Security
Last updated: April 17, 2026
At Claper, security is a core priority. As an open-source platform, we believe transparency is the best foundation for trust.
Infrastructure Security
- EU hosting: All infrastructure is hosted on Hetzner Cloud within the European Union (Germany/Finland)
- Encryption in transit: All connections use TLS 1.2 or higher
- Encryption at rest: Data is encrypted at rest using industry-standard encryption
- Network isolation: Services are isolated using firewalls and private networks
- Regular backups: Encrypted backups are performed regularly and stored within the EU
Application Security
- Authentication: Passwords are hashed using strong, modern algorithms. Session tokens are securely generated and managed
- Input validation: All user input is validated and sanitized to protect against common web attacks (SQL injection, XSS, CSRF)
- Access controls: Role-based access ensures users can only access resources they are authorized to use
- Error monitoring: We use Sentry for real-time error detection, allowing us to quickly identify and resolve security-relevant issues
- Dependency management: Dependencies are regularly audited and updated to address known vulnerabilities
Data Protection
- Minimal data collection: We collect only the data necessary to provide the service
- No data selling: We never sell user data to third parties
- GDPR compliance: We comply with the General Data Protection Regulation
- Data residency: All primary data is stored and processed within the EU on Hetzner infrastructure
- Consent-based tracking: Marketing and optional analytics tools (Clarity, Facebook Pixel, Reddit Pixel) are only activated with explicit user consent
Open Source Advantage
Claper is 100% open source. Our entire codebase is available on GitHub for anyone to review, audit, and verify our security practices. This transparency means:
- Security researchers can review our code at any time
- Vulnerabilities can be identified and reported by the community
- Our security claims are verifiable, not just stated
Incident Response
In the event of a security incident, we follow a structured response process:
- Identification and containment: Immediately isolate affected systems
- Assessment: Determine the scope and impact of the incident
- Notification: Notify affected users within 72 hours as required by GDPR
- Remediation: Fix the vulnerability and restore normal operations
- Post-mortem: Conduct a thorough review and implement preventive measures
Responsible Disclosure
We welcome security researchers who help us keep Claper safe. If you discover a vulnerability, please report it responsibly to alex@claper.co.
Do not disclose vulnerabilities publicly until we have had a chance to address them.
Contact
For security concerns: alex@claper.co