Trust Center

How creavio protects your data and your clients' data.

Authentication

Passkeys (WebAuthn) | Live | Biometric + hardware key support
Two-factor auth (TOTP) | Live | Authenticator apps + backup codes
Password hashing | Live | PBKDF2, 100,000 iterations
Google + Facebook SSO | Live | OAuth 2.0
SAML / OIDC SSO | In progress | Free on all paid plans

Data protection

Encryption in transit | Live | TLS 1.3 via Cloudflare
Encryption at rest | Live | AES-256 (Cloudflare D1 + R2)
Signature encryption | Live | AES-256-GCM for contract signatures
Tenant isolation | Live | All queries scoped to tenant_id
Rate limiting | Live | Per-tenant, per-endpoint D1-backed
CSRF protection | Live | SvelteKit origin verification

Infrastructure

Hosting | Cloudflare | Workers, Pages, D1, R2, KV
DDoS protection | Cloudflare | Included on all plans
WAF | Cloudflare | Managed ruleset on API Worker
Backups (database) | Live | D1 point-in-time recovery, 30-day window
Backups (files) | Live | R2 versioning; cross-region replication on Business+

Observability

Platform audit log | Live | Every admin and billing event persisted to D1
Error tracking | Live | Sentry on client + server
Request logs | Live | Cloudflare Logpush, 30-day retention

Availability

Target uptime | 99.9% | Best-effort, measured monthly
Status page | Live | app.creav.io/status
Incident response | Live | 72-hour breach notification per DPA §7

Sub-processors

creavio engages the following sub-processors to operate the Platform. The canonical list lives on /legal/subprocessors and is governed by our Data Processing Addendum.

Sub-processor | Purpose
Cloudflare, Inc. | Hosting, CDN, D1 database, R2 file storage, KV, DNS
Stripe, Inc. | Payment processing, subscription billing (PCI DSS Level 1)
Resend, Inc. | Transactional + marketing email delivery
Telnyx, Inc. | SMS + MMS delivery
Anthropic, PBC | AI features (copy, SEO optimizer, AI Insert)
OpenAI, L.L.C. | AI features (select admin tooling)
DataForSEO | Keyword research and SERP data for the SEO suite
Google LLC | GSC + GA4 data import (opt-in), Google SSO

Compliance

GDPR | In scope | DPA + SCCs for EEA/UK transfers
CCPA / CPRA | In scope | DSAR at privacy@creav.io; GPC honored
DMCA | Live | Designated agent registered with U.S. Copyright Office
CAN-SPAM | Live | Footer enforcement + unsubscribe on all marketing email
PCI DSS | Stripe | Card data never touches creavio servers
SOC 2 Type II | Planned | Targeting audit once we cross 100 paying customers

Responsible disclosure

If you believe you've found a security vulnerability in creavio, email security@creav.io. We respond to all reports within 2 business days. We don't run a paid bounty program yet, but we credit researchers (with permission) in our security advisories.

  • Report in plain text; avoid automated scanners on production.
  • Don't access other tenants' data. If you stumble on it, stop and report.
  • Give us a reasonable window to fix before public disclosure — typically 90 days.

Contact

Security issues: security@creav.io
Privacy + DSAR: privacy@creav.io