Security & data handling
A plain-English summary of how ClauseClear secures the data it touches. For procurement teams who need a one-page answer; for solicitors and DPOs who want the detail. Every claim on this page is operationally true today, not aspirational.
Last updated:
Data residency
ClauseClear data lives primarily in the European Union. Our database (Supabase Postgres) sits in Frankfurt, Germany. Transactional email is dispatched from Ireland (Resend, eu-west-1). Hosting and edge caching is handled by Vercel with EU regions prioritised.
The single exception is AI inference: when ClauseClear runs the Simpler Terms translator, the submitted Terms & Conditions text is sent to Anthropic for processing. Anthropic operates UK and US data residency. Inference inputs are not retained for training under our enterprise terms with Anthropic.
A complete list of every third party that touches data is on our Subprocessors page.
Encryption
- In transit: TLS 1.2+ enforced on every public endpoint (HTTPS-only). HSTS preload enabled on the production domain.
- At rest: AES-256 encryption for the Postgres database (provided by Supabase) and for backups. API keys and secrets stored in Vercel are encrypted with AWS KMS.
- Email: Outbound transactional email is signed (DKIM) and sender-authenticated (SPF) so recipients can verify it genuinely came from ClauseClear.
Access control
- Customer data is segmented per merchant via Postgres row-level security (RLS) policies. A merchant’s data is unreachable by another merchant’s authenticated session, even if the application code had a bug — the database itself enforces the boundary.
- Sign-in is via single sign-on only (Google or Microsoft). ClauseClear never stores merchant passwords. Multi-factor authentication is the responsibility of the merchant’s identity provider.
- Internal admin access (the
/adminarea) is restricted to a short, named allowlist. Access is read-mostly and logged. - Production database credentials are rotated when staff with knowledge of them leaves the company.
Audit & change-detection
Every audit ClauseClear runs against a merchant’s Terms & Conditions is recorded with a SHA-256 content hash of the source document. Daily, our hash-monitor re-fetches each verified merchant’s T&Cs URL and compares the new hash to the stored one.
When the underlying terms change, three things happen automatically: (1) the audit is flagged stale; (2) the public Verified badge auto-downgrades to “not currently verified”; and (3) the merchant is emailed to re-audit. There is no quiet drift.
Backups & disaster recovery
- Database backups are taken daily by Supabase, retained for at least 7 days on the current plan.
- Application code is stored in a private GitHub repository with full history; rollback to any prior deployment is one click on Vercel.
- Recovery time objective (RTO) for a complete platform outage: under 4 hours. Recovery point objective (RPO) for data loss: under 24 hours.
Vulnerability handling
We monitor our dependencies for known vulnerabilities (CVEs) on every deploy via GitHub’s automated dependency scanning. Critical security patches are applied within 24 hours of disclosure where practicable; high-severity within 7 days.
If you believe you have found a security vulnerability in ClauseClear, please email hello@clauseclear.co.uk with the subject line “Security vulnerability disclosure”. We will acknowledge receipt within two working days and will not pursue legal action against good-faith security researchers who follow standard coordinated-disclosure principles.
Breach notification
In the event of a personal-data breach that meets the UK GDPR notification threshold, we will notify the Information Commissioner’s Office within 72 hours of becoming aware, and notify affected individuals without undue delay where the breach is likely to result in high risk to their rights.
What ClauseClear is NOT certified for (yet)
Honesty matters more than puffery. ClauseClear is, at the time of writing, a small UK SaaS without external security certifications:
- Not currently SOC 2, ISO 27001, or Cyber Essentials certified. We rely on certified subprocessors (Vercel, Supabase, Microsoft 365) and inherit security controls from them, but we have not undergone our own external audit. We expect to pursue Cyber Essentials Plus and ISO 27001 once the customer base justifies the spend.
- No formal penetration test has yet been commissioned on our own application. Code review is internal.
- No 24/7 on-call rotation. Incident response is during UK business hours, with best-efforts out-of-hours coverage.
Enterprise customers who need any of the above as a contractual condition should reach out — most can be addressed via security commitments in our Data Processing Agreement.
Who is responsible
Security is owned by the directors of PJ Consulting Group Ltd. We do not have a dedicated CISO at this stage; security responsibilities are held jointly by the engineering and operations leads.
For security or compliance questions, write to hello@clauseclear.co.uk.