Clairify Trust Center

Clairify is built on a foundation of security, privacy, reliability, and transparency. This page provides clear information on how we protect your data, meet compliance standards, and ensure the security and reliability of our services.

Compliance

Our compliance posture is maintained through independent audits, certifications, and continuous monitoring.

  • SOC 2 Type I · AICPA SOC for Service Organizations · AICPA Trust Services Criteria · December 2025 · Current
  • CASA Tier 2 · App Defense Alliance · Lab Tested & Verified · Valid to Apr 10, 2026 · ID: 90428485 · Current
  • GDPR · Standard Contractual Clauses · Full data subject rights · Designated DPO · Compliant
  • CCPA / CPRA · No sale of personal data · Full data subject rights · DSAR process · Compliant

Certifications & Audits

Independent third-party assessments validate our security controls and compliance posture.

SOC 2 Type I
Compliance Audit
Current

Percilchofe CPA LLC, an independent Certified Public Accountant, examined Clairifi's controls against the AICPA Trust Services Criteria for Security, Confidentiality, and Privacy as of December 12, 2025 (SSAE 21). Controls were found to be suitably designed — no exceptions noted on any control tested.

Trust Services Criteria: Security, Confidentiality, Privacy
No exceptions noted on all controls tested
Report issued: January 9, 2026
Percilchofe CPA LLC · Certified Public Accountant · License No. 1188
Annual · December 12, 2025

Application Security Assessment — Q1 2026
Security Testing
Current

An independent application security assessment was conducted across three core Clairify platform repositories (Admin Server, Web Admin, Webserver), covering source code review, dependency vulnerability analysis, container configuration review, and API specification analysis. The assessment methodology aligns with OWASP Top 10, OWASP ASVS, and API security design principles.

No critical vulnerabilities identified. All reported findings have been fully remediated.

Niraj Koirala · Independent security researcher · OWASP Top 10 & ASVS methodology
Quarterly · Q1 2026

CASA Tier 2 Certification
Application Security
Current

Clairify has successfully completed a Cloud Application Security Assessment (CASA) Tier 2 — Lab Tested and Lab Verified — conducted by TAC Security, an independent third-party lab authorized by the App Defense Alliance. The assessment validates that Clairify satisfies CASA application security requirements based on the OWASP Application Security Verification Standard (ASVS). This is the second consecutive year of certification.

ESOF Cyber Score: 9.7 / 10
Low Risk — top tier on the 0–10 scale
Scored by TAC Security · March 2025
Cert ID: 90428485 · Valid to: April 10, 2026
TAC Security · Independent lab authorized by the App Defense Alliance
Annual · April 9, 2025

Controls

Security controls implemented across infrastructure, application, and organizational layers.

Continuously monitored

Infrastructure Security

  • All infrastructure is hosted on Google Cloud Platform (GCP)
  • Encryption key access is restricted to authorized personnel only
  • Access is revoked upon employee or contractor termination

Application Security

Independently Verified
  • Architecture, design and threat modeling requirements verified
  • Authentication verification requirements verified
  • Session management verification requirements verified

All 14 OWASP ASVS categories independently verified as Pass by TAC Security (CASA Tier 2, April 2025)

Organizational Security

Independently Verified
  • Background checks are performed on all employees
  • All employees and contractors are required to sign a non-disclosure agreement upon hire and reaffirm it annually
  • Agreements with third parties and subcontractors include clearly defined terms, conditions, and responsibilities

Data & Privacy

  • All data is encrypted in transit using TLS 1.2 or higher
  • All data is encrypted at rest using AES-256
  • Customer data is deleted upon account termination

Product Security

  • Role-based access control (RBAC) is enforced across all product surfaces
  • Audit logging is enabled for all privileged actions
  • Incident response procedures are documented and tested

Subprocessors

A subprocessor is a third-party data processor engaged by Clairifi, Inc. that has, or potentially will have, access to Service Data (which may contain Personal Data) or that processes it.

Vendors and purposes:

  • Google Cloud Platform: Cloud infrastructure and hosting (Named in SOC 2 Type I audit scope)
  • Cloudflare: Web application hosting
  • Supabase: Single sign-on (SSO) authentication
  • Twilio SendGrid: Email delivery for product notifications
  • OpenAI: Text analysis and summarization (Named in Privacy Policy — AI Service Provider)
  • Novita AI: Text analysis and summarization (Named in Privacy Policy — AI Service Provider)
  • Lemon Squeezy: Payment processing and subscription management (Named in Privacy Policy — Payment Processor)
  • Google: Social login (Gmail SSO) and product analytics (Google Analytics) (Named in Privacy Policy — Authentication & Analytics)
  • Microsoft: Social login (Outlook SSO) (Named in Privacy Policy — Authentication)

This list is updated as subprocessors are added or removed. For questions about our subprocessors, contact us at [email protected].

Documents

Public documents are available immediately. Sensitive reports are available to verified customers and prospects upon request.

AUDIT REPORT · Request required
SOC 2 Type I Report
Full SOC 2 Type I audit report prepared by an independent third-party auditor.

SECURITY REPORT · Request required
Application Security Assessment — Q1 2026
Executive summary of Q1 2026 application security assessment by Niraj Koirala. Covers source code review, dependency analysis, container configuration, and API specification across three platform repositories.

POLICY · Public
Privacy Policy
Our full Privacy Policy including GDPR and CCPA provisions.

COMPLIANCE REPORT · Public
GDPR Self-Assessment Report
Clairify's GDPR compliance self-assessment covering Privacy Policy, RoPA, DPIA, DSR process, lawful basis, and DPA applicability. March 2026.

FAQ

Common questions from security reviewers and enterprise buyers.