Security is what we do. Here's how we do it.
We're a cybersecurity platform — so we hold ourselves to the same standard we set for our customers. No vague promises. Real practices, real evidence.
Four commitments, in plain terms.
Tenant Isolation
Database-level row security. Each tenant’s data is cryptographically isolated.
Encryption
AES-256-GCM at rest. TLS 1.2+ in transit. Key rotation support.
Vendor Compliance
All infrastructure providers hold SOC 2 Type II certification.
AI Data Policy
Your data is never used for model training. Auditable per-request logging.
Data Protection
How we protect your data at every layer
Multi-Tenant Isolation
PostgreSQL Row-Level Security enforced at the database level. Separate worker roles prevent privilege escalation. Per-request RLS context prevents cross-tenant data leakage.
Encryption
AES-256-GCM encryption at rest with versioned format and key rotation support. TLS 1.2+ for all data in transit. No unencrypted sensitive data at rest.
Authentication & Access Control
Clerk-managed authentication with JWT validation (audience + issuer verification), role-based access control, and admin MFA via TOTP. No passwords stored by Clariti — delegated entirely to Clerk.
Infrastructure & Vendors
Our infrastructure runs on certified platforms — their compliance is our foundation
AI Data Handling
We use Claude (Anthropic) for AI-powered assessments. Here's exactly what happens with your data.
No training on your data.
Anthropic’s commercial API terms explicitly prohibit using inputs/outputs for model training.
30-day retention, then deleted.
API data is retained for safety monitoring for up to 30 days, then permanently deleted.
Per-request audit trail.
Every AI call is logged with tenant ID and feature context for full auditability.
No email or message content.
We never request permissions to read email bodies, message content, or file contents.
Development practices.
Security is built into our development lifecycle, not bolted on after.
Static Analysis (SAST)
Bandit + Ruff security rules on every commit
Secret Scanning
Gitleaks pre-commit hook prevents credential leaks
Dependency Auditing
pip-audit for vulnerability scanning, pinned deps with hashes
SBOM
CycloneDX software bill of materials generated per release
CI/CD Security Gates
70% coverage threshold, lint + security scan on every push
Container Hardening
Non-root, read-only filesystem, dropped capabilities
Compliance roadmap.
We're transparent about where we are and where we're headed.
Production Readiness & Security Hardening
24 security controls, RLS, encryption, SAST, SBOM, CI gates
Code Quality & Testing Maturity
Expanded test coverage, CD pipeline, staging env, Dependabot
ISO 27001 Compliance Foundation
ISMS core docs, operational policies, vendor assessments, CSA CAIQ
Certification & Audit
Penetration test, internal audit, ISO 27001 Stage 1+2
Subprocessors.
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | AI-powered security analysis | United States |
| Railway | Application hosting & database | United States |
| Vercel | Frontend hosting & CDN | United States |
| Clerk | Authentication & user management | United States |
| Sentry | Error monitoring | United States |
| Resend | Transactional email | United States |
Download Security Documentation.
Get our CSA CAIQ and security overview. Enter your email for instant download.