Authentication
| Control | Status | Detail |
|---|---|---|
| Passkeys (WebAuthn) | Live | Biometric + hardware key support |
| Two-factor auth (TOTP) | Live | Authenticator apps + backup codes |
| Password hashing | Live | PBKDF2, 100,000 iterations |
| Google + Facebook SSO | Live | OAuth 2.0 |
| SAML / OIDC SSO | In progress | Free on all paid plans |
Data protection
| Control | Status | Detail |
|---|---|---|
| Encryption in transit | Live | TLS 1.3 via Cloudflare |
| Encryption at rest | Live | AES-256 (Cloudflare D1 + R2) |
| Signature encryption | Live | AES-256-GCM for contract signatures |
| Tenant isolation | Live | All queries scoped to tenant_id |
| Rate limiting | Live | Per-tenant, per-endpoint, D1-backed |
| CSRF protection | Live | SvelteKit origin verification |
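"All queries scoped to tenant_id" is only as strong as the code path that forgets the predicate. The following is an added example (not creavio's code) of how a Workers/D1 application can turn that rule into a checked invariant: a wrapper that refuses any statement not scoped by `WHERE tenant_id = ?` and binds the caller's tenant itself, so application code never supplies it. `MemoryD1`, the sample rows and the table name `contracts` are constructed stand-ins so the example runs offline; real D1 statements return promises where this stand-in returns values directly.

```javascript
// Added example, not creavio's code. Enforces tenant scoping at the
// database boundary instead of relying on every query author to remember it.

class TenantScopingError extends Error {}

// Every statement must carry `WHERE tenant_id = ?` and that `?` must be the
// first placeholder, so the wrapper can bind the tenant before caller params.
const SCOPE = /\bWHERE\s+tenant_id\s*=\s*\?/i;

function tenantDb(db, tenantId) {
  if (typeof tenantId !== 'string' || tenantId === '') {
    throw new TenantScopingError('tenantId is required');
  }
  return {
    prepare(sql) {
      const m = SCOPE.exec(sql);
      if (!m) throw new TenantScopingError(`unscoped statement refused: ${sql}`);
      // A placeholder before the tenant predicate would let the tenant value
      // land on another column, so refuse that shape too.
      if (sql.slice(0, m.index).includes('?')) {
        throw new TenantScopingError(`tenant_id must be the first binding: ${sql}`);
      }
      const stmt = db.prepare(sql);
      // Callers pass only their own params; the tenant is bound here.
      return { bind: (...params) => stmt.bind(tenantId, ...params) };
    },
  };
}

// Constructed in-memory stand-in for D1. Supports only
// `SELECT * FROM <table> WHERE a = ? AND b = ?` with equality predicates.
class MemoryD1 {
  constructor(tables) { this.tables = tables; }
  prepare(sql) {
    const m = /^SELECT \* FROM (\w+) WHERE (.+)$/i.exec(sql.trim());
    if (!m) throw new Error(`unsupported SQL in stand-in: ${sql}`);
    const cols = m[2].split(/\s+AND\s+/i).map((c) => {
      const p = /^(\w+)\s*=\s*\?$/.exec(c.trim());
      if (!p) throw new Error(`unsupported predicate: ${c}`);
      return p[1];
    });
    const rows = this.tables[m[1]] ?? [];
    return {
      bind: (...params) => ({
        all: () => ({
          results: rows.filter((r) => cols.every((c, i) => r[c] === params[i])),
        }),
      }),
    };
  }
}

// Constructed sample data: contract 1 belongs to tenant A, contract 2 to tenant B.
const db = new MemoryD1({
  contracts: [
    { id: 1, tenant_id: 'tenant-a', title: 'NDA' },
    { id: 2, tenant_id: 'tenant-b', title: 'MSA' },
  ],
});

// Application-level lookup: note the caller binds only the contract id.
function getContract(tenantId, contractId) {
  return tenantDb(db, tenantId)
    .prepare('SELECT * FROM contracts WHERE tenant_id = ? AND id = ?')
    .bind(contractId)
    .all().results;
}

// True when the wrapper refuses the statement outright.
function isRefused(tenantId, sql) {
  try {
    tenantDb(db, tenantId).prepare(sql);
    return false;
  } catch (e) {
    return e instanceof TenantScopingError;
  }
}
```

With this in place, `getContract('tenant-b', 1)` returns no rows even though contract 1 exists, and a query written without the tenant predicate fails at `prepare` time rather than silently returning another tenant's data. INSERT statements would need a separate helper that injects the `tenant_id` column; this wrapper covers the read/update/delete path.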
Infrastructure
| Item | Status | Detail |
|---|---|---|
| Hosting | Cloudflare | Workers, Pages, D1, R2, KV |
| DDoS protection | Cloudflare | Included on all plans |
| WAF | Cloudflare | Managed ruleset on API Worker |
| Backups (database) | Live | D1 point-in-time recovery, 30-day window |
| Backups (files) | Live | R2 versioning; cross-region replication on Business+ |
Observability
| Item | Status | Detail |
|---|---|---|
| Platform audit log | Live | Every admin and billing event persisted to D1 |
| Error tracking | Live | Sentry on client + server |
| Request logs | Live | Cloudflare Logpush, 30-day retention |
Availability
| Item | Status | Detail |
|---|---|---|
| Target uptime | 99.9% | Best-effort, measured monthly |
| Status page | Coming soon | status.creav.io |
| Incident response | Live | 72-hour breach notification per DPA §7 |
Sub-processors
creavio engages the following sub-processors to operate the Platform. The canonical list lives at /legal/subprocessors and is governed by our Data Processing Addendum.
| Sub-processor | Purpose |
|---|---|
| Cloudflare, Inc. | Hosting, CDN, D1 database, R2 file storage, KV, DNS |
| Stripe, Inc. | Payment processing, subscription billing (PCI DSS Level 1) |
| Resend, Inc. | Transactional + marketing email delivery |
| Telnyx, Inc. | SMS + MMS delivery |
| Anthropic, PBC | AI features (copy, SEO optimizer, AI Insert) |
| OpenAI, L.L.C. | AI features (select admin tooling) |
| DataForSEO | Keyword research and SERP data for the SEO suite |
| Google LLC | GSC + GA4 data import (opt-in), Google SSO |
Compliance
| Framework | Status | Detail |
|---|---|---|
| GDPR | In scope | DPA + SCCs for EEA/UK transfers |
| CCPA / CPRA | In scope | DSAR at privacy@creav.io; GPC honored |
| DMCA | Live | Designated agent registered with U.S. Copyright Office |
| CAN-SPAM | Live | Footer enforcement + unsubscribe on all marketing email |
| PCI DSS | Stripe | Card data never touches creavio servers |
| SOC 2 Type II | Planned | Targeting audit once we cross 100 paying customers |
Responsible disclosure
If you believe you've found a security vulnerability in creavio, email security@creav.io.
We respond to all reports within 2 business days. We don't run a paid bounty program yet, but we credit researchers (with permission) in our security advisories.
- Report in plain text; avoid automated scanners on production.
- Don't access other tenants' data. If you stumble on it, stop and report.
- Give us a reasonable window to fix before public disclosure — typically 90 days.