Security.

How we protect your account, your clash data, and the AI processing behind it.

Authentication

Passwords are hashed with BCrypt and are never stored or logged in plain text. Optional two-factor authentication (TOTP) can be enabled per account, backed by single-use recovery codes. Repeated failed sign-in attempts trigger a lockout, and refresh tokens rotate on use and are revoked immediately on logout.

Access control

Every API endpoint requires an authenticated user unless it is explicitly marked public — there is no accidental open endpoint. Sensitive endpoints such as sign-in and password reset are rate-limited per IP address, and security-relevant actions like logins, admin impersonation, and permission changes are written to a long-retained audit trail.

Data protection

Everything in transit is encrypted over TLS. Two-factor secrets, and password-reset and account-activation tokens, are encrypted before storage. Encryption of our database and file storage at rest is provided by our cloud infrastructure. Our database is backed up continuously, and we test the restore process end to end rather than assuming it works.

Data residency and hosting

AI processing — clash naming, the Wise chat assistant, and AI summaries — runs on Microsoft Azure OpenAI in Sweden, within the EU. The application itself is hosted on Hetzner infrastructure in Germany, within the EU. Customer data at rest, including our primary database, file storage, and transactional email, is held in the United Kingdom under the European Commission's adequacy decision.

Frequently asked questions

Does ClashWise support two-factor authentication?

Yes — optional TOTP-based two-factor authentication can be enabled per account, backed by single-use recovery codes, with the shared secret encrypted at rest.

Where is my data hosted?

Customer data at rest, including the primary database, file storage, and transactional email, is held in the United Kingdom. AI processing runs on Microsoft Azure OpenAI in Sweden, and the application itself is hosted on Hetzner infrastructure in Germany — all within the EU or under the UK adequacy decision.

How do I report a security issue?

Email support@clashwise.ai — reports are taken seriously and answered promptly.

Start free trial Download plug-in See pricing