCO rights (Access, Rectification, Cancellation, Objection) at any time. Write to the support email shown in your portal and we will respond within 20 business days at most.
Questions or requests?
If you have specific concerns about how your information is handled, contact your organization's administrator through the portal. For technical platform matters, reach us via the details on the Terms page.