Security

v1.0 · 2026-05-02 · Continuously updated

Encryption

All production data is encrypted at rest and in transit. Voice recordings, when enabled, use encrypted storage with limited retention.

Authentication

Protected account sign-in is required for the console. Hardware MFA is strongly recommended on owner accounts. Owner-only operations are gated by approved identity and launch controls.

Audit logging

Clemind AUM actions, CAMA reviews, and sensitive console events are logged with trace context. Voice calls, when enabled, follow the published retention policy. Audit logs are append-only.

Threat model

The threat model is STRIDE-based; the top 10 attack vectors it identifies are mitigated. It is documented in our public repo at legal/THREAT_MODEL.md and reviewed annually.

Incident response

Documented 5-phase runbook: detect → contain → eradicate → recover → lessons. Notification within 72 hours per GDPR Article 33 if your account data is impacted. Postmortems published.

Disaster recovery

Recurring encrypted backups are maintained separately from the primary production environment. Target recovery posture: RPO 7 days, RTO approximately 4 hours.

Compliance status

  • GDPR Article 32 (technical security): ✅ encryption + access controls + audit + IR runbook.
  • GDPR Article 33 (breach notification ≤72h): ✅ documented runbook.
  • CCPA right-to-delete + Do-Not-Sell: ✅ self-serve in Settings.
  • SOC 2 Type 2: ⏳ targeted 2027 H1.
  • HIPAA: ❌ not supported (do not submit PHI).

Responsible disclosure

Found a vulnerability? Email security@clemindaum.com. We acknowledge within 24h, triage within 48h, fix critical issues within 7 days. Hall-of-fame credit available; no formal bounty program yet (planned at $250K MRR).

See also: Privacy Policy · Terms · Cookie Policy