Security practices
We know you’ve entrusted ClarityLoop with your team’s most valuable data—feedback, growth history, and insights that shape people’s futures. We take that trust seriously. This page outlines the systems and practices we’ve put in place to protect your data.
Data Security
- Automated Backups: Hosted on Google Cloud Platform (GCP), we perform encrypted, automated daily backups of production data using GCP’s built-in infrastructure. Our resilience testing has confirmed our ability to restore from backups reliably.
- Data Deletion & Retention: Workspace owners can request deletion of their workspace by contacting security@clarityloop.com. Certain system logs may be retained for audit and compliance purposes, as permitted by applicable law.
- Encryption at Rest: All customer data is encrypted at rest using AES-256 across GCP storage systems, including Cloud SQL and GCS.
- Encryption in Transit: All data in transit is encrypted via TLS 1.2 or higher, both internally and externally.
- Access Monitoring: All access to ClarityLoop systems is logged, including administrative actions and data modifications. These logs are processed via GCP-native tools for real-time analysis and alerting.
- Physical Security: ClarityLoop relies on GCP’s infrastructure and its extensive physical security controls. Learn more in Google Cloud’s security documentation.
Application Security
- Secure Development: ClarityLoop follows a secure-by-default approach to development. All deployments go through automated CI/CD pipelines, minimizing manual intervention and reducing the risk of human error. GitHub provides code scanning and dependency alerts to help detect known vulnerabilities early in the development lifecycle.
- Credential Management: Secrets are securely stored and managed using GitHub Secrets during CI/CD, and Kubernetes Secrets within GKE for runtime use. Secrets are encrypted at rest and access is restricted via least-privilege policies.
- Vulnerability Scanning: GCP-native tools and GitHub’s security features (like Dependabot) are used to monitor dependencies and containers for known vulnerabilities.
- Responsible Disclosure: While we don’t have a formal bug bounty program, we welcome responsible security disclosures. Please contact security@clarityloop.com.
- Web Application Firewall (WAF): GCP-managed WAF solutions are in place to help mitigate OWASP Top 10 threats and common exploit patterns.
Security Profile
- Data Access Level: Only authorized personnel can access customer data for legitimate operational or support needs. All access is logged and monitored.
- Third-Party Dependencies: ClarityLoop uses a small set of trusted third-party services. A complete list of subprocessors is available here.
- Hosting Provider: ClarityLoop is fully hosted on Google Cloud Platform (GCP), leveraging regional isolation and cloud-native security.
- Recovery Objectives:
  - RTO (Recovery Time Objective): 2 hours
  - RPO (Recovery Point Objective): 24 hours
Corporate Security
- Incident Response: ClarityLoop maintains a documented incident response procedure covering detection, containment, investigation, remediation, and communication.
- SSO & MFA for Internal Access: All access to internal and production tools is gated through SSO with enforced MFA.
- Security Training: Security awareness and secure coding best practices are followed diligently and formalized in onboarding when team members are added.
Access Control
- Least Privilege: Access is provisioned based on specific roles and responsibilities. Access reviews are done regularly.
- Audit Logging: Access to critical infrastructure and sensitive operations is logged and monitored using GCP audit logs tooling.
- Password Management: Bitwarden is used for secure password management. Shared accounts are avoided, and MFA is enabled wherever supported.
Infrastructure
- DDoS Protection: We rely on GCP services to protect against volumetric attacks.
- Environment Separation: Production, staging, and development environments are isolated. Customer data never resides in non-production environments.
- Infrastructure Reviews: Infrastructure and configurations are reviewed internally as part of regular operational hygiene.
- CI/CD Pipelines: All deployments are managed through automated CI/CD pipelines hosted on GitHub Actions.
- Version Control: ClarityLoop uses GitHub for all version control and code collaboration, with branch protection and code review enforcement.
Endpoint Security
- Device Encryption: Company-managed laptops are encrypted using full disk encryption (e.g., FileVault on macOS).
- EDR Coverage: GCP-native protections are used to detect and monitor for malware and suspicious activity on endpoints.
Network Security
- Firewalling & Segmentation: GCP VPC firewalls are configured with allowlists and fine-grained network segmentation to limit access between services.
- IDS/IPS: Intrusion detection is in place via GCP-native services. At present, this setup is alert-only and not tied to automated response playbooks.
- Office Network Policy: All production access is through cloud-based infrastructure. Personal networks do not connect to production systems.
Product Security Features
- Domain Verification: Workspace admins can verify and manage email domains to enforce identity consistency and control access.
- SSO & SAML: SAML SSO is supported for Enterprise customers.
- Audit Logs: Admins can view activity logs to investigate changes, track access, and monitor workspace usage.
- Two-Factor Authentication: SSO-based workspaces can enforce 2FA through their identity provider.
- Granular Permissions: ClarityLoop supports workspace- and feature-level permissions, allowing organizations to restrict access appropriately.
Artificial Intelligence (AI) Governance
ClarityLoop uses AI to help users give and receive clearer, more actionable feedback, and to identify patterns that support team growth.
- Responsible Use: ClarityLoop leverages services from Azure OpenAI and Google AI to deliver AI-powered experiences. These providers prohibit the use of customer data for training their foundation models by default.
- Data Governance: Customer data sent to AI services is used strictly for inference, not training. We do not store prompts or completions outside of our systems unless explicitly required to power a feature (e.g., historical insights or summaries).
- Security Reviews: All AI vendors are reviewed for security, compliance, and data handling practices prior to integration.
- Transparency & Control: Our AI features are built to enhance—not replace—human decision-making. Customers retain control over their data and can choose how and when AI is used within the product.
Compliance & Privacy
ClarityLoop is built with security and privacy in mind, and we align our practices with leading industry standards and regulations:
- Data Protection: We follow principles of GDPR and CCPA, and offer Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) upon request.
- Privacy by Design: Our systems are architected to minimize data exposure, with access controls, encryption, and auditability as core design tenets.
- Enterprise Readiness: For customers with specific compliance needs (such as HIPAA or SOC 2), we’re happy to discuss roadmap alignment and data handling practices. Reach out to security@clarityloop.com.
- Data Processing Addendum: Our DPA outlines the legal and technical commitments we make as a data processor.
FAQs
What types of data does ClarityLoop store?
We store user-generated content like feedback, 1:1 notes, and OKRs, along with contextual metadata (e.g., who gave feedback, when, and any attached references). We do not store any plain text passwords or payment information directly.
Where is my data stored?
All customer data is stored in Google Cloud Platform (GCP) data centers located in secure, compliant regions. We do not transfer data outside of these regions without explicit legal safeguards.
Can I export or delete my data?
Yes. Workspace owners can request a data export or deletion by contacting security@clarityloop.com. For more details, see our Data Processing Addendum. Deletion requests are handled promptly, though some audit logs may be retained for compliance or security purposes.
What’s your disaster recovery plan?
We rely on GCP’s highly redundant infrastructure, including automated backups with secure storage. We’ve tested restoration as part of our resilience planning to ensure business continuity.
Who can access our data?
Access is strictly limited. Only a few ClarityLoop employees currently have production access, and only for legitimate support or operational reasons. All access is logged and monitored.
Is customer data used for AI training?
No. ClarityLoop does not use customer data to train any AI models. Data passed to third-party AI services (Google AI and Azure OpenAI) is used only for inference, not training.
Do you support data residency or regional hosting?
Currently, all data is hosted in GCP’s default multi-region US-based infrastructure. We’re exploring options to support regional hosting in the future.
Can I integrate with my identity provider (SSO)?
Yes. ClarityLoop supports SAML-based Single Sign-On (SSO) for Enterprise plans along with user provisioning.
Can I opt out of analytics or telemetry?
At this time, we do not provide a user-facing analytics opt-out. However, we minimize tracking and do not collect sensitive personal content for analytics purposes. Learn more in our Privacy Practices.
Do you conduct regular security testing?
Yes. We conduct resilience tests periodically. We also welcome responsible disclosure of bugs at security@clarityloop.com.