Security at ClearStax

ClearStax is where MSPs keep their clients' operational record. We hold the platform to the same evidence-led standard the platform produces.

Securing the agent workforce

ClearStax doesn't just show you data — agents observe and propose work on your behalf, and earn the right to act as you raise their trust phase. Every agent runs inside a governance layer you control, so autonomy is earned, bounded, and accountable.

Trust ladder

Every agent begins in an observe-only Shadow phase and is promoted through Supervised, Audited, and Bounded phases — per tenant, under your control. An agent never acts beyond the autonomy you've granted it.

Instant kill-switch

AI execution can be halted platform-wide in an instant. Every dispatch checks the kill-switch before it runs, so there's always a hard stop.

Input & output guardrails

Untrusted content is wrapped and isolated before it reaches a model, and every completion is screened by an output guardrail before it's used. Authorization is never inferred from model output.

Token & cost budgets

Per-tenant and per-agent token and cost budgets cap spend and contain runaway usage. An agent that exceeds its budget is blocked before the next call — it can't quietly burn resources.

Every call on the record

Each model call is recorded — provider, model, prompt and output fingerprints, token count, and cost — scoped to your tenant. The agent workforce produces the same evidence trail as everything else in ClearStax.

Platform foundations

Built on certified, audited infrastructure with security designed into every layer.

Managed, audited data layer

Managed PostgreSQL on a SOC 2 Type II and ISO 27001 certified platform, with row-level security enforcing tenant isolation at the database itself.

SOC 2 Type II · ISO 27001

Hardened edge

A global edge network with always-on DDoS protection and TLS termination. All traffic is proxied through Cloudflare before it reaches the platform — origin infrastructure is never exposed directly.

DDoS + TLS edge

Dedicated US compute

Application compute runs on dedicated, hardened infrastructure in the United States (Oregon), with isolated capacity for background jobs and the agent workforce.

US — Oregon

Data protection

Your clients' data is encrypted, isolated, and backed up — always.

Encryption at rest

Database volumes and backups are encrypted at rest with AES-256. The most sensitive fields carry an additional layer of application-level AES-256-GCM encryption with per-tenant keys — protected even inside the database.

Encryption in transit

TLS 1.2+ enforced on every external connection — all API traffic and webhooks. Internal service traffic stays on a private host network, isolated from the public internet.

Tenant isolation

Row Level Security (RLS) enforces tenant boundaries at the database layer, backed by defense-in-depth tenant scoping in every application query — so one tenant cannot read another's records.

Daily backups

Automated, encrypted daily backups on the SOC 2 Type II managed data platform.

Authentication & access control

Defense in depth for every user and every session.

Multi-factor authentication

MFA support via TOTP authenticator apps, included for every account — no add-on required to secure access.

Role-based access control

Granular RBAC with predefined roles (Admin, Manager, Analyst, Read-only). Assign permissions per user, per tenant.

Session management

Secure, short-lived JWT tokens with automatic refresh. Sessions expire after inactivity, users can revoke their own active sessions, and admins set tenant-wide session policy.

Audit trail

Every login, data access, and configuration change is logged with timestamp, user ID, and IP address.

Our own security posture

We hold the platform to the same evidence-led standard we build into the product.

Enforced

Least-privilege access & audit logging

Production access is least-privilege and reviewed, and every privileged action is logged. Tenant data is isolated at the database with row-level security, so one tenant can never read another's records.

By design

Chain-of-record evidence model

Encryption, access control, audit logging, and tenant isolation are foundations — but the differentiator is provenance. Every record carries a source, an owner, and a timestamp, linked back to the work that produced it, so a control claim can always be traced to its origin.

Penetration testing

We plan independent third-party penetration testing as we grow; results and remediation details will be shared with enterprise customers on request.

Data processing locations

Your primary operating record — database and self-hosted analytics — is stored in the United States (Oregon). Specific functions rely on vetted sub-processors (for example payments, email, SSO, and AI) under data-processing agreements; we share the current sub-processor list on request.

Primary data: US — Oregon

Responsible disclosure

Found a security vulnerability? We take every report seriously. Please disclose responsibly by emailing us directly — do not open a public issue.

security@levoysec.com

We aim to acknowledge reports within 48 hours and resolve confirmed vulnerabilities promptly.

Questions about our security practices?

We're happy to walk through our security architecture during your demo.