Security FAQ
Answers to the questions we're most often asked by security reviewers, prospects, and procurement teams. Each answer links back to the authoritative source document so you can verify the claim rather than take our word for it.
If you need an answer that is not covered here, email security@clarus.page and we will add it.
Data
Where is Clarus data stored?
All production data lives in Convex (us-east region). Backups are handled by Convex as part of its managed service. The full vendor stack is listed on Sub-processors.
Is my document content encrypted?
Yes. All document bodies, version snapshots, comments, annotations, AI-run outputs, and per-user scratch pads are encrypted at the application layer with AES-256-GCM. See Trust Center — Encryption for the envelope design.
What data is stored in plaintext?
Structural metadata only: document titles (kept in plaintext so that search works), IDs, timestamps, and role enums. Apart from titles, no user-authored content is stored in plaintext. See Trust Center — Data handling for the complete list.
Encryption
What algorithm do you use for encryption at rest?
AES-256-GCM with separate encryption keys per user and per document. See Encryption At Rest for details.
How do you manage encryption keys?
Encryption keys are managed server-side, with offline backups. When a user's access to a document is revoked, the document key is rotated automatically, so that user's key material can no longer decrypt the current content; rotation cannot, however, recall plaintext the user decrypted before revocation. A weekly health check monitors key integrity. See How Encryption Works for an overview.
How is data protected in transit?
Every connection between your browser, Vercel, Convex, and our AI providers uses TLS 1.2 or higher. See Trust Center — Encryption for the full transport posture.
Access
Who at Clarus can access customer data?
A small set of operators holds production-access credentials, subject to a written internal-access policy that names authorized triggers, prohibited actions, and the audit trail. The public summary is on Trust Center — Internal access.
What authentication methods do you support?
Google OAuth, GitHub OAuth, and email magic links delivered via Resend (single-use signed URLs that expire after 24 hours). We do not use passwords. See Trust Center — Authentication for session management details.
Do you support SSO or MFA?
Not yet. SSO/SAML and MFA are on the roadmap; the trigger conditions are published in the Compliance Roadmap so customers can see exactly what needs to be true for us to prioritize them.
AI
Do you train AI models on my content?
No. Clarus does not use your content to train AI models. The specific provider clauses we rely on are cited in Privacy Policy §3.
Which AI providers does Clarus use?
Anthropic and Google, each on its default commercial API tier. The named providers and the Zero-Data-Retention upgrade path are documented on Trust Center — AI providers and training.
How long are AI interaction logs retained?
AI-interaction logs are deleted after 90 days. The full retention schedule for every data category is in Privacy Policy §5.
Vendors
Who are your sub-processors?
The complete list of third-party services that process personal data on our behalf is maintained at Sub-processors and includes Convex, Vercel, Anthropic, Google, Resend, and Plausible.
How will I be notified if your sub-processors change?
We post changes to Sub-processors — Change notice at least 30 days before they take effect, giving you time to delete your account if you disagree with the change.
Do you have DPAs with your sub-processors?
Yes. We maintain data-processing agreements with each sub-processor and rely on Standard Contractual Clauses for EU data transfers where applicable. See the Compliance Roadmap for the GDPR row.
Incident Response
How quickly will you notify us of a data breach?
If we become aware of a data breach likely to result in a risk to your rights, we notify affected users and the relevant authorities within 72 hours. This commitment is documented on Trust Center — Breach notification.
How do I report a security vulnerability?
Email security@clarus.page with a description and steps to reproduce. We commit to the acknowledgement, triage, and remediation SLAs published on Trust Center — Vulnerability reporting.
What is your vulnerability remediation SLA?
High-severity issues are remediated or mitigated within 30 days, medium within 60, and low within 90. The full commitment — including our pledge not to pursue legal action against good-faith researchers — is on Trust Center — Vulnerability reporting.
Compliance
Are you SOC 2 certified?
Not yet. Our readiness program is complete (policies authored, controls implemented, evidence process documented) and the audit is planned when funded. The state of every standard we are asked about is on the Compliance Roadmap.
Do you comply with GDPR and CCPA?
Yes. We honor GDPR data-subject rights (access, correction, deletion, portability), the CCPA/CPRA right to opt out of sale, and the Oregon Consumer Privacy Act's profiling opt-out. The posture for each regulation is on the Compliance Roadmap.
Last updated: