Security
How Clairist thinks about security
Clairist is built for teams who expect strong defaults across access control, auditability, and privacy. This page gives a high-level view of current posture—not a certification, audit opinion, or exhaustive control matrix.
Beta-ready draft — not final security commitments
This is a beta security overview and should be reviewed by counsel alongside your own risk assessment before production launch. It is not a substitute for negotiated security commitments in an order form, DPA, or security addendum when available.
Access control and authentication
Workspaces are scoped to teams with role-based access and row-level security enforced at the database layer. All authenticated access flows through Supabase Auth and Clairist's own authorization checks.
Auditability and evidence
Evidence, incidents, and key configuration changes are recorded so teams can review history inside the product. Integrity features for certain artifacts are described in the Trust Center; they support your organization's technical review workflows—they are not a substitute for an independent audit.
Infrastructure and data handling
Clairist is deployed on modern cloud infrastructure with encrypted storage and standard isolation between environments. Sensitive configuration is kept in environment variables and managed secrets.
Team scoping and permissions
Roles limit who can see evidence, incidents, billing, and workspace settings. Access is scoped per workspace and enforced at the database layer—no cross-team data leakage.
Assurance and roadmap
SOC 2 Type II is not yet completed for Clairist, and we do not represent that a third-party attestation report is available today. We invest in controls that map to common enterprise expectations and can discuss roadmap and evidence requests with qualified customers under NDA where appropriate.
Subprocessors (summary)
Typical infrastructure subprocessors include Supabase (database, authentication, storage), application hosting (such as Vercel), Stripe when billing is enabled, and Slack when a workspace connects the integration. See the Subprocessors page for the operational list and the Trust Center for DPA and questionnaire routing.
This page is a high-level overview and does not replace formal security documentation or contractual commitments. For DPA, subprocessor, and artifact verification context, see the Trust Center. DPA and procurement intake: trust request form (preferred) or procurement@clairist.com. Security questionnaires and security reviews: security@clairist.com. General product questions: hello@clairist.com.