Your data stays yours.

CleanSmart processes your data to clean it, not to keep it. Here's exactly how we protect what you upload.

The Short Version

For people who just want the highlights

  • Encrypted in transit. TLS 1.2 protects data moving to and from CleanSmart.
  • Encrypted at rest. AES-256 encryption on all stored data.
  • Isolated per customer. Your data never touches another customer's data. Ever.
  • You control retention. Keep data for 24 hours, 7 days, 30 days, or 90 days. Your choice.
  • Delete anytime. Get a cryptographic receipt proving what was removed and when.
  • No AI training. We never use your data to train models. Period.

Under the Hood

For the folks who want to know how it works, not just that it works

  • Encryption in Transit

    All data transmitted to and from CleanSmart is encrypted using TLS 1.2. This includes file uploads, API calls, and data exports. Your data is protected from the moment it leaves your browser until it reaches our servers.

  • Encryption at Rest

    Two layers of encryption protect your data at rest:


    Application-level: API credentials and integration tokens (for HubSpot, Salesforce, Mailchimp, etc.) are encrypted using Fernet (AES-256-CBC) before storage. These are never stored in plaintext.


    Platform-level: All database storage runs on Digital Ocean Managed PostgreSQL with AES-256 disk encryption enabled by default. The underlying storage volumes are encrypted at the infrastructure level.

  • Data Isolation

    Customer data is isolated at the database level. Your records, cleaning jobs, and uploaded files are never accessible to other accounts. There is no shared tenancy. When you upload a file, it exists in your workspace and nowhere else.

  • Data Retention

    You choose how long CleanSmart keeps your data:


    • 24 hours: Quick cleanup jobs you don't need to revisit
    • 7 days: Short-term projects with review cycles
    • 30 days: Standard workflows (this is the default)
    • 90 days: Longer projects or compliance requirements

    Change your retention setting anytime in account settings. It applies to all future uploads immediately.


  • Manual Deletion

    Don't want to wait for automatic deletion? Delete any dataset manually, anytime. When you do, you'll receive a deletion receipt that includes:


    • Exact timestamp of deletion
    • Number of records removed
    • SHA-256 cryptographic hash verifying the deletion
    • Dataset name and ID

    This receipt is your audit trail. Save it for compliance documentation, internal records, or peace of mind.

What we don't do with your data

Sometimes it's clearer to say what we won't do:


  • We don't train AI models on your data. The AI in CleanSmart is pre-trained. Your customer lists, contact records, and business data are never fed back into model training.
  • We don't sell or share your data. Not with partners. Not with advertisers. Not with anyone.
  • We don't access your data without reason. Our team only accesses customer data when you explicitly ask for support help, and only with your permission.
  • We don't keep data after you delete it. When you delete something, it's gone. The deletion receipt exists so you can prove it.

Where your data lives

CleanSmart runs on Digital Ocean's infrastructure, hosted in SOC 2 Type II certified data centers.


Current status: CleanSmart itself is not yet SOC 2 certified, but it's on our roadmap. We'll update this page when that changes.



Why Digital Ocean? Managed PostgreSQL with automatic encryption, isolated compute environments, and infrastructure that scales without us managing bare metal. It lets us focus on building a better product instead of running servers.

How we handle your connected accounts

When you connect HubSpot, Salesforce, Mailchimp, Shopify, or Klaviyo:



  • OAuth tokens are encrypted. We use Fernet (AES-256-CBC) to encrypt all integration credentials before storing them.
  • Minimal permissions. We only request the access scopes needed to read and write contact/customer data. Nothing more.
  • Revoke anytime. Disconnect an integration from your CleanSmart settings or directly from the connected platform. Either way, we lose access immediately.

Common security questions

Can CleanSmart employees see my data?

Not without your explicit permission. If you contact support and ask us to help troubleshoot a specific dataset, we may request temporary access. You grant it, we help, then access ends. Otherwise, no.


What happens if there's a breach?

We would notify affected customers within 72 hours with details on what happened, what data was involved, and what we're doing about it. We follow industry-standard incident response procedures. (To date, we have not experienced a data breach.)


Do you have a DPA for GDPR compliance?

Yes. Contact support@cleansmartlabs.com and we'll send it over.


Is my data backed up?

Yes. Digital Ocean Managed PostgreSQL includes automated daily backups with point-in-time recovery. Backups are encrypted and retained for 7 days.

Ready to clean your data?

Start Your Free Trial

7-day free trial. No credit card required.