Trust Center
- AES-256-GCM at rest
- TLS 1.2+ in transit
- No AI training on content
- 13-month audit-log retention
- Sub-processors publicly listed
- 30-day sub-processor notice
- 72-hour breach notification
- Weekly key-rotation health check
This page is the single entry point for security and privacy information about Clarus. It is intended for prospects, customers, and security reviewers who want to understand how the Service protects their data without having to read our full code.
For legal language, see the Privacy Policy and Terms of Service. For a detailed vendor list, see Sub-processors.
Overview
Clarus is a writing product that holds documents, AI-generated feedback, and the editorial artifacts around them. We protect that content with application-layer encryption, least-privilege access, and a small number of deliberately chosen sub-processors.
We do not train AI models on your content. We use Plausible Analytics (cookieless) for site measurement. We do not use Google Analytics, session replay, retargeting pixels, or advertising cookies.
Encryption
- At rest: All user content is encrypted with AES-256-GCM at the application layer, with separate encryption keys per user and per document. See Encryption At Rest for details.
- In transit: TLS 1.2+ for every connection between your browser, Vercel, Convex, and our AI providers.
- Key management: Encryption keys are managed server-side with offline backups. Key rotation is automatic when document access is revoked, and a weekly automated health check ensures key integrity. See How Encryption Works for an overview.
Data handling
- What is encrypted: document body content, version snapshots, comments, annotations, coach/researcher/outline AI-run outputs, per-user scratch pads.
- What is plaintext (by design): document titles (needed for search indexing), IDs, timestamps, role enums, and other structural metadata.
- Backups: Convex manages durable backups of the underlying database. Because row ciphertext is what gets backed up, a backup restore requires the same master key that was active at backup time.
- Retention: AI-interaction logs are deleted after 90 days. The full retention schedule is in Privacy Policy §5.
AI providers and training
Clarus does not use your content to train AI models. We use third-party AI providers (Anthropic and Google) to power writing, review, outline, and research features. We are currently on each provider's default commercial API tier, not on Zero Data Retention. Their published commercial terms prohibit using API submissions for training. See Privacy Policy §3 for the specific clauses we rely on and the planned upgrade path.
Sub-processors
The complete list of third-party services that process personal data on our behalf is maintained at Sub-processors. Changes to that list are announced at least 30 days before they take effect, giving you time to delete your account if you disagree.
Authentication
Clarus supports the following sign-in methods:
- Google OAuth (user authenticates with Google; we receive only the minimum identity fields).
- GitHub OAuth (same pattern).
- Email magic link via Resend — single-use signed URLs that expire in 24 hours, with per-email rate limits to prevent inbox flooding.
We do not support SSO/SAML or multi-factor authentication on individual accounts yet. Both are on the roadmap; the Compliance Roadmap below names the trigger.
Session tokens are managed by Convex Auth. We do not store passwords because we do not use password authentication.
Internal access
A limited number of operators hold production-access credentials. Access is governed by a written internal-access policy that names authorized triggers, prohibited actions, and the audit trail. A public summary of that policy:
- Who: Today, Clarus is operated by a sole founder. Any future contractor or employee will be added only after background check, signed confidentiality, and least-privilege scoped access (the full procedure is in our internal-access policy).
- When: Production data is accessed only for deployment, debugging a reported issue, responding to a support request with the user's consent, responding to a security incident, or complying with a legal request.
- How it's logged: Convex, Vercel, and Google Cloud each log administrative access in their native audit trails. Sharing, permission changes, AI-run starts, and master-key rotations are additionally captured in our application-level audit log (13-month retention).
- What is prohibited: reading customer document content without consent in the course of debugging unless no other path exists; bypassing authorization checks; disabling encryption; exporting user content to any non-production system.
The full policy document is available to enterprise prospects under NDA — contact support@clarus.page.
Breach notification
If we become aware of a data breach that is likely to result in a risk to your rights, we will notify affected users and the relevant authorities within 72 hours of becoming aware of the breach, as required by applicable law. This commitment is also in Privacy Policy §9.
Vulnerability reporting
If you believe you have discovered a security vulnerability in Clarus, please email security@clarus.page with a description of the issue and steps to reproduce. We commit to:
- Acknowledge receipt within 2 business days.
- Triage and provide an initial severity assessment within 5 business days.
- Remediate or mitigate: 30 days for high-severity, 60 days for medium, 90 days for low.
- Not pursue legal action against good-faith researchers following industry-standard coordinated disclosure.
Please do not publicly disclose an issue until we have had a reasonable opportunity to remediate.
Security contact
- General security questions: support@clarus.page
- Vulnerability reports: security@clarus.page
- Mail: Sumo Creations, LLC, 16330 SW Kimball St., Lake Oswego, OR 97035
Compliance roadmap
We publish this roadmap rather than claiming certifications we do not hold. It is updated as state changes.
| Standard | Current state |
|---|---|
| SOC 2 Type I | Readiness program complete: policies authored, controls implemented, evidence process documented. Audit planned when funded. |
| SOC 2 Type II | Follows Type I; requires an operating-effectiveness window. |
| ISO 27001 | Post-SOC 2 Type II. |
| ISO 42001 (AI management) | Post-SOC 2 Type II. |
| HIPAA | Not pursued in the current product scope. |
| FedRAMP / DoD IL | Not pursued in the current product scope. |
| GDPR | Data-processing agreements with sub-processors; Standard Contractual Clauses for EU data transfers; 30-day right-to-deletion; 72-hour breach notification. |
| CCPA / CPRA | Right to access, deletion, portability, and non-discrimination for California residents. We do not sell personal data. |
| Oregon Consumer Privacy Act | Full rights to access, correct, delete, port data; opt-out of targeted advertising, sale, and profiling. |
If you need a specific certification we do not currently hold and it would be a deal-blocker, let us know — the roadmap is responsive to customer demand.