Security & Compliance

What your security team needs to see.

Clearly is built to be reviewable. Below is the current security posture of the platform — controls in production today, the SOC 2 roadmap, and the contractual commitments we make to Enterprise customers via a DPA.

Current posture

Encryption
TLS 1.3 in transit on every external connection. AES-256 at rest across every primary data store. Third-party access tokens are stored with a per-environment key envelope so a compromise in one environment cannot decrypt another.
Data residency
Compute runs on a global edge network with the request handled at the closest healthy region. Persistence defaults to the closest healthy region with US/EU pinning available on Enterprise. AI inference is pinned to a single named region for predictability.
Authentication
Email + Google sign-in for end users; identity tokens verified server-side on every authenticated request. SSO via SAML 2.0 and SCIM provisioning available on Enterprise — Google Workspace, Okta, and Azure AD tested.
Authorization
Per-workspace RBAC with owner, admin, member, and guest roles. Per-block visibility (private, team, public) enforced server-side at every share-resolve — visibility is never determined by the client.
Audit logging
Workspace activity, share-link access, and billing transitions are written to an append-only audit log. Every authenticated server-side action is captured with user identity, timestamp, and resource path. Audit export available on Enterprise.
Secrets management
All third-party credentials live in encrypted secret stores, never in source control. Rotation is performed on a documented cadence and on every personnel change. No long-lived credentials are issued to engineers — access is short-lived and audited.
Subprocessors
A current subprocessor list is provided under the Data Processing Agreement. The list is reviewed at least quarterly and customers are notified before material additions take effect.
Vulnerability management
Dependencies audited monthly with critical CVEs patched within the published SLA. Workloads run in isolated tenants — no shared VMs or container hosts. Coordinated disclosure at security@clearly.sh; we respond inside 24 hours.
Backup & recovery
Primary data stores are continuously replicated. Daily snapshots retained 30 days. Point-in-time recovery and object versioning available on Enterprise. Restore drills run quarterly.

Roadmap

  • Now: TLS 1.3 in transit, AES-256 at rest, everywhere
  • Now: Per-workspace RBAC + per-block visibility
  • Now: Append-only audit log on share-resolve and billing
  • Now: Email DKIM + SPF aligned
  • Q3: SOC 2 Type I (auditor engaged Q1)
  • Q4: SOC 2 Type II — observation period
  • Q4: SAML + SCIM on Enterprise
  • Next: On-prem option (annual contract, dedicated tenancy)
  • Next: HIPAA BAA for healthcare customers

Enterprise security review

We'll send you the DPA, current SOC 2 status, the subprocessor list, and a security questionnaire response within one business day.

security@clearly.sh →

Found something concerning? Email security@clearly.sh — we respond inside 24 hours.