Klarv
Security

Built for Salesforce data stewardship.

Klarv focuses on automation metadata, not customer records, and applies security controls that match enterprise expectations.

OAuth & read-only access

We connect using Salesforce OAuth 2.0. Klarv performs read operations only, through the Tooling and Metadata APIs; it never creates, updates, or deletes data in your org, and it never stores Salesforce user passwords.

Metadata focused

We analyze flows, triggers, and rules. For Process Analytics, we read field history (stage changes only) to analyze business workflows. We do not store customer record content such as names, emails, or financial amounts.

Encrypted tokens

OAuth tokens are encrypted at rest (AES-256-GCM) and only handled server-side. All traffic uses TLS.

Org-scoped access

Every API request is checked against the caller's ownership of, or membership in, the organization it targets. Automation metadata and scan results are isolated per Salesforce org.

Passkey authentication

Team members can use biometric login (Face ID, Touch ID, Windows Hello) with WebAuthn passkeys. Passkeys are bound to Klarv's origin, so a look-alike site cannot replay them, which is what makes them phishing-resistant.

CSRF protection

Mutating API endpoints require CSRF tokens validated server-side against the session.

Secure sessions

User sessions are carried in HttpOnly cookies (not readable by page scripts) with SameSite protections and short expiry windows.

Security headers

HSTS, CSP, X-Frame-Options, and strict referrer policies are enforced on all responses.

Security coverage, in plain language

Klarv is built to be simple for end users and rigorous for admins and developers. Here’s what we actively protect.

Account & access
  • OAuth, magic links, or passkeys — no passwords stored by Klarv.
  • Magic links are single‑use and expire quickly.
  • Admin access is protected with TOTP.
  • Pending invites have no access until accepted.
Sessions & sensitive actions
  • Short‑lived sessions with session revocation tools.
  • Optional passkey step‑up for high‑risk actions.
  • Org switching is verified against ownership or active membership.
Data protection
  • OAuth tokens encrypted at rest (AES‑256‑GCM).
  • API keys and login tokens are stored as secure hashes.
  • We focus on automation metadata, not customer records.
Application defenses
  • CSRF protection on all state‑changing requests.
  • Clickjacking blocked and strict security headers enforced (including CSP).
  • Webhook signature verification for Stripe events.
Operational safeguards
  • Rate limits on scan frequency.
  • Database access via parameterized queries.
  • Org-level separation for automation metadata and scan results.

Security contacts

For security concerns, vulnerability reports, or compliance inquiries, contact our security team directly.