Security at ClearStax
We help MSPs deliver compliance to their clients. That starts with how we secure our own platform.
Infrastructure
Built on trusted, certified providers with security baked in at every layer.
Supabase
SOC 2 Type II certified. Managed PostgreSQL with built-in Row Level Security for tenant isolation.
Cloudflare
Global edge network with DDoS protection, WAF, and TLS termination. All traffic is proxied and filtered.
Hetzner
ISO 27001 certified data centers. Dedicated compute for background jobs and agent workloads.
Data protection
Your clients' data is encrypted, isolated, and backed up — always.
Encryption at rest
All data is encrypted at rest using AES-256. Database volumes, backups, and file storage are all covered.
Encryption in transit
TLS 1.2+ enforced on every connection. All API traffic, webhooks, and internal service communication are encrypted.
Tenant isolation
Row Level Security (RLS) policies enforce strict tenant boundaries at the database layer. No cross-tenant data leakage — ever.
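Added illustration, not ClearStax's own schema or policy: how a PostgreSQL Row Level Security policy of the kind described above enforces a tenant boundary, and the checks a reviewer would run against it. It assumes a hypothetical client_records table keyed by tenant_id and an application that sets the current tenant in a session variable (app.tenant_id) at the start of each transaction.

```sql
-- Hypothetical table: every row carries the tenant that owns it.
CREATE TABLE client_records (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    payload    text NOT NULL
);

-- ENABLE alone still lets the table owner see everything; FORCE applies the
-- policy to the owner too. Superusers and roles with BYPASSRLS are never
-- filtered, so the application must connect as an ordinary role.
ALTER TABLE client_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE client_records FORCE ROW LEVEL SECURITY;

-- USING filters what can be read, updated or deleted; WITH CHECK rejects
-- writes whose tenant_id differs from the caller's tenant. NULLIF handles the
-- unset case (current_setting returns NULL or '' when app.tenant_id was never
-- set), so with no tenant context the comparison is NULL and the policy
-- matches nothing: it fails closed instead of raising a cast error.
CREATE POLICY tenant_isolation ON client_records
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: the API binds the tenant from the authenticated session with
-- SET LOCAL, so the setting dies with the transaction and cannot leak into a
-- pooled connection reused by another tenant.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
INSERT INTO client_records (tenant_id, payload)
    VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A data');
-- A write tagged with another tenant's id is rejected by WITH CHECK:
-- INSERT INTO client_records (tenant_id, payload)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'not allowed');
COMMIT;

-- Verification: switch tenant context and confirm tenant A's row is
-- filtered out, then query with no context at all and confirm nothing
-- is visible either. Both counts must be zero for the boundary to hold.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM client_records;
COMMIT;
SELECT count(*) FROM client_records;
```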
Daily backups
Automated daily backups with point-in-time recovery. Backups are encrypted and stored in a separate geographic region.
Authentication & access control
Defense in depth for every user and every session.
Multi-factor authentication
MFA support via TOTP authenticator apps. Available on all plan tiers — no extra cost to secure your accounts.
Role-based access control
Granular RBAC with predefined roles (Admin, Manager, Analyst, Viewer). Assign permissions per user, per tenant.
Session management
Secure, short-lived JWT tokens with automatic refresh. Sessions expire after inactivity and can be revoked by admins.
Audit trail
Every login, data access, and configuration change is logged with timestamp, user ID, and IP address.
Compliance posture
We hold ourselves to the same standards we help our customers achieve.
SOC 2 Type II
SOC 2 readiness program is underway. We've implemented controls across security, availability, and confidentiality trust service criteria.
HIPAA-ready architecture
Our platform architecture supports HIPAA requirements including encryption, access controls, audit logging, and tenant isolation. BAAs available on Scale plans.
Penetration testing
Third-party penetration testing is scheduled for Q3 2026. Results and remediation details will be shared with enterprise customers upon request.
Data processing locations
All customer data is processed and stored in the United States (Oregon region). Backups are geo-replicated within the US. No data leaves US jurisdiction.
Responsible disclosure
Found a security vulnerability? We take every report seriously. Please disclose responsibly by emailing us directly — do not open a public issue.
security@clearstax.com
We aim to acknowledge reports within 48 hours and resolve confirmed vulnerabilities promptly.
Questions about our security practices?
We're happy to walk through our security architecture during your demo.