Cleo Enterprise Compliance & SLA Proof Pack
Verifiable Assurance for the Enterprise. Exceeding Standards in Security, Compliance, and Risk Management.
We don't just talk about compliance—we provide the full documentation required to meet your most stringent risk assessments.
Enterprise Audit & Certification Evidence
| Security Requirement | Cleo Status | Evidence & Auditable Proof |
| --- | --- | --- |
| Control Certification | SOC 2 Type II, SOC 1 Type II, SOC 3 | Successfully attested for the SSAE-18 suite. The 2025 Audit Cycle found zero nonconformities and zero exceptions. Full reports available via the Trust Center. |
| Information Security | ISO/IEC 27001:2022 | Globally certified for Information Security Management System (ISMS). Scope covers all Cleo data centers and platform services. ISMS objective is to preserve Confidentiality, Integrity, and Availability (CIA). |
| Key Compliance Standards | Global & US-Specific | Compliance documentation for GDPR, CCPA, CPRA, DORA, EU-US DPF, and NIST CSF is maintained and auditable. |
| Data Protection | In Transit & At Rest | Policies confirm end-to-end Encryption, Data Backups, Data Erasure, and Access Monitoring features are in place, supported by a formal Access Control Policy and Anti-Malicious Software Policy. |
Availability & Incident Response Evidence
| Metric / Feature | Cleo Standard | Auditable Proof & BC/DR Metrics |
| --- | --- | --- |
| System Resiliency | BC/DR Architecture | Leveraging Amazon Web Services (AWS) for resilient infrastructure, supported by a documented Business Continuity/Disaster Recovery plan. |
| Recovery Time Objective (RTO) | 24 Hours | Formal RTO of 24 hours for severe impact incidents, ensuring rapid recovery capability and minimal long-term disruption. |
| Audit Trace Visual | Audit Logging | Granular, time-stamped Audit Logging is enabled for key platform activities, ensuring full data traceability required for customer audits. (Figure: audit trace visual showing the event, user, and time.) |
| Security Validation | Quarterly Vulnerability Scans and Annual Penetration Tests | Pentest Reports are featured documents in the Trust Center, reflecting an ongoing commitment to external vulnerability assessment and mitigation. |
Additional Security Information
Find all the information you need to dive deeper.
Responsible AI Usage
Cleo is committed to the ethical and responsible deployment of Artificial Intelligence (AI) technologies. Our approach is guided by the following principles:
- Transparency: We ensure that AI systems are explainable, and decisions are traceable, supporting auditability and regulatory compliance.
- Fairness: AI models are regularly evaluated to mitigate bias and promote equitable outcomes for all stakeholders.
- Privacy & Security: AI solutions are designed to protect data privacy and comply with global standards, including GDPR and NIST CSF.
- Accountability: Clear governance structures are in place for AI development, deployment, and monitoring, with defined roles and escalation paths for incident management.
- Continuous Improvement: We maintain ongoing reviews of AI systems to align with evolving best practices and regulatory requirements.
For more details on Cleo’s Responsible AI policies, visit the Trust Center or contact the Enterprise Risk & Compliance team.
High Availability
- Cloud architecture: CIC runs on AWS with workloads and data distributed across multiple AZs for fault isolation and continuous operations.
- Redundancy & traffic management: Stateless services are fronted by load-balanced gateways (e.g., HAProxy, Kong) and protected by AWS Security Groups and WAF/IDS/IPS controls.
- Operational monitoring: CIC is continuously monitored with incident response procedures governed by Cleo’s incident management program.
Disaster Recovery
- Targets: Platform objectives of RTO up to 15 minutes and RPO of 0, supported by architecture and recovery runbooks. (Customer-specific targets and contractual SLAs/Service Credits are defined in the governing MSA/SLA.)
- Testing & updates: The DR plan is tested at least annually and reviewed/updated annually to incorporate lessons learned and platform changes.
- Failover approach: AZ-level disruptions are mitigated via multi-AZ design; region-level contingencies are addressed via documented recovery procedures.
Our 2025 Audit Cycle found zero nonconformities and zero exceptions!
Visit Cleo’s Trust Center to get the consolidated, authoritative proof you need.
- Full Audit Suite Reports: Access to the latest SOC 1 Type II, SOC 2 Type II, and SOC 3 reports (SSAE-18).
- Global Security Certification: Current ISO/IEC 27001:2022 Certificate and Statement of Applicability (SoA).
- Comprehensive Compliance: Adherence to major global standards including GDPR, CCPA, CPRA, DORA, EU-US DPF, and NIST CSF.
- Infrastructure Resilience: Details on our BC/DR (Business Continuity/Disaster Recovery) plan and our documented 24-hour Recovery Time Objective (RTO) for severe incidents.
- Vulnerability Validation: Recent External Penetration Test Reports and insights into our continuous Access Monitoring and Audit Logging capabilities.