CleverlyBox Use Cases
USE CASES

Email infrastructure your CISO will actually approve.

Most marketing-cloud ESPs are SaaS black boxes. Your subscriber data lives on their servers, in their region, behind their access controls, on their reputation pool. When something breaks a suspension, a data-residency audit, a SOC 2 gap — you're escalating to a vendor support queue. CleverlyBox is the version where the infrastructure is yours: deploy on your AWS, your VPC, your on-prem. Audit logs, encryption at rest, IP allowlists, dedicated IPs, full data residency. The platform answers to your security review, not the other way around.

The enterprise
sender profile.

Built for organizations that take email, compliance, and deliverability seriously — at scale.

Secure by design
Data stays with you
Audit ready
Org Size

500 – 50,000+

employees
Email Volume

5M – 500M

emails / month
Compliance Posture

SOC 2 • ISO 27001 • GDPR • HIPAA

Current ESP

Salesforce Marketing Cloud / Adobe / Oracle

Enterprise Environment

You operate enterprise marketing email at scale. Your security team has a thick stack of policies. Your audit firm asks pointed questions about data residency and admin-action trails. Your DPO needs an answer to "where is the subscriber consent record?" — fast.

CleverlyBox is the rare ESP that runs inside your security perimeter, not outside it. The platform is yours; the compliance posture is yours; the bill is finite.

Six things SaaS-only ESPs can't solve
for enterprise

Suspension = blackout
Vendor suspension risk

Mailchimp can suspend your account on a complaint threshold. Klaviyo can pause sending for a billing dispute. With your business depending on email — every quarterly campaign, every transactional flow that exposure is unacceptable.

Cross-border data flow
Data residency is non-negotiable

EU customer data has to stay in the EU. APAC has its own rules. SaaS ESPs route through us-east-1 by default. Your DPO requires a guaranteed-region deployment, with an audit trail proving it.

Audit gaps
Audit-trail completeness varies wildly

Who changed the welcome flow last Tuesday? Who exported the subscriber list at 3am? Most SaaS ESPs offer surface-level activity logs not the immutable, signed, tamper-evident audit trail your auditor expects.

SOC 2 inheritance
SOC 2 / ISO 27001 inheritance is shaky

Your ESP has a SOC 2 report. It covers their controls. It does not cover the configuration choices you made on top of their platform. Auditors flag this every year.

No IP allowlist
No IP allowlist control on the admin plane

Your CRM has IP allowlisting. Your AWS console has IP allowlisting. Your ESP's admin login does not. The SaaS-ESP admin plane is on the public internet, accepting credentials from anywhere.

Per-contact pricing
Pricing scales with the customer base, not the value

An enterprise B2C platform with 50M users pays Marketing Cloud millions a year. Most of that is a tax on contact count, not on email-platform value. The unit economics get worse the larger you grow.

Deploy on your infrastructure. The platform is yours

01 Self-deployable

Your AWS account. Your VPC. Your data plane

CleverlyBox is a Laravel 12 application on PHP 8.2+, with MySQL/MariaDB and Redis as data stores. It deploys cleanly on AWS, GCP, Azure, or bare-metal. Reference architecture: ECS or EC2 fleet behind ALB, RDS for MySQL, ElastiCache Redis, S3 for media, SES for outbound. Everything inside your VPC. Outbound traffic locked to your security groups. The vendor (us) does not have a backdoor into your data plane there isn't one to have.

  • Reference architecture for AWS, GCP, Azure — full Terraform / CloudFormation modules
  • Self-hosted Postal as an alternative SMTP backbone — fully on-prem sending option
  • VPC-only deployment; admin plane behind your VPN or zero-trust gateway
  • Data plane (MySQL + Redis) entirely within your security perimeter — no SaaS data exfil
  • Updates delivered as signed release artifacts — you choose when to apply
02 Compliance

Your deployment inherits your existing compliance scope

Because CleverlyBox runs inside your AWS account, the platform inherits your existing SOC 2, ISO 27001, and HIPAA-eligible boundaries. Your auditors don't have to scope a new vendor. Your DPO doesn't have to assess a new sub-processor. Your existing data-processing addendum, your existing key-management infrastructure, your existing log-aggregation pipeline — they all extend to CleverlyBox by default.

  • Encryption at rest via AWS KMS — your keys, your rotation policy
  • Encryption in transit (TLS 1.2+) on every endpoint, internal and external
  • HIPAA-eligible workloads supported via AWS BAA — CleverlyBox runs on HIPAA-eligible AWS services (EC2, RDS, S3, ElastiCache)
  • EU data residency: deploy in eu-west-1 / eu-central-1 — sub-processors are AWS only, fully GDPR-compliant
  • SOC 2 type II evidence package: CleverlyBox source + your AWS configuration + your operational policies = complete audit trail
03 Network controls

IP allowlist on the admin plane. Your zero-trust gateway in front

The CleverlyBox admin plane sits behind your network controls. ALB security groups restrict inbound to your VPN CIDR. WAF rules add a second layer for known-bad IPs. Cloudflare or a zero-trust proxy can sit in front of the admin URL clients pass through your IdP before reaching the login page. Your security architecture extends naturally; the platform doesn't introduce a new public-facing surface.

  • VPC security groups restrict admin access to your network CIDR
  • WAF rules: known-bad IP block, rate-limit, geo-restrict
  • Cloudflare Access or Okta-fronted login — SSO via SAML/OIDC for the admin UI
  • Audit log captures every login attempt with IP, user agent, geo, timestamp exportable to SIEM
  • MFA enforced at the application layer in addition to your IdP's MFA
04 Audit trail

Every campaign. Every admin action. Logged, signed, exported

CleverlyBox writes a comprehensive audit log: every campaign creation, every list export, every automation edit, every login, every API call. Each entry is timestamped, user-attributed, and immutable. Logs stream to your SIEM (Splunk, Datadog, Elastic) via syslog or HTTP. Retention policy follows your enterprise standard — 7 years for financial-services orgs, 5 for healthcare. Your auditors get a complete answer to "who did what, when."

  • Action-level audit log: campaign create/edit/send, list export, automation change, settings update, login
  • API call log with full request/response capture (with PII redaction policy you configure)
  • Streaming export: syslog, HTTP webhook, S3 archive — pipe to Splunk, Datadog, or Elastic
  • Tamper-evident: hash-chained log entries auditor can verify no entry was modified post-write
  • Retention: configurable from 90 days to forever most enterprises set 7 years
05 Dedicated IPs

Dedicated IPs. Controlled warmup. Your reputation, your asset

Marketing Cloud and Salesforce SES tier give you shared IPs by default. CleverlyBox's reference architecture allocates dedicated IPs through Amazon SES (BYOIP for transactional pools, dedicated SES IPs for marketing). Warmup follows the established 4-week ramp protocol. The reputation you build is yours — portable, transferable, attached to your AWS account. You will never wake up to a "the shared pool got blacklisted" support ticket.

  • Dedicated SES IPs allocated per pool (transactional / marketing / enterprise)
  • Bring Your Own IP (BYOIP) supported via AWS for white-glove enterprise deployments
  • Per-IP warmup schedule: 50→500→5K→50K/day across 28 days, configurable
  • Reputation dashboard: per-IP bounce rate, complaint rate, blocklist status
  • Auto-failover: if an IP's reputation drops, route traffic to the warm secondary
06 SLA + support

Dedicated support. Defined SLAs. A real escalation path

Enterprise deployments come with a named technical account manager, a 4-hour response SLA on Sev-1, and quarterly architecture reviews. Onboarding includes a parallel-running migration window, deliverability tuning sessions, and SOC 2 evidence support. Pricing is custom for enterprise tiers — talk to us about the deployment model that fits your scale.

  • Named TAM for ongoing relationship management
  • 4-hour response SLA on Severity 1 (production-down); 24-hour on Sev-2
  • Quarterly architecture review: scaling, reputation, deliverability, audit
  • SOC 2 / ISO 27001 / GDPR evidence-package support — we'll provide the controls documentation your auditor needs
  • Phone + Slack + ticket escalation paths — 24/7 for production incidents

Salesforce Marketing Cloud → CleverlyBox over 60 days, parallel-run

Enterprise migrations don't happen in a weekend. They happen in phases, with parallel-running and rollback gates. Here's the validated 60-day approach.

DAYS 1–10 · INFRA

Stand up the infrastructure.

  • Procure CleverlyBox Agency tier license
  • Provision VPC, RDS, ElastiCache, ECS in your AWS account
  • Deploy CleverlyBox via Terraform module
  • Configure SSO via Okta / Azure AD / OneLogin
  • Connect SES with dedicated IP allocation requested
DAYS 11–20 · AUDIT

Get security & compliance sign-off

  • InfoSec review of architecture diagram
  • DPO review of data-flow diagram and DPA
  • Penetration test against staging deployment
  • Audit-log integration with your SIEM
  • Disaster-recovery runbook drafted, tabletop tested
DAYS 21–35 · MIGRATE

Migrate lists + flows + warm IPs.

  • Export Marketing Cloud subscriber data; import to CleverlyBox
  • Run verification + dedupe across the imported list
  • Rebuild Journey Builder flows in CleverlyBox automation
  • Begin dedicated-IP warmup schedule (50→5K/day across 4 weeks)
  • Recreate segments; validate counts match within 1%
DAYS 36–55 · PARALLEL

Run both systems. Validate. Cut over by region.

  • Route 10% of EU traffic through CleverlyBox; monitor deliverability
  • Increase to 50% over 7 days; compare engagement vs Marketing Cloud baseline
  • Cut over EU 100% on day 45; US 100% on day 50; APAC on day 55
  • Marketing Cloud kept in standby for rollback through day 60
DAYS 56–60 · CLOSE-OUT

Decommission, retire, document.

  • Decommission Marketing Cloud / Adobe / Oracle contract
  • Final compliance sign-off: SOC 2 evidence delivered, DPA updated, IRP refreshed
  • TAM kickoff call for ongoing relationship + Q1 quarterly review scheduled
  • Retrospective: lessons learned, runbook updates, savings booked to FP&A

From enterprise teams that pulled it
inside the security perimeter

"Our InfoSec team had blocked three previous ESP migrations because the data-residency story was incomplete. CleverlyBox running in our own AWS account with the EU pool isolated to eu-west-1 was the first proposal that passed review. The CISO sign-off came in five days."

RH
Rachel H.

VP MarTech · Financial services · 12K employees

"The audit-trail completeness is what won the day. Every campaign, every list export, every login — chained, hash-anchored, streamed to Splunk. Our SOC 2 auditor signed off the email-platform control in one round. Marketing Cloud took us four rounds last year."

JK
James K.

Director, Compliance Eng · Healthcare SaaS

"We were paying $1.2M/year for Marketing Cloud and using maybe 30% of it. We migrated a 14M-subscriber program over 8 weeks. New annual run-rate is roughly $40K (mostly SES). The CISO sleeps better. The CFO sleeps better. I sleep better."

DV
Daniala V.

Head of Marketing Ops · Travel platform · 14M-subscriber list

Operator quotes from launch cohort, recomposed for privacy.

FAQ

Enterprise security & compliance questions

Data lives wherever you deploy CleverlyBox — your AWS account, your region, your VPC. For EU residency, deploy in eu-west-1 or eu-central-1 with RDS encryption keys held in your AWS KMS. There is no cross-region replication unless you explicitly configure it. The vendor (us) does not have read access to your data plane — there is no telemetry, no usage analytics, no support backdoor. For sensitive verticals (financial, healthcare, government), this is the only architecture that passes data-residency review.

CleverlyBox is a software platform you deploy inside your environment, so the certification posture is yours. The reference architecture is built on AWS-eligible services (EC2, RDS, S3, ElastiCache, SES — all SOC 2, ISO 27001, and HIPAA-eligible under AWS BAA). Your existing compliance scope extends to the CleverlyBox deployment by default. Where competitors hand you their SOC 2 report and call it done, CleverlyBox lets you inherit your own — which is what most enterprise auditors actually want.

In transit: TLS 1.2+ on every endpoint (admin UI, API, internal service mesh, database connections). At rest: AES-256-GCM via AWS KMS on RDS, ElastiCache, S3 — using customer-managed keys (CMK) you control, including key-rotation policy. Application-level encryption available for highly sensitive fields (subscriber PII, custom fields tagged sensitive). Audit-log entries are signed and hash-chained at write time.

Configure failover sending pools across providers — SES as primary, SendGrid as secondary, Postal (self-hosted) as tertiary. CleverlyBox's multi-provider routing automatically engages the next pool when the primary's reputation drops or quota is exceeded. Most enterprise deployments run 2–3 isolated pools with active-active routing for transactional and active-passive for marketing. For mission-critical transactional, BYOIP via AWS lets you maintain reputation independence from AWS's shared SES pool.

Nobody. CleverlyBox is licensed software that runs in your AWS account. The vendor has no production access, no telemetry, no usage analytics, no support backdoor. When you open a support ticket, you provide the relevant log excerpts; we don't pull them. This is the architectural difference between a SaaS ESP (vendor has access) and a self-deployed ESP (vendor does not). For enterprises with strict third-party risk requirements, this is often the dealbreaker between platform options.

CleverlyBox includes API endpoints for subscriber data export (CSV / JSON of every record + every engagement event for that subscriber) and bulk-delete (cryptographic erasure via KMS key destruction for sensitive fields, hard-delete from RDS for the rest). Audit log records every DSAR action for compliance evidence. Most enterprises wire these endpoints into their existing privacy-portal infrastructure (OneTrust, Securiti, etc.) so DSAR fulfillment is automated.

Agency tier ($149 lifetime) is the highest published tier and works for most mid-enterprise deployments. For Fortune-500 scale (50M+ subscribers, multi-region active-active, custom SLA, named TAM, white-glove onboarding), we offer custom enterprise licensing — typically annual with negotiated terms, 24/7 support, quarterly reviews, and dedicated infrastructure. Talk to enterprise sales for pricing.

Yes. Enterprise procurement typically includes: (1) NDA + architecture-walkthrough call with our solution architect, (2) shared threat-model document (STRIDE-format) with our responses, (3) penetration-test results from our most recent quarterly external assessment, (4) reference customers for SC2/ISO/HIPAA validation, and (5) optional security-questionnaire (CAIQ / SIG Lite). Most procurement cycles complete in 4–6 weeks from first call.

Email infrastructure your CISO will sign off on.

Self-deployable, audit-tracked, IP-allowlist-controlled, residency-guaranteed. The Agency tier covers most enterprise deployments at $149 once. For Fortune-500 scale, talk to us about custom enterprise licensing.

One-time payment 30-day money-back guarantee Cancel anytime