Security overview
Claresia is built for enterprise procurement. This page is the developer-facing summary; the public, evidence-grade Trust Center lives at trust.claresia.com.
Encryption
| Where | At rest | In transit |
|---|---|---|
| Hub Postgres (Mode A/B) | AES-256, KMS-managed | TLS 1.3 |
| Hub Postgres (Mode C) | Customer-managed | mTLS to Claresia ingest |
| Object storage (artifacts) | AES-256, per-tenant prefix, KMS-managed | TLS 1.3 |
| Telemetry ClickHouse | AES-256 | TLS 1.3 |
| Backups + cross-region copies | AES-256 (CMEK in Mode B/C) | TLS 1.3 |
| Inter-service control plane | AES-256 | mTLS internal mesh |
Cipher suites: TLS 1.3 with AEAD (TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256). No TLS ≤1.1, no SSL.
FIPS 140-2 validated cryptographic modules:
- AWS KMS (FIPS 140-2 Level 2 / 3 depending on region)
- AWS RDS Aurora encryption (delegated to KMS)
- Open-source `cryptography` library (Python) operating in FIPS mode where deployed
Access control
- WorkOS sits in front of every login. Claresia never stores customer passwords.
- SAML 2.0 + OIDC day-1. SCIM 2.0 for user lifecycle.
- MFA delegated to your IdP (Conditional Access).
- RBAC — see Identity overview
- Session lifetime — 5-min sliding JWT, 8-hour absolute, configurable
- Customer Lockbox for Mode B/C — explicit approval before Claresia engineers can access tenant data
- Break-glass access — Claresia’s two CTO-owned break-glass accounts; every use emits a `governance_event` of kind `support.break_glass_invoked` to the affected tenant
Tenant isolation
- Postgres: Row-Level Security keyed on `app.tenant_id`, enforced at the session layer
- Object storage: per-tenant prefix in shared bucket (Mode A) or per-tenant bucket (Mode B/C)
- CMEK: per-tenant encryption key in Mode B/C; customer can rotate or revoke
- Network: per-tenant subnet in Mode B; per-tenant VPC in Mode C
- API: every authenticated request carries `X-Claresia-Tenant`; mismatched bearer + tenant returns 403
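
Row-level security keyed on `app.tenant_id`, written out for PostgreSQL as an added example (not Claresia's schema or code). The table, role and UUIDs are hypothetical, and setting the value per transaction with `set_config` is an assumption suited to pooled connections.

```sql
-- Added example. hub_records, app_rw and the UUIDs are hypothetical;
-- only the setting name app.tenant_id comes from the page.
CREATE ROLE app_rw NOLOGIN;   -- application role: not the owner, no BYPASSRLS

CREATE TABLE hub_records (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid  NOT NULL,
    payload   jsonb NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON hub_records TO app_rw;

ALTER TABLE hub_records ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner bypasses every policy on the table.
ALTER TABLE hub_records FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when the setting was never set, so
-- the predicate is never true and an unscoped session sees no rows.
-- NULLIF covers the empty string left behind on a reused connection after a
-- transaction-local value has been reset.
CREATE POLICY tenant_isolation ON hub_records
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: bind the tenant inside the transaction (third argument true =
-- transaction-local) so it cannot carry over to the next request.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

INSERT INTO hub_records (tenant_id, payload)
VALUES ('11111111-1111-1111-1111-111111111111', '{"k": "v"}');

-- This write targets another tenant and is rejected by WITH CHECK:
-- INSERT INTO hub_records (tenant_id, payload)
-- VALUES ('22222222-2222-2222-2222-222222222222', '{}');

SELECT count(*) FROM hub_records;   -- counts only the bound tenant's rows
COMMIT;

-- Review item: superusers and BYPASSRLS roles are never subject to policies.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```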
Monitoring + auditability
- Every privileged action emits a `governance_event` Hub record (7-year retention)
- Every skill invocation emits an `output` + `telemetry_event` record
- OpenTelemetry traces + metrics + logs to a central Honeycomb tenant
- SLO burn-rate alerts auto-feed `status.claresia.com` within 5 min
- Real-time AI policy monitoring for restricted topics + sensitive content (Clawshield framework)
Vulnerability management
- Pen test — annual external (engagement signed Q1 2026, first report Q2 2026)
- Bug bounty — open Q3 2026 via Bugcrowd or Intigriti
- Vulnerability disclosure policy — published Q1 2026 at `/security/vdp`
- CVE response — internal P0 within 24h; customer notification within 72h for any CVE rated CVSS ≥ 7.0
Compliance certifications
| Certification | Status | Target |
|---|---|---|
| SOC 2 Type 1 | Audit window opens Q1 2026 | Q2 2026 report |
| SOC 2 Type 2 | Q1 2026 audit window | Q4 2026 report |
| ISO 27001 | Not started | Q2 2027 |
| GDPR + Schrems II DPA | Drafting Q1 2026 | Q1 2026 |
| NIS2 + BAA | Not started | Q3 2026 |
| EU AI Act Article 10–12 logging compliance | Built-in (cc-050 governance chain) | GA today |
| ISO 42001 (AI management systems) | Not started | Q3 2027 (after ISO 27001) |
For up-to-the-minute status see trust.claresia.com.
Sub-processors
A live, dated sub-processor list is at Sub-processors and at trust.claresia.com/subprocessors. 14-day notice before any new sub-processor is added (90-day notice if it would process customer Hub records).
Data Processing Agreement
Schrems II compliant DPA template at DPA template and downloadable PDF at trust.claresia.com/dpa. Includes:
- Standard Contractual Clauses
- Technical and Organizational Measures (TOMs)
- Sub-processor consent matrix
- Data subject rights handling
- Schrems II supplementary measures
Customer Security Questionnaire
Pre-filled CAIQ-Lite + SIG-Lite at Customer questionnaire and as downloadable artifacts on the Trust Center.
Architecture whitepaper
This documentation site is the architecture whitepaper. Specifically:
Pen test executive summary
Available under NDA. Request via your CSM (Slack/Teams Connect channel) or security@claresia.com. Expected Q2 2026 (first engagement signed Q1).
Reporting a security issue
- Email: `security@claresia.com`
- PGP: pubkey at `https://docs.claresia.com/.well-known/pgp-key.txt`
- Bug bounty: open Q3 2026
We commit to:
- Acknowledge within 24 hours
- Initial triage within 72 hours
- Status updates every 7 days
- Public disclosure (with reporter credit if desired) within 90 days for confirmed issues
- Reasonable bounty for impactful findings (Q3 2026+)