Security at clipt.ai
Last updated · April 19, 2026
Responsible disclosure
If you believe you've found a security vulnerability in clipt.ai, email security@clipt.ai. We respond within 48 hours. We don't have a paid bug bounty yet, but we publicly credit researchers who report in good faith, and we will absolutely not pursue legal action against anyone who stays within the boundaries below:
- No social engineering of our staff or our vendors.
- No denial-of-service, spam, or brute-force testing against production.
- No accessing, modifying, or exfiltrating data that doesn't belong to you. Use your own account.
- Give us reasonable time to remediate before publicly disclosing.
Where your data lives
clipt runs on a Digital Ocean droplet (NYC region) fronted by DO Spaces (object storage) and a Neon Postgres database in AWS us-east-2. Background jobs run on the same droplet; we do not currently operate a separate worker cluster.
- Account + billing data: Neon Postgres (encrypted at rest).
- Generated videos & snapshots: DO Spaces (private buckets, signed URLs).
- Short-lived queues & rate-limit counters: Upstash Redis.
- Transactional email: Resend.
- Error + performance telemetry: Sentry.
- Product analytics: PostHog (EU-hosted).
Third-party model providers
Generation prompts and outputs transit the providers below. We send only what's required to fulfill the request — no account identifiers, no tracking pixels, no extra metadata.
- BytePlus Ark — Seedance 2.0 video + Doubao chat (scripts, ideas, enhance).
- ElevenLabs — text-to-speech voiceover.
- OpenAI Whisper (hosted or self-hosted whisper.cpp) — transcription.
- Stripe — billing (PCI-scope isolated via Checkout + Portal).
Authentication & sessions
- Sign-in via Google OAuth (Auth.js v5). No passwords to breach.
- Optional TOTP two-factor is on our Phase-11 roadmap; in the meantime we strongly recommend enabling 2FA on your Google account.
- Session cookies are HttpOnly, Secure, SameSite=Lax, and scoped to clipt.ai.
- You can revoke individual sessions or sign out everywhere from /settings/security.
- Impersonation by an admin (for support) is time-limited, cookie-scoped, shows a banner to you, and is written to an audit log.
Secrets & keys
- API keys issued to you are stored as SHA-256 hashes with a public prefix. We cannot recover the plaintext — if you lose a key, rotate it.
- Vendor credentials are stored as environment variables on the droplet, read only by the Node process, and rotated on a calendar cadence.
- We don't log request bodies or response bodies in production by default. When we do (debugging a specific bug), we scrub prompts and outputs before writing them.
Data retention & deletion
- You can export a full JSON bundle of your data at any time from /settings/account.
- You can request account deletion from the same page. We soft-delete for 30 days (in case you change your mind), then hard-delete Postgres rows and the DO Spaces prefix containing your renders.
- Stripe records are retained as required by tax and accounting law (typically 7 years). Stripe itself is the record-keeper; we only hold the metadata links.
- Audit logs are retained for 18 months for incident investigation.
What we don't do
- We don't train models on your prompts, uploads, or generated outputs.
- We don't sell user-level data to third parties.
- We don't use personal data for ad-targeting.
- We don't read your prompts for anything other than abuse moderation and customer support you've asked us to assist with.
What we do do
- We scan prompts against a keyword deny-list for CSAM, real-person impersonation, and a handful of other categories (see our Acceptable Use Policy). Matches are dropped and logged without the raw prompt.
- We rate-limit per account and per IP to stop abuse and runaway scripts.
- We run TLS 1.2+ across every surface.
- We mirror every Stripe webhook event into our database so reconciliation is idempotent and replayable.
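The last point, mirroring each webhook event so that redeliveries are harmless and derived state can be rebuilt, is easier to see in code. The following is an added example, not clipt.ai's implementation: the event objects are constructed with a simplified shape (`id`, `type`, `created`, `data`) rather than the full provider payload, and two in-memory maps stand in for a `webhook_events` table and the subscription state derived from it.

```javascript
// Added example (not clipt.ai's code): idempotent, replayable webhook mirroring.
// Every event is first recorded under the provider's event id; a second delivery
// of the same id is a no-op, and derived state can be rebuilt from the mirror.

// Stand-ins for database tables, constructed for this example.
const webhookEvents = new Map(); // event id -> { type, created, payload }
const subscriptions = new Map(); // customer id -> status (derived state)

// Insert-if-absent. In a real database this is a unique constraint on the
// event id so two concurrent deliveries cannot both succeed.
function mirrorEvent(event) {
  if (webhookEvents.has(event.id)) return false;
  webhookEvents.set(event.id, {
    type: event.type,
    created: event.created,
    payload: event.data,
  });
  return true;
}

// Apply one event to derived state. Event type names follow the provider's
// naming; the payload fields used here are the simplified constructed shape.
function applyEvent(event) {
  switch (event.type) {
    case 'customer.subscription.created':
    case 'customer.subscription.updated':
      subscriptions.set(event.data.customer, event.data.status);
      break;
    case 'customer.subscription.deleted':
      subscriptions.set(event.data.customer, 'canceled');
      break;
    default:
      break; // unknown types are still mirrored, just not applied
  }
}

// Webhook handler: mirror first, apply only if the event was new.
function handleWebhook(event) {
  if (!mirrorEvent(event)) return 'duplicate';
  applyEvent(event);
  return 'applied';
}

// Replay: rebuild derived state from the mirror alone, ordered by the
// provider's creation timestamp so out-of-order deliveries converge.
function replay() {
  subscriptions.clear();
  const ordered = [...webhookEvents.entries()]
    .sort((a, b) => a[1].created - b[1].created);
  for (const [id, rec] of ordered) {
    applyEvent({ id, type: rec.type, created: rec.created, data: rec.payload });
  }
  return subscriptions;
}

module.exports = { handleWebhook, replay, webhookEvents, subscriptions };
```

Two details carry the security weight here: the event is persisted before any side effect runs, so a crash between the two steps leaves a replayable record rather than a silently lost update, and replay sorts by the provider's own `created` field rather than arrival order, so a delayed redelivery of an older event cannot overwrite newer state.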