
Our Security Posture

Before you trust us with your vendor data — here's ours

Clarito is a tool for security teams. The vendor questionnaire data you process through us is sensitive — it includes your vendors' security posture details and your own evidence library. We hold ourselves to the same controls we help you apply to your vendors.

A note on certification claims: the practices below are aligned with SOC 2 Trust Services Criteria. We do not hold a SOC 2 Type II report (SOC 2 is an auditor's attestation, not a certification), and we do not claim one. We describe what we actually do.

Security Controls

How we protect your data

The controls below are aligned with SOC 2 Trust Services Criteria (Security and Availability). These are practices we follow and can describe in detail on request — not a certification we hold. Enterprise customers may request our security questionnaire response directly.

Encryption at rest and in transit

All data encrypted at rest using AES-256. All data in transit encrypted with TLS 1.2+. No data transmitted unencrypted.

Least-privilege access controls

Internal access to production systems requires MFA and is scoped to minimum necessary privilege. Access logs are reviewed on a scheduled basis.

Penetration testing

Annual third-party penetration tests covering API endpoints, authentication flows, and data access paths. Critical- and high-severity findings are remediated within 30 days of report delivery; medium-severity findings within 90 days.

Network segmentation

Production, staging, and development environments are fully segmented. No cross-environment data access is permitted.

Data backup and recovery

Daily encrypted backups with tested restore procedures. RTO and RPO targets defined and tested quarterly.

Monitoring and alerting

Real-time monitoring of infrastructure and application layers. Anomalous access patterns trigger automated alerts and on-call response.

Data Handling

What happens to your vendor data

Your data stays yours

Vendor questionnaire data you import is processed to generate scores and drafts, then stored in your account. It is not shared with other customers, used to train external models, or sold to third parties.

Data residency

All customer data is stored in US-based infrastructure. Enterprise customers can request private cloud or on-premises deployment.

Retention and deletion

After an account is closed, its data is retained for 90 days and then purged. You can request immediate deletion of your data at any time by contacting [email protected].

data-flow.txt
// Data flow for a vendor review

1. Questionnaire ingested (TLS 1.3)
   ├─ Stored encrypted (AES-256)
   └─ Scoped to your account only

2. Taxonomy parsing runs internally
   ├─ No external API calls for scoring
   └─ No data leaves your account scope

3. Score + draft stored in account
   ├─ Retained per your retention policy
   └─ Deletable on request

4. Audit trail immutable
   ├─ Append-only log
   └─ Exportable by account admin

Shared Responsibility

What we secure vs. what you configure

Clarito secures

Infrastructure encryption at rest and in transit
Internal access controls and MFA enforcement
Network segmentation and monitoring
Annual penetration testing and patching
Backup, recovery, and availability SLAs (Enterprise)

You configure

User account passwords and MFA for your team members
Access permissions for user seats within your account
Data retention settings and deletion requests
Which vendor questionnaire data is uploaded to the platform
Integration credentials and API key management

Questions about our security practices?

Email [email protected] — we respond to all security inquiries within 24 hours. If you are conducting a vendor assessment of Clarito, we can provide a completed security questionnaire response on request.
