Security overview

How ClimbVista protects your data and your customers. One page — for procurement and security reviews.

Last updated: 2026-06-21

Hosting and region

The application runs on Vercel with primary region São Paulo (gru1). The database is Neon (PostgreSQL) in the same region. Data never leaves Brazil / Chile in normal operation except to contracted sub-processors.

Encryption

TLS 1.3 in transit. At rest, provider-managed AES-256 (Vercel, Neon, Cloudflare KV). Database connections are encrypted (SSL/TLS) with credentials scoped per environment.

Authentication and authorisation

Access control is enforced server-side on every request. Customer team access is governed by site-scoped roles (ANALYST / EDITOR / ADMIN) applied to all mutations. Public API: bearer tokens are stored only as SHA-256 hashes; each key carries its own scopes; a 60-request-per-minute rate limit applies per key; revocation and expiry are supported.

Audit logging

Every privileged action (login, API-key create/revoke, webhook mutation, crawl trigger, edge-policy toggle, team-member change) is recorded to an append-only activity & audit log with actor, IP, user-agent, and metadata. Retained per customer requirements.

Monitoring and uptime

Every Enterprise domain is probed every 5 minutes. Daily uptime aggregates are available to the customer via admin panel, public API, and an optional public status page at /status/<domain>.

Secrets and key management

Secrets held in Vercel environment variables, scoped per environment. Webhook signing secrets and API-key hashes are salted and never returned via API after creation.
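The two paragraphs above (public API keys and their salted hashes) describe a verification path without showing it. The following is an added example, not ClimbVista's code: it assumes a token layout of `cv_<keyId>_<secret>` so that the stored record can be found by key id and the per-key salt applied before the SHA-256 comparison, an in-memory key store and request window standing in for the database, and the names `issueKey`, `revokeKey` and `authorize`, all of which are assumptions. It demonstrates each check the page lists (hash-at-rest comparison, scope, revocation, expiry, 60-per-minute limit) and returns a labelled result so callers can log the precise failure.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Stored record for one API key (assumed schema; only salt + hash, never the secret).
interface ApiKeyRecord {
  keyId: string;
  salt: string;        // per-key random salt, hex
  secretHash: string;  // hex SHA-256(salt || secret)
  scopes: Set<string>;
  revoked: boolean;
  expiresAt: number;   // epoch ms
}

const RATE_LIMIT = 60;     // requests per key ...
const WINDOW_MS = 60_000;  // ... per minute

// In-memory stand-ins for the database / KV tables.
const keys = new Map<string, ApiKeyRecord>();
const hits = new Map<string, number[]>();

function hashSecret(salt: string, secret: string): string {
  // Plain SHA-256 is adequate here because the secret is 256 bits of randomness,
  // not a user-chosen password; the salt prevents cross-key hash matching.
  return createHash("sha256").update(salt + secret).digest("hex");
}

// Issue a key. The plaintext token is returned exactly once and is never stored.
function issueKey(keyId: string, scopes: string[], ttlMs: number, now = Date.now()): string {
  const secret = randomBytes(32).toString("hex"); // hex: no "_" to clash with the delimiter
  const salt = randomBytes(16).toString("hex");
  keys.set(keyId, {
    keyId, salt, secretHash: hashSecret(salt, secret),
    scopes: new Set(scopes), revoked: false, expiresAt: now + ttlMs,
  });
  return `cv_${keyId}_${secret}`; // assumed token layout
}

function revokeKey(keyId: string): void {
  const rec = keys.get(keyId);
  if (rec) rec.revoked = true;
}

type AuthResult = "ok" | "bad_token" | "revoked" | "expired" | "forbidden_scope" | "rate_limited";

// Verify a bearer token for one request needing `requiredScope`.
function authorize(bearer: string, requiredScope: string, now = Date.now()): AuthResult {
  const parts = bearer.split("_");
  if (parts.length !== 3 || parts[0] !== "cv") return "bad_token";
  const [, keyId, secret] = parts;
  const rec = keys.get(keyId);
  if (!rec) return "bad_token";

  // Constant-time comparison of the recomputed hash against the stored one.
  const given = Buffer.from(hashSecret(rec.salt, secret), "hex");
  const stored = Buffer.from(rec.secretHash, "hex");
  if (given.length !== stored.length || !timingSafeEqual(given, stored)) return "bad_token";

  if (rec.revoked) return "revoked";
  if (now >= rec.expiresAt) return "expired";
  if (!rec.scopes.has(requiredScope)) return "forbidden_scope";

  // Sliding one-minute window of accepted requests for this key.
  const window = (hits.get(keyId) ?? []).filter((t) => now - t < WINDOW_MS);
  if (window.length >= RATE_LIMIT) {
    hits.set(keyId, window);
    return "rate_limited";
  }
  window.push(now);
  hits.set(keyId, window);
  return "ok";
}
```

The lookup is keyed on the key id embedded in the token, which is what makes a per-key salt workable: the server never has to scan every stored hash. Authentication is checked before the rate limit so that an attacker cannot exhaust a legitimate key's quota by sending invalid tokens under its id, and the distinct result values map directly onto the audit-log events the page describes.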

Sub-processors

Vercel (hosting), Neon (PostgreSQL), Cloudflare (DNS + edge KV), Fly.io (on-demand page rendering), OpenAI (AI analysis — ephemeral, not used for training), Resend (transactional email). 30-day notice for any addition.

Backups and disaster recovery

Neon point-in-time recovery (7 days). Schema migrations are versioned in source. Edge policies are distributed via Cloudflare KV and continue to be served if the origin is down.

Vulnerability management

Dependencies and security advisories are monitored and patched promptly, with CRITICAL / HIGH issues prioritised. Independent penetration testing can be arranged for Enterprise procurement on request.

Personnel

Access to production data is limited to authorised personnel under written confidentiality, on a least-privilege basis.

Data subject and regulator requests

Single intake address: info@climbvista.com. We assist the Controller within 30 days, faster for regulator-driven requests.