Security at Clappia

Introduction

Clappia is a secure, serverless no-code platform designed for enterprises and SMBs to build and deploy business applications rapidly. Security is at the core of our architecture, processes, and operations. This document outlines the various security controls, compliance measures, and best practices that make Clappia an enterprise-ready platform trusted across regulated and security-sensitive industries.

1. Infrastructure Security

Network Architecture and Segmentation

  • Clappia’s infrastructure is built entirely on a serverless architecture using AWS-managed services such as Lambda, API Gateway, DynamoDB, S3, and Step Functions, which eliminates the risks associated with traditional server and network maintenance.
  • Each microservice is functionally decoupled and designed with the principle of least privilege. Access between services is defined using fine-grained IAM roles, ensuring only authorized services can interact with specific APIs or databases.
  • All APIs are exposed only via Amazon API Gateway with custom Authorizers, which acts as a secure boundary with capabilities for request validation, throttling, and authentication.
  • Inter-service communication happens through event-driven triggers, completely avoiding lateral movement risks commonly seen in monolithic or EC2/VPC-based setups.

Protection Against DDoS and Malicious Traffic

Clappia’s application layer is protected from automated abuse, bots, DoS and DDoS attacks through a multi-layered security strategy:

  • Cloudflare Turnstile is integrated into the user interface to block bot traffic and validate human users before reaching the backend.
  • All APIs are protected via AWS WAF, which filters requests based on known attack patterns like SQL injection, XSS, and request floods.
  • API Gateway throttling ensures that each endpoint is limited by maximum request rates and burst capacity, preventing brute-force and flood-based attacks.
  • Backend Lambda functions are capped with reserved concurrency settings to ensure critical system resources are not overwhelmed, even during unexpected traffic spikes.

This layered defense ensures that malicious traffic is blocked at the edge, preserving availability and performance for legitimate users.

Service Continuity and Uptime Architecture

Clappia’s use of managed services enables a highly resilient and self-healing infrastructure. Unlike traditional setups that rely on EC2 or load balancers, Clappia relies on:

  • AWS Lambda and API Gateway, which are inherently multi-AZ and automatically scalable.
  • DynamoDB and S3, which offer regional replication and automatic failover with no customer intervention required.
  • Decoupling of each service component via queues, streams, and state machines, which provides graceful degradation during high load or partial failures.
  • CloudWatch metrics and alarms on all production services, with 24x7 monitoring by Clappia’s SRE team to ensure fast response and automated incident handling.

Clappia maintains an uptime SLA of over 99.9%, with full transparency and audit trails for all platform outages and recovery events.

Cloud & Region Flexibility

Clappia supports the unique needs of enterprises that require specific cloud vendors or regional hosting due to regulatory, data sovereignty, or internal compliance mandates.

  • While the default hosting is on AWS India (ap-south-1), Clappia can also deploy on Microsoft Azure or Google Cloud Platform based on enterprise requests.
  • Customers can specify their preferred geographic region (e.g., Europe, US, Middle East, Australia) for data hosting during onboarding.
  • Each customer's Workplace is logically isolated, and cloud resources are provisioned accordingly — ensuring tenant data and apps are not commingled.
  • This flexibility helps enterprises comply with data residency laws (e.g., GDPR, IT Rules India) and internal IT policies around cloud vendor usage.

Encrypted Infrastructure Services

All of Clappia’s infrastructure services are protected with encryption both at rest and in transit:

  • DynamoDB, Amazon S3, and CloudWatch Logs are encrypted at rest using AES-256 encryption, managed through AWS Key Management Service (KMS).
  • Communication between services and with external clients is secured using TLS 1.2+, enforced at the API Gateway and internal service layers.
  • Encryption keys are securely managed by AWS KMS with automatic rotation and strict IAM access policies.
  • Access to infrastructure services is audited using AWS CloudTrail, with alerts configured for unauthorized access attempts or key misuse.

2. Data Security

Secure by Design Development Principles

Security is not an afterthought at Clappia — it is integrated from the earliest phases of design. All application and infrastructure components are built with a “secure by default” mindset.

  • Threat modeling is performed during architectural planning to identify potential vulnerabilities and mitigate them proactively.
  • Least privilege is the default — every service and developer is granted only the minimum access necessary.
  • Static code analysis and secret detection tools are integrated into the CI/CD pipeline to prevent unsafe code and exposed credentials.
  • All endpoints are designed to validate input thoroughly and respond gracefully to malformed or malicious requests, reducing the attack surface.

Data Isolation Between Workplaces

Clappia operates on a multi-tenant architecture, where each customer’s data resides in a logically isolated environment called a Workplace.

  • Data from one Workplace is never accessible to users or automations from another Workplace.
  • API requests are scoped and authenticated at the Workplace level. Any unauthorized access attempt is denied and logged.
  • Within a Workplace, admins can define fine-grained permissions — controlling access to apps, submissions, modules, and even form fields on a per-user basis.
  • This robust isolation ensures data confidentiality across all tenants and prevents horizontal privilege escalation.

Encryption for Data in Transit

All data transmitted within and across Clappia’s systems is encrypted using strong transport layer protocols to prevent eavesdropping, tampering, or man-in-the-middle attacks.

  • TLS 1.2 or higher is enforced across all public endpoints, internal APIs, and service-to-service calls.
  • The platform’s frontend is served via AWS CloudFront, with SSL certificates managed by AWS Certificate Manager (ACM) to ensure secure and up-to-date TLS configuration.
  • Backend APIs are accessed through Amazon API Gateway, which also uses ACM-issued certificates for HTTPS enforcement.
  • All services — web, mobile, backend — are accessible only via HTTPS. HTTP traffic is automatically redirected or blocked.
  • TLS configurations are hardened (no SSLv3, no weak ciphers), and headers like HSTS (HTTP Strict Transport Security) are included where applicable.

This ensures that every data packet sent between users and the platform, or between internal services, is encrypted and protected from unauthorized access.

Encryption for Data at Rest

All data stored on Clappia’s infrastructure — including user content, configurations, and metadata — is encrypted at rest using strong cryptographic standards.

  • AES-256 encryption is applied across all storage layers, including:
    • DynamoDB for structured app data
    • Amazon S3 for file uploads and exports
    • CloudWatch Logs for runtime and audit data
  • Encryption is handled using AWS Key Management Service (KMS), which provides:
    • Automatic key rotation
    • Key usage logs via AWS CloudTrail
    • Granular IAM-based access control, restricting who can decrypt what
  • Clappia does not manage encryption keys manually — all keys are created and rotated by AWS KMS following industry best practices.
  • Temporary files, backups, and snapshots also inherit the same encryption guarantees.

This ensures that even in the unlikely event of a physical breach or misconfigured access, the underlying data remains unreadable and secure.

Data Retention and Disposal Policies

Clappia follows a deliberate and transparent approach to data retention, prioritizing long-term data availability, manual control by the customer, and compliance with applicable regulations.

  • By default, Clappia does not auto-delete any user data. All app submissions, configuration data, files, and metadata are retained indefinitely unless manually archived or removed by the customer.
  • If a customer formally requests deletion of a Workplace, Clappia initiates a 30-day hold period:
    • During this period, all associated data — apps, users, submissions, and files — is marked for deletion but can be recovered upon request.
    • After 30 days, data is permanently and irreversibly deleted using AWS-native secure deletion standards (DynamoDB, S3).
  • Clappia supports data export and deletion processes in accordance with regulations like GDPR and IT Rules (India). Upon request, we can provide:
    • Complete data exports in machine-readable formats
    • Verified deletion confirmations for users or Workplaces

Archival and Recovery Options

Customers can manually archive inactive data to reduce clutter while maintaining full control over recovery:

  • Archived apps can be restored by admins within 30 days of archival.
  • Archived submissions can be recovered for up to 6 months after being archived.
  • Archived data is never deleted automatically and remains encrypted and protected during the archival window.

Point-In-Time Recovery (PITR)

To safeguard against accidental deletions or system-level corruption, Point-In-Time Recovery is enabled for all production-critical databases:

  • PITR on AWS DynamoDB allows Clappia to restore data to any second within the last 35 days.
  • This enables rapid rollback of app logic, records, or system state in case of human error or service disruption.
  • PITR data is encrypted, monitored, and restored only upon verified request by the security or platform engineering team.

Database and Object Store Security

Clappia leverages AWS-native security to protect all structured and unstructured data.

  • DynamoDB tables are encrypted, access-controlled using fine-grained IAM policies, and monitored continuously.
  • S3 buckets are private by default, and public access is completely disabled at both the bucket and object level.
  • Access to files and data is logged, and suspicious read/write patterns are flagged using AWS GuardDuty and CloudTrail insights.
  • Object URLs expire automatically to prevent unauthorized reuse or sharing.

3. Application Security

Secure Development Lifecycle (SDLC) Practices

Clappia’s engineering team follows a secure-by-default development workflow:

  • All new features go through threat modeling, including misuse case analysis and potential abuse scenarios.
  • Code changes are reviewed via mandatory peer reviews, with focus on access control, input validation, and architectural risk.
  • CI/CD pipelines are integrated with static application security testing (SAST) tools to detect secrets, insecure functions, and known patterns of unsafe code.
  • Changes are validated in staging environments with production parity, including user permission simulations and data isolation tests.

Runtime Input Handling & Injection Protection

To prevent client-side and server-side injection attacks, all user inputs are rigorously validated and escaped:

  • All form inputs and API payloads are passed through strict schema validation using industry-tested libraries.
  • HTML/JS injection is blocked through auto-escaping and sanitization across templates, frontend rendering engines, and internal tools.
  • All queries to storage and analytics systems are performed using parameterized logic, with zero raw query execution.
  • Application workflows are designed to reject unexpected or unverified parameters at all levels — including hidden fields, metadata, or indirect access paths.

Session & Token Management

Clappia uses a robust OAuth2-based token system to manage authentication and session state across devices and clients:

  • Access tokens are short-lived, while refresh tokens are stored with HttpOnly and Secure flags in web browsers.
  • Mobile apps store tokens in secure storage (e.g., Keychain for iOS, EncryptedSharedPreferences for Android).
  • Session expiration policies are enforced globally, and invalidated automatically on logout or detected anomalies.
  • Device fingerprinting and token scope logic prevent reuse across different browsers or networks.

Password Hashing & Storage Security

User credentials are protected using modern password hashing best practices:

  • Clappia uses bcrypt with strong salting and cost factors to hash all user passwords.
  • No plaintext passwords are ever stored — not even in logs or during migrations.
  • Password changes are accompanied by token revocation and event logging for traceability.
  • The system is designed to support hash upgrades in-place as stronger standards emerge.
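The in-place hash upgrade mentioned above is usually implemented as "verify, then re-hash if the stored parameters are below current policy". The following is an added example, not Clappia's code: the page states Clappia uses bcrypt, while this stand-in uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs without third-party packages; the storage format string, the iteration counts and the function names are assumptions for the example only.

```python
# Added example (not Clappia's code): verify a stored password hash and
# transparently re-hash it when its work factor falls below current policy.
# Stand-in: PBKDF2-HMAC-SHA256 from the stdlib instead of bcrypt; the same
# verify-then-upgrade pattern applies to bcrypt cost factors.
# Assumed storage format: "pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>"
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # policy target; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Hash with a fresh random salt and the given work factor."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash algorithm")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored string."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True when the stored hash was produced with a weaker work factor than policy."""
    iterations, _, _ = _parse(stored)
    return iterations < CURRENT_ITERATIONS


def login(password: str, stored: str):
    """Return (ok, new_hash). new_hash is set only when the stored hash was upgraded.

    The plaintext is only available at login time, so this is the one moment a
    legacy hash can be replaced; nothing here writes the plaintext anywhere.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)   # caller persists the upgraded hash
    return True, None
```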

Third-party Library and Build-time Security

Clappia takes a conservative, security-first approach to open-source usage:

  • All packages and libraries (npm, pip, etc.) are pinned to specific versions, and automatic updates are not allowed without audit.
  • CI builds include Software Bill of Materials (SBOM) generation and dependency diffing to track changes.
  • Libraries are scanned for known vulnerabilities using tools like npm audit, Snyk, and AWS dependency vulnerability feeds.
  • Build artifacts are signed and verified before deployment, ensuring supply chain integrity.

4. User Identity & Access Controls

Authentication Mechanisms (SSO, Email Login)

Clappia supports a variety of secure login methods tailored for both enterprise and smaller organizations:

  • Users can authenticate using standard email-password login or Single Sign-On (SSO).
  • Supported SSO options include Google Workspace, Microsoft Azure Active Directory, SAML 2.0, and custom OpenID Connect (OIDC) providers.
  • Users can also authenticate using their phone numbers and OTP.
  • Enterprise customers can enforce login only via their IdP, enabling centralized user provisioning and deprovisioning.
  • SSO-based sessions support auto-mapping of user roles based on SAML attributes or OIDC claims.

Multi-Factor Authentication (MFA)

To safeguard against credential theft, Clappia allows each Workplace to enforce MFA policies:

  • Supported methods include OTPs over email or phone numbers.
  • MFA can be made mandatory for all users.
  • Users are prompted to enroll in MFA during onboarding or when Workplace policy changes.
  • In case of lost access, MFA resets follow a strict identity verification process and audit trail.

Workplace-specific Login Rules & Security Policies

Every Workplace on Clappia can define its own access policies to enforce organization-specific security standards:

  • Custom password policies including minimum length, character rules, expiry durations, and reuse restrictions.
  • Session control settings, such as idle session timeouts, login attempt limits, and simultaneous session caps.
  • IP whitelisting to restrict access to trusted corporate networks.
  • Optionally, logins can be restricted to verified email domains or pre-approved user invitations.

Custom Access Control Model & App Permissions

Clappia provides a flexible and role-driven access control system that allows administrators to precisely manage who can interact with each app, and at what level:

  • Access to apps, dashboards, and submissions is governed by a role-based model — users are explicitly assigned roles for each app, enabling contextual access.
  • The following predefined roles are available:
    • Submitter – can fill and submit forms
    • View All Data – can view submissions made by all users in the app
    • Reviewer – can approve or reject submissions based on workflows
    • Full Data Admin – can edit all submissions made by any user of the app
    • App Admin – can configure app structure, workflows, users, and permissions, and has unrestricted access to view, edit, or export any data within the app
  • Permissions at further granularity can also be configured, such as “Can view Analytics”, “Can assign Owners”, “Can clone Submissions”, etc.
  • Admins can assign different roles to the same user across multiple apps within a Workplace — enabling precise segmentation of duties.
  • All permission checks are enforced at the server level, ensuring that unauthorized access via frontend manipulation, API calls, or external tools is not possible.
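The Workplace-level scoping described under Data Isolation and the per-app roles listed above combine into one server-side check. The following is an added example, not Clappia's code: the role names are the page's own, while the data model, the action names, the role-to-action mapping and the in-memory audit log are assumptions for illustration.

```python
# Added example (not Clappia's code): server-side authorization that first
# enforces Workplace isolation and only then evaluates per-app roles.
# Role names come from the page; everything else is an assumed stand-in.
from dataclasses import dataclass, field

# Assumed mapping of each predefined role to the actions it permits in one app.
ROLE_ACTIONS = {
    "Submitter": {"submit"},
    "View All Data": {"view_all"},
    "Reviewer": {"view_all", "review"},                  # approving requires reading
    "Full Data Admin": {"view_all", "edit_all"},
    "App Admin": {"view_all", "edit_all", "export", "configure"},
}


@dataclass
class App:
    app_id: str
    workplace_id: str          # the single Workplace that owns this app


@dataclass
class User:
    user_id: str
    workplace_id: str
    roles: dict = field(default_factory=dict)   # app_id -> set of role names


@dataclass
class Decision:
    allowed: bool
    reason: str


class Authorizer:
    def __init__(self, apps, users):
        self.apps = {a.app_id: a for a in apps}
        self.users = {u.user_id: u for u in users}
        self.audit_log = []    # constructed stand-in for the real audit trail

    def _deny(self, user_id, app_id, action, reason):
        # Every denied attempt is recorded, as the page describes.
        self.audit_log.append({"user": user_id, "app": app_id, "action": action, "reason": reason})
        return Decision(False, reason)

    def authorize(self, user_id, workplace_id, app_id, action):
        """workplace_id is the tenant the authenticated session is bound to,
        never a value taken from the request body."""
        user = self.users.get(user_id)
        app = self.apps.get(app_id)
        # Tenant scoping first: the session's Workplace must own both user and app.
        # An unknown app gets the same answer as a foreign one, so existence is not leaked.
        if user is None or user.workplace_id != workplace_id:
            return self._deny(user_id, app_id, action, "user not in workplace")
        if app is None or app.workplace_id != workplace_id:
            return self._deny(user_id, app_id, action, "app not in workplace")
        # Role check: union of actions over every role held in this specific app.
        granted = set()
        for role in user.roles.get(app_id, set()):
            granted |= ROLE_ACTIONS.get(role, set())
        if action not in granted:
            return self._deny(user_id, app_id, action, "role lacks permission")
        return Decision(True, "ok")


def demo_authorizer():
    """Constructed sample tenants: two Workplaces, one app each."""
    apps = [App("expenses", "wp-A"), App("leave", "wp-B")]
    users = [
        User("alice", "wp-A", {"expenses": {"Submitter"}}),
        User("bob", "wp-A", {"expenses": {"Reviewer"}}),
        User("carol", "wp-B", {"leave": {"App Admin"}}),
    ]
    return Authorizer(apps, users)
```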

Admin Role Management and Audit Trails

Clappia ensures that administrative privileges are carefully controlled and fully auditable:

  • Admin users can be granted different scopes — e.g., app management, user management, or billing — avoiding all-powerful super-admins.
  • All critical admin actions (user invitations, role changes, app deletions) are logged in an immutable audit log.
  • Logs include metadata such as IP address, user agent, and timestamp for compliance-grade traceability.

5. Operational Security

Centralized Logging and Monitoring

Clappia maintains full observability of its platform using AWS-native logging, metrics, and alerting tools:

  • All Lambda functions, API Gateways, DynamoDB events, and error logs are captured in Amazon CloudWatch.
  • Logs are retained securely and are tamper-proof, with role-based access for audits and incident analysis.
  • Anomalous usage — like spikes in failed logins, repeated rate limit hits, or abnormal API patterns — is flagged in real-time.
  • Dashboards are monitored by Clappia’s SRE team 24x7, with alerts integrated into automated escalation channels.

Vulnerability Management and Patching

Clappia uses a proactive, continuous vulnerability lifecycle for both internal code and underlying dependencies:

  • Dependencies are scanned using tools like Snyk, npm audit, and AWS-provided CVE feeds as part of the CI/CD process.
  • Third-party packages are reviewed and version-pinned to minimize exposure to supply chain threats.
  • Vulnerability SLAs:
    • Critical: Patched or mitigated within 24–48 hours.
    • High: Patched within 5 days.
    • Medium: Addressed in regular release cycles.
  • Clappia regularly performs internal security reviews on business-critical workflows.

Malware and Spam Filtering

To protect against malicious file uploads and abuse of notification systems:

  • All file uploads are scanned via antivirus engines integrated at the edge.
  • Document previews and renderers are sandboxed to avoid RCE (Remote Code Execution).
  • In-built spam detection filters protect shared form links, email workflows, and comments/approvals in apps.
  • Outbound emails and app notifications are rate-limited and monitored to prevent misuse.

Backup and Restore Framework

Clappia ensures that customer data can be reliably recovered in case of unexpected events:

  • Automated daily backups are taken for all production DynamoDB tables and critical metadata.
  • AWS-native Point-In-Time Recovery (PITR) is enabled on core databases to allow rollback to any second in the past 35 days.
  • Backups are encrypted and stored across multiple availability zones, ensuring regional resiliency.
  • Restore processes are tested quarterly in a dedicated recovery sandbox.

Business Continuity and Disaster Recovery

To maintain platform availability under adverse conditions, Clappia has a documented and practiced Business Continuity Plan (BCP):

  • All services are deployed across multiple AWS availability zones in a given region.
  • DR plans include automated failover, manual overrides, and prioritized RTO/RPO objectives.
  • Recovery Time Objective (RTO): <2 hours
  • Recovery Point Objective (RPO): <15 minutes
  • DR simulations are conducted every quarter to validate preparedness.

6. Incident Management

Security Event Detection and Analysis

Clappia operates with a proactive monitoring and alerting framework to detect and respond to security threats in real time:

  • All logs from API Gateway, Lambda, DynamoDB, and S3 are streamed to a centralized logging service via CloudWatch.
  • Anomalies such as excessive failed logins, rate limit violations, or unexpected IP addresses trigger automated alerts.
  • Security alerts are routed to the engineering team’s on-call rotation with severity-based prioritization.
  • Analysts correlate events using metadata (IP, headers, user agent, etc.) to validate or dismiss suspicious activity.

Incident Response and Notification

Clappia follows a structured incident response protocol to ensure swift containment, investigation, and transparency:

  • Incidents are triaged into Low, Medium, and High severity categories based on potential impact and data scope.
  • Every security incident goes through:
    • Containment – isolate affected services or users
    • Root cause analysis – detailed technical investigation
    • Remediation – apply patches, restore data, revoke tokens
    • Post-mortem – documented internally with learnings
  • For notifiable incidents, Clappia provides:
    • Timely breach notifications to affected customers
    • Details on what happened, what data was involved, and actions taken
    • Guidance on customer-side steps, if needed

Responsible Disclosure Program

Clappia believes in collaboration with ethical researchers to identify and fix potential vulnerabilities before they can be exploited:

  • Security researchers can report vulnerabilities by reaching out to security@clappia.com.
  • All valid reports are acknowledged within 2–3 business days and triaged with clear timelines.

7. Organizational Security

Employee Background Checks

Clappia takes human-layer security seriously and applies strict checks before onboarding any team member:

  • All full-time employees undergo background verification covering identity, education, employment history, and any criminal records.
  • Contractors with access to sensitive infrastructure or data are similarly vetted before engagement.
  • Background checks are revalidated when employees move into privileged roles, especially in engineering, DevOps, and security.

Security Awareness and Training

Security is a shared responsibility, and Clappia ensures every team member understands their role in protecting customer data:

  • New hires undergo mandatory security onboarding, covering phishing, data classification, and secure coding (if applicable).
  • Periodic refresher courses are conducted on topics like:
    • Phishing simulation and response
    • Use of MFA and secure device configuration
    • Reporting suspicious activity
  • Specialized training is given to developers, QA engineers, and support staff who handle sensitive tasks.

Access Governance and Review Processes

Access to internal systems is tightly controlled and regularly reviewed:

  • Clappia follows a zero standing access policy — access is granted only for the duration needed, and only with approval.
  • IAM roles and permissions are reviewed quarterly for all internal tools, repositories, and AWS environments.
  • All access requests go through a ticketed approval workflow, and elevated access is logged with justification.

GDPR and Data Subject Rights

Clappia is committed to upholding the principles of the General Data Protection Regulation (GDPR) and supports customers in fulfilling their obligations:

  • Lawful Processing: Personal data is collected and processed only when there is a legal basis, such as user consent or contractual necessity.
  • Data Subject Rights: Users have the right to:
    • Access their personal data.
    • Rectify inaccurate or incomplete data.
    • Request deletion of their data ("right to be forgotten").
    • Object to or restrict processing under certain circumstances.
  • Data Handling: Clappia processes and stores personal data in compliance with GDPR, ensuring data minimization, accuracy, and integrity.
  • Privacy Policy: Detailed information on data collection, usage, and user rights is available in our Privacy Policy.

ISO 27001 Compliant Controls

Clappia is ISO/IEC 27001:2013 compliant, demonstrating our commitment to implementing a globally recognized framework for managing information security:

  • Information Security Management System (ISMS): Covers technical, organizational, and administrative controls across infrastructure, development, operations, and personnel.
  • Aligned Controls: Security controls are aligned with ISO 27001, including access management, asset control, cryptography, logging, physical security, and business continuity.
  • Risk Assessments: Conducted at least twice a year and during any major architectural or operational change.
  • Vulnerability Assessments: Internal and external VAPT assessments are mapped to ISO control families and documented within the ISMS.
  • Audit Readiness: Clappia maintains full audit readiness and supports security due diligence efforts by enterprise customers.
  • Certification: A copy of our most recent ISO 27001 certification can be shared upon request under NDA.

Customer and Regional Data Processing Agreements (DPAs)

Clappia provides standard and custom Data Processing Agreements (DPAs) to meet enterprise, public sector, and international compliance requirements:

  • Roles and Responsibilities: The DPA outlines data roles (Controller vs. Processor), retention periods, subprocessors, breach responsibilities, and rights.
  • Compliance Provisions: DPAs can include:
    • EU Standard Contractual Clauses (SCCs).
    • Indian IT Rules 2021 provisions.
    • Country-specific addenda (e.g., UAE, UK, Singapore).
  • Customization: Customers can request custom language additions or clarify edge cases in shared responsibility areas.
  • DPA Document: For more details, refer to our Data Processing Addendum.

Audit and Legal Readiness

Clappia maintains a state of continuous audit readiness:

  • Documentation: All logs, access controls, infrastructure changes, and internal decisions are archived for audit review.
  • Audit Materials: Documentation includes:
    • VAPT summaries.
    • Change management records.
    • Incident response logs.
    • Compliance questionnaire answers (for vendor security reviews).
  • Review Process: Legal and compliance reviews are handled by Clappia’s core security and executive team with defined SLAs.

9. Privacy & Data Handling

User Data Handling Transparency

Clappia is committed to transparency in how customer data is collected, processed, stored, and used:

  • Only data that is explicitly provided by users or app builders is stored — we do not track or store unnecessary metadata.
  • Data collected through forms and apps belongs entirely to the customer (Workplace) and is never shared or sold.
  • Clappia does not access customer data unless explicitly authorized for support or troubleshooting, and such access is logged and time-bound.
  • Usage data (e.g., feature analytics) is collected in an aggregated, anonymized format to improve platform performance and user experience.

Anonymization and Data Minimization

Clappia follows privacy by design principles, especially when handling analytics, backups, and log data:

  • User-generated content is stored and logged only when necessary — verbose logging is disabled in production.
  • Support and diagnostic tools anonymize sensitive values before logging or display.
  • Access to sensitive data within the company is strictly role-scoped; only support and infra engineers working on active tickets can view user data.
  • In internal analysis and system tuning, personally identifiable information (PII) is masked or excluded entirely.

10. Resources & Contact

Security Whitepaper and Disclosures

Clappia provides this security whitepaper to help enterprise customers, compliance officers, and IT security teams understand our architecture, controls, and philosophy in detail. Additional documents are also available:

  • Clappia Security Architecture Overview (technical diagrams, IAM flow, platform stack)
  • Cloud Hosting Details and Region Mapping
  • Data Residency & Processing Policies
  • Summary of Internal Controls (mapped to ISO 27001 Annex A)

These resources are available on request or through your account representative.

Vulnerability Assessment & Penetration Test (VAPT) Reports

Clappia conducts regular third-party penetration testing and vulnerability assessments with CERT-In empanelled auditors:

  • External VAPT is done at least twice per year.
  • Internal security testing is performed continuously across services.
  • A summary of the latest VAPT report — including findings, mitigation actions, and auditor info — is available for enterprise customers under NDA.

Contact the Security Team / Escalation Channels

For any of the following, please reach out to our Security Response Team:

  • Security due diligence or audit discussions
  • Compliance requests or documentation (e.g., ISO, VAPT)
  • Operational concerns, such as misconfigurations or platform behavior
  • Breach alerts or incident escalations
  • Security improvement suggestions or responsible disclosures

You can email us at security@clappia.com. All emails are triaged within 1 business day.

Report a Vulnerability (Responsible Disclosure)

If you are a security researcher or have discovered a potential vulnerability in Clappia, we appreciate your responsible disclosure:

  • Please email your report to security@clappia.com.
  • All valid reports receive an acknowledgment within 2–3 working days and are prioritized based on severity and impact.
  • Clappia values the ethical hacking community and acknowledges meaningful contributions.

Conclusion

Clappia is committed to maintaining high security and privacy standards across every layer of our platform. With continuous monitoring, regular audits, and a proactive engineering culture, we ensure our customers can rely on us to handle their critical business data securely. We invite all stakeholders to engage with our security team for assessments, validations, or custom deployment queries.