Security & Data Protection
Last updated: April 14, 2026
Your data security is our priority. Below are the technical and organizational measures DLV Digital S.A. applies to protect data in the CleanData service.
1. Encryption
All data is transmitted over TLS 1.3 encrypted connections. Files on the server are stored with UUID names without links to original filenames. Database backups are encrypted.
2. File Handling
Uploaded files: (a) receive a random UUID name; (b) are validated by MIME-type (not just extension); (c) are limited to 50 MB; (d) are processed in an isolated environment; (e) are automatically deleted after 1 hour. File contents are never written to logs.
3. Access Control
Access to server infrastructure is restricted. The principle of least privilege is applied. Administrative interfaces are protected with additional authentication.
4. Rate Limiting & Abuse Protection
Free users: 5 uploads per hour. DDoS protection at CDN/Nginx level. All input is validated on client and server. Filename sanitization. CSRF protection.
5. AI Security
Data sent to the Claude API: only unique values from selected columns (not the entire file). API mode is used — Anthropic does not retain data for training. Results are cached in anonymized form in Redis.
6. Infrastructure
The service is deployed in Docker containers with service isolation. Nginx as reverse proxy with configured security headers (HSTS, CSP, X-Frame-Options). CORS restricted to document.dlv.do.
7. Monitoring & Logging
Structured logging via structlog. Availability and performance monitoring. Logs do not contain personal data or user file contents. Log retention: 90 days.
8. Incident Response
In case of a data breach: affected users and supervisory authorities are notified within 72 hours (GDPR Art. 33); the vulnerability is investigated and remediated; an incident report is published.
9. Responsible Disclosure
If you discover a vulnerability in the service, report it to security@dlv.do. We guarantee: acknowledgment within 48 hours; investigation within 10 business days; no legal action for good-faith disclosure.