Trust Center

Security is what we do. Here's how we do it.

We're a cybersecurity platform — so we hold ourselves to the same standard we set for our customers. No vague promises. Real practices, real evidence.

At a glance

Four commitments, in plain terms.

Tenant Isolation

Database-level row security. Each tenant’s data is cryptographically isolated.

Encryption

AES-256-GCM at rest. TLS 1.2+ in transit. Key rotation support.

Vendor Compliance

All infrastructure providers hold SOC 2 Type II certification.

AI Data Policy

Your data is never used for model training. Auditable per-request logging.

Data protection

Data Protection

How we protect your data at every layer

Multi-Tenant Isolation

PostgreSQL Row-Level Security enforced at the database level. Separate worker roles prevent privilege escalation. Per-request RLS context prevents cross-tenant data leakage.

Encryption

AES-256-GCM encryption at rest with versioned format and key rotation support. TLS 1.2+ for all data in transit. No unencrypted sensitive data at rest.

Authentication & Access Control

Clerk-managed authentication with JWT validation (audience + issuer verification), role-based access control, and admin MFA via TOTP. No passwords stored by Clariti — delegated entirely to Clerk.

Infrastructure & vendors

Infrastructure & Vendors

Our infrastructure runs on certified platforms — their compliance is our foundation

Railway

Backend, Database, Redis

SOC 2 II
Trust Center

Vercel

Frontend Hosting

SOC 2 IIISO 27001
Trust Center

Anthropic

AI Engine

SOC 2 IIISO 27001
Trust Center

Clerk

Authentication

SOC 2 II
Security Docs

GitHub

Source Control & CI/CD

SOC 2 IIISO 27001
Trust Center

Sentry

Error Monitoring

SOC 2 IIISO 27001
Trust Center

Resend

Transactional Email

SOC 2 II
Security
AI data handling

AI Data Handling

We use Claude (Anthropic) for AI-powered assessments. Here's exactly what happens with your data.

No training on your data.

Anthropic’s commercial API terms explicitly prohibit using inputs/outputs for model training.

30-day retention, then deleted.

API data is retained for safety monitoring for up to 30 days, then permanently deleted.

Per-request audit trail.

Every AI call is logged with tenant ID and feature context for full auditability.

No email or message content.

We never request permissions to read email bodies, message content, or file contents.

Anthropic's data usage policy
Built in, not bolted on

Development practices.

Security is built into our development lifecycle, not bolted on after.

Static Analysis (SAST)

Bandit + Ruff security rules on every commit

Secret Scanning

Gitleaks pre-commit hook prevents credential leaks

Dependency Auditing

pip-audit for vulnerability scanning, pinned deps with hashes

SBOM

CycloneDX software bill of materials generated per release

CI/CD Security Gates

70% coverage threshold, lint + security scan on every push

Container Hardening

Non-root, read-only filesystem, dropped capabilities

Where we are, honestly

Compliance roadmap.

We're transparent about where we are and where we're headed.

COMPLETE

Production Readiness & Security Hardening

24 security controls, RLS, encryption, SAST, SBOM, CI gates

IN PROGRESS

Code Quality & Testing Maturity

Expanded test coverage, CD pipeline, staging env, Dependabot

PLANNED

ISO 27001 Compliance Foundation

ISMS core docs, operational policies, vendor assessments, CSA CAIQ

PLANNED

Certification & Audit

Penetration test, internal audit, ISO 27001 Stage 1+2

Who touches your data

Subprocessors.

ProviderPurposeLocation
AnthropicAI-powered security analysisUnited States
RailwayApplication hosting & databaseUnited States
VercelFrontend hosting & CDNUnited States
ClerkAuthentication & user managementUnited States
SentryError monitoringUnited States
ResendTransactional emailUnited States

Download Security Documentation.

Get our CSA CAIQ and security overview. Enter your email for instant download.

Have specific security questions? Contact us →
Last updated: April 2026