Built to be trusted.
By your security team, and by the machines.
CLEO connects to your CMS, your search and analytics, audits and publishes content, and tracks how AI engines cite your brand. That means we hold access, and we take it seriously.
Here is how we protect your data. What is established, and what we are still strengthening. We would rather you see both.
IDENTITY & ACCESS
A verified core
Delegated identity, no passwords. All sign-in is handled by a specialist identity provider using signed, verified tokens. CLEO stores no passwords of its own.
Encrypted credentials. The credentials we need to publish on your behalf are encrypted at the application layer using authenticated encryption and a strong key-derivation function. If our keys are absent, the service fails closed.
Controlled egress. Every response passes through a multi-pass scrubber that strips internal detail and personal data before anything leaves our service, with an automated guard that prevents regressions.
Tenant isolation. Your data is isolated per project. The acting identity is always taken from a verified token, never from the request itself, and every read and write is scoped to your own projects.
Isolated hosting. CLEO runs in a dedicated cloud account with production and staging fully separated. Billing is handled by a PCI-certified provider; we never store card data.
ENCRYPTION
Protected in transit, at rest, and at field level
In transit: a modern minimum TLS version, with a full set of browser security headers: strict transport, content-security policy, frame and content-type protections.
At rest: encryption across all managed data stores at the cloud-platform layer; provider attestations available on request.
At field level: sensitive credentials encrypted in the application with authenticated symmetric encryption and an iterated key-derivation function.
AI & YOUR DATA
Your content stays yours
Your content is never used to train third-party AI models. We use AI providers only on their paid, commercial API terms, under which client inputs and outputs are not used to train their models. We do not use free tiers that would permit it.
We do not train our models on your campaigns. If that ever changes, it will be strictly opt-in: you will be asked first, and you may decline and continue to use CLEO in full.
Your CMS credentials never leave for AI or search vendors. Only the marketing and content data required for a task is sent to generate or analyse content.
EXCLUSIONS
What we never hold
Payment-card data: card handling is delegated entirely to a PCI-certified provider.
Passwords for your users: identity is delegated.
Clinical records, patient files, or claims data: CLEO works with marketing data and is not a system of record for any such data.
HOSTING
Hosting and data residency
Production data is hosted in the cloud region we agree with you. Available regions include the United States of America (New York), Australia (Sydney), the United Kingdom (London), and India (Mumbai). Where you have a residency requirement, your data is provisioned and stored in that region, and operational telemetry is processed in-region. Automated backups and point-in-time recovery are in place, with a web application firewall at the edge and container image scanning on every deployment.
ASSURANCE
Where we stand, plainly
CLEO has completed an internal SOC 2 Type 1 readiness assessment across all five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. We are not yet independently audited: no external firm has issued an opinion, and an independent assessment is on our roadmap. We state this plainly, because a security team is best served by a vendor that knows exactly where its strengths and boundaries are.
Subprocessors are bound by data-processing agreements. The named subprocessor list, their regions, and current attestations are available on request.
FOR REVIEWERS
Request the full overview
A full Security & Trust Overview, architecture and data-flow, control matrix, data inventory, subprocessor list, data-processing agreements, and our enhancement roadmap, is available under controlled review. We are glad to host a technical walkthrough with your team and to complete any security questionnaire your process requires.
Contact: connect@regencleo.ai
We would rather you see the full picture than a polished summary. That is the posture.