Trust & Security

Security is the foundation, not a feature.

A platform that holds your compliance programme must itself meet the highest security standards. ClearGRC is built — and independently audited — to do exactly that.

Certifications

Independently verified.

Our security posture is not self-assessed. Independent auditors review our controls on an annual basis — and we make the reports available on request.

  • 🔐 SOC 2 Type II
  • 🛡️ ISO 27001 Aligned
  • 🇪🇺 GDPR Compliant
  • 🔒 AES-256 Encryption
  • 🧪 Pen Tested Annually

Security Controls

How we protect your data

Six layers of protection — from the network perimeter to the application data model — each independently tested and continuously monitored.

Encryption everywhere

AES-256 encryption at rest for all stored data. TLS 1.3 for all data in transit. Encryption keys managed in a dedicated HSM with annual rotation.

Access control

Role-based access control with attribute-level permissions. Principle of least privilege enforced by default. MFA required for all users. SSO via SAML 2.0 and OIDC.

Immutable audit logs

Every action — login, read, create, update, delete — logged with timestamp, user identity, IP, and change detail. Logs are tamper-proof and exportable on demand.

VAPT & pen testing

Annual vulnerability assessment and penetration testing by an independent third party. Findings triaged within 24 hours; critical issues patched within 72 hours.

Network security

Web application firewall, DDoS protection, and network-level intrusion detection. All ingress and egress traffic is monitored, with anomalies alerted in real time.

99.9% uptime SLA

Financially backed uptime commitment. Redundant infrastructure across multiple availability zones. Continuous health monitoring with automated failover.

Data Handling

Your data. Your control.

We don't sell your data, use it to train AI models, or share it with third parties beyond the sub-processors disclosed in our DPA. Your compliance data is yours — and you can export or delete it at any time.

  • Data Processing Agreement (DPA) available on request
  • Sub-processor list published and updated within 30 days of change
  • Data export in standard formats (JSON, CSV, PDF) at any time
  • Right to erasure honoured within 30 days of request
  • Retention policy configurable per data type

Data residency options

  • Primary regions: 🇺🇸 US East  |  🇪🇺 EU West  |  🇸🇬 APAC
  • Data sovereignty: your data never leaves your chosen region
  • Backup encryption: AES-256 — same as production

Request security documentation

  • Available on NDA: SOC 2 Type II report, pen test executive summary, DPA

Your security team has questions. We have answers.

We provide SOC 2 reports, pen test summaries, DPA, and security architecture documentation for enterprise due diligence. Just ask.