Trust Center

Security is what we do.
Here's how we do it.

We're a cybersecurity platform — so we hold ourselves to the same standard we set for our customers. No vague promises. Real practices, real evidence.

Tenant Isolation

Database-level row security. Each tenant’s data is isolated by PostgreSQL Row-Level Security policies bound to a per-request tenant context.

Encryption

AES-256-GCM at rest. TLS 1.2+ in transit. Key rotation support.

Vendor Compliance

All infrastructure providers hold SOC 2 Type II certification.

AI Data Policy

Your data is never used for model training. Auditable per-request logging.

Data Protection

How we protect your data at every layer

Multi-Tenant Isolation

PostgreSQL Row-Level Security enforced at the database level, so tenant filtering does not depend on application code remembering a WHERE clause. Separate database roles for application and worker processes limit what a compromised component can do. A per-request RLS context binds every query to exactly one tenant and prevents cross-tenant data leakage.
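
The following Python is an added illustration of the per-request RLS pattern described above; it is example code written for this page, not Clariti's implementation. It shows the PostgreSQL policy such a design depends on and a request-scoped helper that binds the tenant for exactly one transaction. The table, role and setting names (findings, app_worker, app.tenant_id) and the tenant id are assumptions, and RecordingConnection stands in for a real psycopg connection so the block runs offline.

```python
"""Per-request tenant context for PostgreSQL Row-Level Security (added example)."""
import uuid
from contextlib import contextmanager

# DDL the request helper below depends on. Table, role and setting names
# (findings, app_worker, app.tenant_id) are assumptions for this example.
# FORCE applies the policy to the table owner too; NOBYPASSRLS keeps the
# worker role from skipping policies. current_setting(..., true) returns
# NULL when no tenant is bound, so an unscoped query matches no rows.
RLS_SETUP_SQL = """
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON findings
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
CREATE ROLE app_worker NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO app_worker;
"""


@contextmanager
def tenant_transaction(conn, tenant_id):
    """Bind app.tenant_id to exactly one tenant for exactly one transaction.

    set_config(name, value, is_local => true) is transaction-scoped, so a pooled
    connection never carries one request's tenant into the next request. The
    tenant id is parsed as a UUID before it goes anywhere near SQL.
    """
    tid = str(uuid.UUID(str(tenant_id)))  # ValueError on anything else
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        cur.execute("SELECT set_config('app.tenant_id', %s, true)", (tid,))
        yield cur
        cur.execute("COMMIT")
    except BaseException:
        cur.execute("ROLLBACK")
        raise


def list_findings(conn, tenant_id):
    """Tenant-scoped read. There is deliberately no tenant_id filter in the
    query: the RLS policy, not the caller, restricts the rows."""
    with tenant_transaction(conn, tenant_id) as cur:
        cur.execute("SELECT id, title FROM findings ORDER BY id")
        return cur.fetchall()


class RecordingConnection:
    """Stand-in for a DB-API connection (e.g. psycopg) so the example runs
    offline: records every statement and returns canned rows."""

    def __init__(self, rows=()):
        self.statements = []
        self.rows = list(rows)

    def cursor(self):
        return RecordingCursor(self)


class RecordingCursor:
    def __init__(self, conn):
        self.conn = conn

    def execute(self, sql, params=None):
        self.conn.statements.append((sql, params))

    def fetchall(self):
        return list(self.conn.rows)


TENANT_A = "7b8d4f9e-1c2a-4d3b-9e8f-0a1b2c3d4e5f"  # constructed tenant id


def demo():
    """Returns the statements a scoped read issues, plus the rows it saw."""
    conn = RecordingConnection(rows=[(1, "Public S3 bucket")])
    rows = list_findings(conn, TENANT_A)
    return conn.statements, rows


def rejects_bad_tenant(value):
    """True if a non-UUID tenant id is refused before any SQL is sent."""
    conn = RecordingConnection()
    try:
        list_findings(conn, value)
    except ValueError:
        return conn.statements == []
    return False


if __name__ == "__main__":
    for sql, params in demo()[0]:
        print(sql, params or "")
```

The two details worth copying are the transaction-local set_config (a plain SET on a pooled connection would survive into the next request) and parsing the tenant id as a UUID before it is passed as a bound parameter, which keeps the context variable from becoming an injection point.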

Encryption

AES-256-GCM encryption at rest with versioned format and key rotation support. TLS 1.2+ for all data in transit. No unencrypted sensitive data at rest.
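
As an added example of what "versioned format with key rotation support" means in practice (example code written for this page, not Clariti's own implementation), the block below wraps each secret in a small envelope: a version byte, a 16-bit key id, a random 96-bit nonce and the AES-256-GCM ciphertext with its tag. The key id is what lets old blobs stay readable while new writes move to a new key, and a rotation sweep re-wraps them. It uses the `cryptography` package; the sample plaintext, tenant AAD and key ids are constructed for the demo.

```python
"""Versioned AES-256-GCM envelope with key rotation (added example)."""
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

VERSION = 1
HEADER = struct.Struct(">BH")  # version (1 byte) | key id (2 bytes, big-endian)
NONCE_LEN = 12                 # 96-bit nonce, the standard GCM size
TAG_LEN = 16


class KeyRing:
    """Numbered 256-bit keys. `current` encrypts new data; older keys stay
    readable until every blob under them has been re-wrapped and the key
    is retired. The key id in the header is what makes rotation possible."""

    def __init__(self, keys, current):
        self.keys = {}
        for kid, key in keys.items():
            self._add(kid, key)
        if current not in self.keys:
            raise ValueError("current key id not in ring")
        self.current = current

    def _add(self, kid, key):
        if len(key) != 32:
            raise ValueError(f"key {kid}: AES-256 needs 32 bytes")
        if not 0 <= kid <= 0xFFFF:
            raise ValueError("key id must fit in 16 bits")
        self.keys[kid] = key

    def encrypt(self, plaintext, aad=b""):
        nonce = os.urandom(NONCE_LEN)  # fresh random nonce per blob
        ct = AESGCM(self.keys[self.current]).encrypt(nonce, plaintext, aad)
        return HEADER.pack(VERSION, self.current) + nonce + ct

    def key_id_of(self, blob):
        if len(blob) < HEADER.size + NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short")
        version, kid = HEADER.unpack_from(blob)
        if version != VERSION:
            raise ValueError(f"unsupported envelope version {version}")
        return kid

    def decrypt(self, blob, aad=b""):
        kid = self.key_id_of(blob)
        if kid not in self.keys:
            raise ValueError(f"unknown or retired key id {kid}")
        start = HEADER.size
        nonce = blob[start:start + NONCE_LEN]
        return AESGCM(self.keys[kid]).decrypt(nonce, blob[start + NONCE_LEN:], aad)

    def rotate(self, new_kid, new_key):
        """Add a key and make it current. Nothing is re-encrypted yet."""
        self._add(new_kid, new_key)
        self.current = new_kid

    def reencrypt(self, blob, aad=b""):
        """Re-wrap one blob under the current key (the rotation sweep step)."""
        if self.key_id_of(blob) == self.current:
            return blob
        return self.encrypt(self.decrypt(blob, aad), aad)

    def retire(self, kid):
        if kid == self.current:
            raise ValueError("cannot retire the current key")
        del self.keys[kid]


def decrypts_to(ring, blob, aad, expected):
    """True if blob authenticates under aad and yields the expected plaintext."""
    try:
        return ring.decrypt(blob, aad) == expected
    except (InvalidTag, ValueError):
        return False


def demo():
    ring = KeyRing({1: os.urandom(32)}, current=1)
    aad = b"tenant:7b8d4f9e"            # binds the blob to its owning tenant row
    secret = b"webhook signing secret"   # constructed sample plaintext
    old = ring.encrypt(secret, aad)
    ring.rotate(2, os.urandom(32))
    new = ring.reencrypt(old, aad)
    tampered = new[:-1] + bytes([new[-1] ^ 0x01])
    results = {
        "old_kid": ring.key_id_of(old),
        "new_kid": ring.key_id_of(new),
        "old_still_readable": decrypts_to(ring, old, aad, secret),
        "new_readable": decrypts_to(ring, new, aad, secret),
        "tamper_rejected": not decrypts_to(ring, tampered, aad, secret),
        "wrong_tenant_rejected": not decrypts_to(ring, new, b"tenant:other", secret),
    }
    ring.retire(1)
    results["retired_key_rejected"] = not decrypts_to(ring, old, aad, secret)
    return results


if __name__ == "__main__":
    print(demo())
```

Passing the tenant id as associated data is a cheap extra guard: a blob copied from one tenant's row into another's fails authentication even though the key is shared, so a row-swap in the database does not turn into a cross-tenant disclosure.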

Authentication & Access Control

Clerk-managed authentication with JWT validation (audience + issuer verification), role-based access control, and admin MFA via TOTP. No passwords stored by Clariti — delegated entirely to Clerk.
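
The block below is an added example of the JWT checks named above (audience and issuer verification, with the algorithm pinned before the signature is trusted); it is written for this page and is not Clerk's SDK or Clariti's code. To run with the standard library alone it uses HS256 with a shared secret rather than the RS256/JWKS setup a hosted identity provider normally uses; the order of checks is the same either way. The issuer URL, audience string, secret and claims are constructed for the demo.

```python
"""JWT verification with pinned algorithm, audience and issuer checks (added example)."""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    pass


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except (ValueError, TypeError):
        raise InvalidToken("malformed token")


def _json_segment(segment):
    try:
        value = json.loads(_b64url_decode(segment))
    except ValueError:
        raise InvalidToken("malformed token")
    if not isinstance(value, dict):
        raise InvalidToken("malformed token")
    return value


def sign_jwt(claims, secret):
    """Mint an HS256 token (the identity provider's job; here only for the demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, *, issuer, audience, now=None, leeway=30):
    """Verify the signature first, then the claims. Returns the claims or raises."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h64, p64, s64 = parts
    header = _json_segment(h64)
    # Pin the algorithm. Letting header["alg"] choose the verifier is how
    # "alg":"none" and HMAC/RSA confusion bugs happen.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise InvalidToken("bad signature")
    claims = _json_segment(p64)
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidToken("expired or missing exp")
    if now + leeway < claims.get("nbf", 0):
        raise InvalidToken("not yet valid")
    return claims


def outcome(token, secret, **kw):
    """'ok' or the rejection reason, for tabulating the cases below."""
    try:
        verify_jwt(token, secret, **kw)
        return "ok"
    except InvalidToken as e:
        return str(e)


SECRET = b"constructed-demo-secret"   # shared secret for the demo only
ISSUER = "https://issuer.example"     # assumed issuer URL
AUDIENCE = "clariti-api"              # assumed audience (the API accepting the token)


def demo(now=1_700_000_000):
    base = {"sub": "user_123", "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 600}
    good = sign_jwt(base, SECRET)
    cases = {
        "good": good,
        "wrong_audience": sign_jwt({**base, "aud": "other-app"}, SECRET),
        "wrong_issuer": sign_jwt({**base, "iss": "https://attacker.example"}, SECRET),
        "expired": sign_jwt({**base, "exp": now - 3600}, SECRET),
        # valid header and payload, signature replaced with zeros
        "forged_signature": good.rsplit(".", 1)[0] + "." + _b64url_encode(b"\0" * 32),
        # classic downgrade: alg=none with an empty signature
        "alg_none": _b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + ".",
    }
    kw = dict(issuer=ISSUER, audience=AUDIENCE, now=now)
    return {name: outcome(tok, SECRET, **kw) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

A token for a different audience is the case most often missed: it carries a valid signature from the right issuer, so only the explicit aud check stops one application's session token from being replayed against another.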

Infrastructure & Vendors

Our infrastructure runs on certified platforms — their compliance is our foundation

Provider    Role                       Attestations
Railway     Backend, Database, Redis   SOC 2 Type II
Vercel      Frontend Hosting           SOC 2 Type II, ISO 27001
Anthropic   AI Engine                  SOC 2 Type II, ISO 27001
Clerk       Authentication             (not listed)
GitHub      Source Control & CI/CD     SOC 2 Type II, ISO 27001
Sentry      Error Monitoring           SOC 2 Type II, ISO 27001
Resend      Transactional Email        SOC 2 Type II

AI Data Handling

We use Claude (Anthropic) for AI-powered assessments. Here's exactly what happens with your data.

No training on your data. Anthropic’s commercial API terms explicitly prohibit using inputs/outputs for model training.

30-day retention, then deleted. Anthropic retains API inputs and outputs for trust-and-safety monitoring for up to 30 days, then permanently deletes them.

Per-request audit trail. Every AI call is logged with tenant ID and feature context for full auditability.

No email or message content. We never request permissions to read email bodies, message content, or file contents.

Anthropic's data usage policy

Development Practices

Security is built into our development lifecycle, not bolted on after.

Static Analysis (SAST)

Bandit + Ruff security rules on every commit

Secret Scanning

Gitleaks pre-commit hook prevents credential leaks

Dependency Auditing

pip-audit for vulnerability scanning; dependencies pinned with hashes

SBOM

CycloneDX software bill of materials generated per release

CI/CD Security Gates

70% coverage threshold, lint + security scan on every push

Container Hardening

Non-root, read-only filesystem, dropped capabilities

Compliance Roadmap

We're transparent about where we are and where we're headed.

COMPLETE

Production Readiness & Security Hardening

24 security controls, RLS, encryption, SAST, SBOM, CI gates

IN PROGRESS

Code Quality & Testing Maturity

Expanded test coverage, CD pipeline, staging env, Dependabot

PLANNED

ISO 27001 Compliance Foundation

ISMS core docs, operational policies, vendor assessments, CSA CAIQ

PLANNED

Certification & Audit

Penetration test, internal audit, ISO 27001 Stage 1+2

Subprocessors

Third-party services that process customer data on our behalf.

Provider    Purpose                            Location
Anthropic   AI-powered security analysis       United States
Railway     Application hosting & database     United States
Vercel      Frontend hosting & CDN             United States
Clerk       Authentication & user management   United States
Sentry      Error monitoring                   United States
Resend      Transactional email                United States

Have specific security questions? Contact us →
Last updated: April 2026