CREAV SECURITY POLICY
Last Updated: April 23, 2026
This document summarizes creavio's security posture. A live, more detailed view — including current status and compliance scope — is maintained at creav.io/trust.
1. AUTHENTICATION
1.1. Passwords. Stored using PBKDF2 with 100,000 iterations. Plaintext passwords are never logged or transmitted outside the login request.
1.2. Two-Factor Authentication. Time-based one-time password (TOTP) support plus single-use backup codes. Enabled per account from Settings → Security.
1.3. Passkeys. WebAuthn passkeys (platform authenticators and hardware keys) are supported and recommended for all paid accounts.
1.4. Social sign-in. Google and Facebook OAuth 2.0.
1.5. SSO. SAML / OIDC SSO is in development and will ship free on all paid plans.
2. ENCRYPTION
2.1. In transit. TLS 1.3, delivered by Cloudflare with managed certificates.
2.2. At rest. AES-256 at the storage layer for D1 database and R2 object storage.
2.3. Sensitive fields. Contract e-signature material is encrypted with AES-256-GCM using a platform key stored in Cloudflare Secrets.
3. ACCESS CONTROLS
3.1. Tenant isolation. Every data-access path is scoped to the authenticated tenant_id. Background jobs enforce the same scoping.
3.2. Role-based access. Platform-administrator access is gated behind a separate flag with audit logging on every privileged action.
3.3. Rate limiting. A D1-backed per-tenant, per-endpoint rate limiter throttles authentication, email send, AI calls, and write endpoints.
3.4. CSRF. SvelteKit same-origin verification is enforced on all write endpoints.
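The rate limiter in 3.3 is described only by its shape (D1-backed, keyed per tenant and per endpoint, covering auth, email, AI and write endpoints). The block below is an added example, not creavio's code, of a fixed-window limiter with exactly that keying. The counter table is a Map standing in for the D1 table so the example runs offline, the clock is passed in so windows are deterministic, and the endpoint limits are constructed values rather than creavio's real policy. The key always starts with tenant_id, which is the same scoping rule 3.1 states for every data-access path: one tenant exhausting its budget cannot affect another.

```javascript
// Added example, not creavio's code. Per-tenant, per-endpoint fixed-window rate limiter.
// The page's limiter is D1-backed; here a Map plays the counter table (one entry per
// tenant + endpoint + window) so the logic runs stand-alone. All limits are constructed.

const LIMITS = {
  "POST /auth/login":   { max: 5,  windowMs: 60_000 },
  "POST /email/send":   { max: 20, windowMs: 60_000 },
  "POST /ai/complete":  { max: 30, windowMs: 60_000 },
};
const DEFAULT_WRITE_LIMIT = { max: 100, windowMs: 60_000 }; // any other write endpoint

function policyFor(endpoint) {
  return LIMITS[endpoint] ?? DEFAULT_WRITE_LIMIT;
}

class RateLimiter {
  constructor(store = new Map()) {
    this.store = store; // stand-in for the D1 counter table
  }

  // Count one request and say whether it may proceed. `now` is injected so the
  // window boundaries can be tested without waiting for real time to pass.
  check({ tenantId, endpoint, now = Date.now() }) {
    if (!tenantId) throw new Error("rate limit requires an authenticated tenant_id");
    const policy = policyFor(endpoint);
    const windowStart = now - (now % policy.windowMs);
    // Equivalent of the D1 primary key (tenant_id, endpoint, window_start).
    const key = `${tenantId}|${endpoint}|${windowStart}`;
    const count = (this.store.get(key) ?? 0) + 1;
    this.store.set(key, count);
    const allowed = count <= policy.max;
    return {
      allowed,
      remaining: Math.max(0, policy.max - count),
      retryAfterMs: allowed ? 0 : windowStart + policy.windowMs - now,
    };
  }

  // Delete rows whose window has fully elapsed; the D1 version would run this on a cron.
  prune(now = Date.now()) {
    for (const key of this.store.keys()) {
      const [, endpoint, ws] = key.split("|");
      if (Number(ws) + policyFor(endpoint).windowMs <= now) this.store.delete(key);
    }
  }
}

// Map a check result onto the HTTP response the handler should return.
function toResponse(result) {
  if (result.allowed) {
    return { status: 200, headers: { "X-RateLimit-Remaining": String(result.remaining) } };
  }
  return { status: 429, headers: { "Retry-After": String(Math.ceil(result.retryAfterMs / 1000)) } };
}
```

A fixed window lets up to 2x the limit through around a boundary; if that matters for the login endpoint, a sliding window that also reads the previous window's row (weighted by how far into the current window the request falls) is the usual refinement and fits the same table layout.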
4. INFRASTRUCTURE
4.1. Cloudflare Workers + Pages + D1 + R2. DDoS protection and a managed Web Application Firewall ruleset are always on.
4.2. Secrets. API tokens and platform keys live in Cloudflare Workers Secrets. They are never committed to source control.
5. OBSERVABILITY
5.1. Platform audit log. Every admin and billing event is persisted to the platform_audit_log table in D1.
5.2. Error tracking. Sentry on client and server with request-body scrubbing.
5.3. Access logs. Cloudflare Logpush with a 30-day retention window.
6. BACKUPS + RECOVERY
6.1. Database. D1 point-in-time recovery is enabled; the recovery window is 30 days.
6.2. Files. R2 versioning is enabled on production buckets. Cross-region replication is available on Business and above.
6.3. Testing. Restore drills are performed at least quarterly.
7. INCIDENT RESPONSE
7.1. Detection. Alerts are wired to the platform owner via PagerDuty-class rotation.
7.2. Notification. Per DPA §7, affected Creators are notified within 72 hours of creavio becoming aware of a breach affecting their client data.
7.3. Remediation. Post-incident reviews are documented and tracked in the platform audit log.
8. VULNERABILITY DISCLOSURE
8.1. Reporting. Email security@creav.io. We respond within 2 business days.
8.2. Scope. All creavio-owned domains (creav.io, app.creav.io, *.creav.io, *.creavio.site) and the public API.
8.3. Rules. Do not access other tenants' data. Do not run automated scanners on production. Report in plain text. We credit researchers with permission.
8.4. Disclosure window. We ask for a reasonable embargo to ship a fix; typically 90 days.
9. COMPLIANCE
9.1. GDPR. creavio acts as data processor for Creator client data and as data controller for Creator account data. See the Data Processing Addendum for specifics.
9.2. CCPA / CPRA. California Creators and their clients can exercise their rights at privacy@creav.io. We honor Global Privacy Control signals.
9.3. DMCA. creavio has a designated DMCA agent registered with the U.S. Copyright Office.
9.4. CAN-SPAM. Marketing email sent from the Platform is gated on a valid sender physical address and carries unsubscribe links.
9.5. PCI DSS. All card data is handled by Stripe (PCI DSS Level 1) and does not touch creavio servers.
9.6. SOC 2 Type II. Planned once we cross 100 paying Creators.
10. AVAILABILITY
10.1. Target uptime. 99.9% monthly, best-effort, measured at the Platform API edge, excluding announced maintenance and force majeure.
10.2. Status. Current status and historical uptime are published at status.creav.io (when available) and at creav.io/trust.