Cloop Security Overview
Last updated: 2026-02-15 Intended audience: Prospective and current customers evaluating Cloop's security posture
Company
Cloop is built and operated by ROFFI Oy, a Finnish customer experience consultancy. We are a small, technical team of three. Security is not a department — it's how we build.
Infrastructure
Hosting
| Component | Provider | Location |
|---|---|---|
| Application server | Hetzner Online GmbH | Helsinki, Finland (EU) |
| Database | Self-managed on Hetzner VPS | Helsinki, Finland (EU) |
| Cache / state store | Self-managed on Hetzner VPS | Helsinki, Finland (EU) |
| Object storage (documents) | Hetzner S3-compatible | Helsinki, Finland (EU) |
| TLS certificates | Let's Encrypt | Automated renewal |
| DNS | Hetzner DNS | EU |
All data is stored and processed exclusively within the European Union.
Network
- All public traffic is encrypted via TLS 1.2+ (HSTS enforced)
- Database and cache services are not exposed to the network
- Strict firewall rules — only necessary ports open
- The application runs behind a reverse proxy
- Server version information is not disclosed
Operating System
- Current, maintained Linux distribution with automatic security updates
- Mandatory access control (MAC) in enforcing mode
- Application runs as a dedicated unprivileged user (not root)
- Service hardening via systemd security directives
Application Security
Authentication
- OAuth 2.0 / OpenID Connect via Google, GitHub, and Microsoft
- Short-lived tokens with separate refresh tokens and revocation support
- Secure token delivery — tokens are not exposed in server logs
Authorization
- Multi-tenant isolation: Every database query is scoped by tenant ID and/or site ID
- Role-based access: Owner, Admin, Member roles with appropriate permission boundaries
- Feature gating: Tier-based feature flags enforced at the API level
- Site access control: Users can only access sites within their tenant
Input Validation
- SQL injection prevention: All database queries use parameterized queries
- XSS prevention: Widget sanitizes all rendered content
- SSRF prevention: Web crawler validates URLs against internal and reserved address ranges
- File upload security: Content-type validation, size limits, and randomized storage paths
- Widget authentication: Per-site embed token verified on every request; origin validation ensures requests come from the registered domain
- CORS: Configured for secure cross-origin widget operation; no cookie-based auth (CSRF not applicable)
- Path traversal prevention: File paths are validated and sanitized
Rate Limiting
Multi-tier rate limiting applied across all API endpoints (chat, authentication, admin, public). Limits are enforced per IP using a sliding window algorithm.
Budget Controls
- Per-tenant daily AI cost cap (configurable)
- Prevents runaway costs from abuse or misconfiguration
- All AI API calls are metered
Data Security
Encryption
- In transit: TLS 1.2+ for all connections, HSTS enforced
- At rest: Hetzner VPS uses full-disk encryption
Multi-Tenant Isolation
- Every database query includes tenant/site scoping
- No shared tables without tenant isolation
- Users cannot access data outside their tenant
- Widget API resolves site from request, scoped queries prevent cross-tenant leakage
Data Retention
- Customer data retained while account is active
- Deleted within 30 days of account termination
- Demo/trial data auto-deleted after 24 hours
- Server logs rotated after 90 days
- Audit logs retained for 12 months
AI Security
Data Flow
- Visitor message arrives at our server
- Vector similarity search runs locally (PostgreSQL + pgvector) — no external call
- Relevant content chunks + visitor message sent to Nebius AI API for response generation
- Response streamed back to visitor
What Goes to AI Provider
- Visitor message text
- Retrieved content chunks (from customer's knowledge base)
- System instructions (language, persona, phase)
- Recent conversation context
What Does NOT Go to AI Provider
- Visitor email or personal identifiers
- Account credentials or internal metadata
- Data from other tenants
AI Provider Commitment
Nebius AI Studio does not use API inputs/outputs for model training. Processing is transient.
Monitoring and Incident Response
Audit Logging
- Structured JSON audit log for authentication events (login, logout, token refresh, failed attempts)
- Site events tracking (settings changes, content operations)
- All events include timestamps, actor identification, and relevant metadata
Deployment Verification
- Automated deployment script with comprehensive pre-flight checks
- Service health endpoint verifying database and cache connectivity
- Automatic service restart on failure
Incident Response
As a small team, our process is direct:
- Detection via monitoring, logs, or user report
- Immediate assessment by the engineering team
- Containment and fix
- Notification to affected customers (within 48 hours for data breaches per DPA)
- Post-incident review and prevention measures
Security issues: security@cloop.io
Compliance
| Framework | Status |
|---|---|
| GDPR | Compliant — Finnish company, EU data processing, DPA available, data subject rights supported |
| ePrivacy Directive | Widget uses localStorage (not cookies) for visitor identification |
| SOC 2 | Not yet — planned as customer base grows |
| ISO 27001 | Not yet — planned as customer base grows |
Security Assessments
We conduct regular internal security audits covering:
- Backend API security (injection, authentication, authorization)
- Frontend and widget security (XSS, CSRF, storage)
- Infrastructure security (network, OS, services)
- Database security (isolation, access control)
- Deployment security (secrets management, hardening)
Our most recent audit (February 2026) found no critical issues, with all high-severity findings addressed or mitigated.
Responsible Disclosure
If you discover a security vulnerability in Cloop, please report it to security@cloop.io. We appreciate responsible disclosure and will:
- Acknowledge receipt within 24 hours
- Provide an initial assessment within 72 hours
- Work with you on disclosure timing
- Credit you (if desired) when the fix is published
We do not currently offer a bug bounty program.
Questions
For security-related questions or to request additional information for your security review:
Email: security@cloop.io General: legal@cloop.io