Skip to main content

Trust

Procurement pack

One shareable packet for procurement and legal review: security, privacy, subprocessors, deletion handling, and service status.

Open security source page
Open privacy source page

Last updated: March 23, 2026 (America/Los_Angeles)

Direct diligence answers

These answers are kept blunt on purpose so reviewers do not have to infer posture across multiple pages.

SOC 2 report available?

No public SOC 2 report is published on this site today.

We are continuing to mature our security and operational controls. Formal attestation may be pursued in the future, but there is no report available today.

DPA available for download?

A public DPA review draft is available at /dpa, but no approved execution copy is published for download today.

Use support for signatures or redlines. The /dpa page is the current standard-form review draft and includes print-to-PDF export for internal review, but it is not the executed signature copy.

Review DPA draft

How is data retention handled?

Portal-scoped app records are retained for app operation and support review until they are updated, deleted, or offboarded.

Current repo docs also show active pruning for OAuth state records at 10 minutes and ops events at 30 days, plus backup retention that can preserve deleted portal rows for up to 30 days.

How are incidents communicated?

Service updates are posted on /status, and portal-specific follow-up continues through the support mailbox.

Status and uptime now separate service degradation from status-feed failures so buyers can tell which layer is failing.

What are support hours?

Monday-Friday, 9:00 AM to 5:00 PM America/Los_Angeles.

Email-first via support@clevercat.app. Coverage is limited on weekends and US holidays.

What are the response targets?

General support first response target: within 1 business day.

Production-blocking issues with no viable workaround are prioritized with a first response target of within 4 business hours during support hours. Docs, pricing, and low-severity questions target a first response within 2 business days.

How to use this packet

Share this page internally for procurement review. Each section summarizes current posture and links to the canonical trust surface.

1) High-level data flow

  1. HubSpot admins install an app and authorize required OAuth scopes.
  2. Runtime requests execute with portal context in CleverCat app services.
  3. CleverCat stores minimal portal-scoped operational metadata needed for app behavior and support.
  4. Health, status, and trust surfaces publish operational visibility on this site.

Canonical source: Security page.

2) Data stored and retention posture

  • OAuth token records are stored per portal for authenticated API access; in OAuth mode token records are encrypted at rest.
  • Stored app data is limited to documented app behavior (DupliCat settings, PressKit profile/publish metadata, TabCalendar config and import metadata).
  • DupliCat clone operations process CRM record data in server memory only. Property values are never written to disk, cached, or logged. After the response completes, all in-memory CRM data is discarded. DupliCat does not provide a separate per-run customer-facing audit trail. CleverCat retains minimal operation records for support and operational review. Clone operation records contain only record IDs, object type, status, and configuration flags. Those records exclude property names and property values.
  • Active prune windows currently documented in repo: OAuth state records after 10 minutes, and ops-event records after 30 days.
  • Portal-scoped app records are otherwise retained until settings change, data is offboarded, or manual cleanup runs.
  • Current DupliCat runbooks describe daily backups with 30-day retention, so deleted portal rows can remain recoverable from backups until that window expires.
  • Full CRM payload backups are not maintained by CleverCat; HubSpot remains system of record.

Canonical source: Privacy page.

3) Subprocessors and change policy

  • Current listed subprocessors: Cloudflare for site delivery, Google for public-site fonts/analytics, HubSpot for app workflows, and Google (optional) for TabCalendar calendar import.
  • Material subprocessor changes are reflected on the public subprocessor page with updated timestamp.
  • Subprocessor disclosures are updated before introducing a new production processor.

Canonical source: Subprocessors page.

4) Standard DPA draft and execution path

  • Standard-form DPA review draft: /dpa.
  • Signatures, customer legal entity details, and redlines are handled manually through support.
  • The draft helps procurement review start in parallel with security and privacy review.

Canonical sources: DPA and Support.

5) Deletion request procedure

  • Send request to support@clevercat.app from an authorized account email.
  • Subject line: Data Deletion Request.
  • Include HubSpot portal ID and ownership context for verification.
  • After verification, CleverCat purges stored portal token records, app settings, and app-side records.

Canonical sources: Privacy and Support.

6) Status and uptime references

  • Service status page: /status
  • Uptime monitor: /uptime
  • Service updates are posted on /status.
  • Portal-specific follow-up continues through support.

7) Support expectations

  • Email-first via support@clevercat.app.
  • Monday-Friday, 9:00 AM to 5:00 PM America/Los_Angeles.
  • General support first response target: within 1 business day.
  • Production-blocking issues with no viable workaround are prioritized with a first response target of within 4 business hours during support hours.

PDF export (optional)

Use the button below to open your browser print dialog and save this packet as PDF for internal circulation.

Need a trust follow-up?

Send procurement/security follow-ups through support with your portal context so answers can stay app-specific.

Contact support
Open DPA draft