Security
Clarus CFO inherits the same isolation, encryption, and audit posture that Clarus CLM enterprise customers run on today.
Tenant Isolation
Every row in every tenant-scoped table carries an org_id and is protected by row-level security at the database. Two tenants cannot see each other's data even if a query is malformed.
Credential Encryption
Accounting, billing, and identity-provider credentials are encrypted at rest with managed envelope keys. Keys are never written to logs and never reach the application boundary in cleartext. Per-tenant BYOK is a planned Enterprise Secure feature.
Read-Only by Default
Every integration is read-only at connect time. Action-taking permissions (cancel a subscription, send a negotiation email) require an explicit per-action approval.
Encrypted in Transit
TLS 1.2+ on every public surface. Internal service traffic between the API, workers, and database is on a private network with mutual authentication.
Role-Based Access
Granular roles per org: viewer, approver, admin, billing. The same RBAC engine that runs Clarus CLM, extended with CFO-specific roles for spend approvers.
Audit Log Per Action
Every recommendation, every approval, every email sent, every cancellation notice: each is logged with actor, timestamp, prior state, and result. SIEM export available on Enterprise Secure.
Dedicated Tenant
On Enterprise Secure, your data lives in a dedicated database and storage bucket with no shared compute. Approved infrastructure regions: US, EU, APAC.
Bring Your Own Keys
On Enterprise Secure, encrypt sensitive fields with keys you control. Revoke access at any time by rotating the key in your KMS.
Compliance Reports
SOC 2 Type II in progress. HIPAA BAA on Enterprise Secure when applicable. Sub-processor list and DPA available on request.
Procurement Data Boundary
Purchase orders, vendor invoices, and contract files uploaded to the 3-way match engine stay inside the tenant. Reconciliation runs server-side; no PO line items, invoice amounts, or contract terms are ever sent to a third-party model without explicit BYOK configuration.
RevOps & Memory Read-Trail
Customer entitlement data, billing lines, support consumption, and the company-memory decision ledger are read with a tenant-scoped principal token. Cross-tenant queries are rejected at the database layer; every read is logged with actor and timestamp for the audit trail.
M&A Engagement Walls
Each acquisition target sits in its own engagement scope inside the acquirer's tenant. Snapshots, findings, and complexity scores are not visible to anyone outside the engagement's assigned reviewers, even within the same acquirer org. Re-running analysis is idempotent and never broadcasts data outside the engagement.
How We Handle Your Financial Data
What We Pull
Transactions, recurring charge cadence, vendor identifiers, and contract metadata. We do not pull personal banking data, individual employee compensation, or private communications.
Where It Lives
Data is stored in your tenant only. No analytics or model training crosses the tenant boundary. Aggregate benchmarks (when available) are computed per tenant and only published with explicit opt-in.
Who Can See It
Only users you have invited to your org. Clarus staff access is gated by role, time-bounded, and logged. Production data access for support requires customer approval.
What Leaves Your Tenant
Nothing. Action emails (negotiation drafts, cancellation notices) are queued for your approval before any external send. We do not auto-mail vendors on your behalf without explicit per-action approval.
Need a Security Review?
We can walk through architecture, data flow, and audit posture with your security team. Sub-processor list and DPA available under NDA.