Security
The Same Tenant Isolation As Clarus CLM
Cross-tenant leaks are a P0 incident. Every tenant-scoped query opens a transaction with a per-request tenant context. Even a forged query cannot escape the boundary. PII is encrypted at rest with per-tenant keys, and field-level access is logged separately. Compensation data is gap-only on every UI surface; salary numbers never leave the masked-field path. Probation decisions, contractor classification scoring, and policy acknowledgment chains all carry their own append-only audit trails.
Row-Level Tenant Isolation
Every tenant-scoped table runs row-level security enforced at the database layer. The application role does not bypass it. Queries without a tenant context return zero rows. Firm Mode adds a second axis (client_workspace_id) inside a firm so a multi-client services firm can keep each engagement walled off from the others.
Append-Only Audit Log
Every mutation writes an immutable audit row with actor, target, before/after JSON, IP, user-agent, and request ID. Triggers reject UPDATE and DELETE at the database level. Verification HMAC on signed exports.
Envelope-Encrypted PII
SSN, DOB, bank, immigration documents, medical, and investigation notes are encrypted at rest with envelope encryption (per-tenant data encryption keys). Field-level reads write a separate PII access event.
Idempotent + Dry-Run by Default
Every mutating endpoint accepts an Idempotency-Key header. Re-execution returns the original result. Every batch action accepts dry_run=true and returns the predicted before/after diff without committing.
Per-Tenant BYOK
Bring your own AI provider key. AI usage meters against your key and never bills back to Clarus. Per-tenant usage limits configurable. Available on the Firm tier.
Dedicated Infrastructure
Enterprise Secure tier provisions an isolated tenant with dedicated compute, BYOK key management, custom SLAs, and data residency in US, EU, or APAC.
SIEM Forwarders
Outbound audit-log forwarding to Splunk, Datadog, Sentinel, ArcSight (CEF), and QRadar (LEEF v2). Per-tenant prefix filtering. Wraps the standard webhook signing + retry machinery.
MFA + WebAuthn + SSO
TOTP and FIDO2 (Touch ID, Face ID, Windows Hello, YubiKey). SAML and OIDC SSO with JIT provisioning and login-risk scoring. Step-up auth on sensitive routes.
Retention + Legal Holds
Every object class has a retention policy in years with legal-hold support. Holds suspend deletion until released. Hold release requires legal_reviewer role and is logged as a tier-4 approval.
Compensation Gap-Only Display
Salary fields stay server-side. The Compensation Anomalies surface renders only the gap percent and the band that was compared against. Direct database access is masked for roles below internal_hr_manager; even an admin reviewing the page never sees the raw number unless they explicitly drill into the employee record.
Probation + Classification Audit
Every probation decision (pass / extend / fail) and every contractor classification re-evaluation lands as an append-only audit row with actor, rationale, and the matching evidence. Re-running a classification scan accumulates a row per evaluation; the latest is rendered, the prior ones stay queryable for legal review.
Operational HR Debt Trail
Detected debt items, AI-generated summaries, the human resolution choice (resolve / dismiss / accept-risk), and the resolution note are all bound together in a single audit chain. Accepted-risk items require a mandatory note that surfaces on the audit log next to the actor.
Compliance Posture
Audit hardening is baseline on every tier. SOC 2 readiness mode is not a separate add-on; it ships in the box.
Want a Deeper Look?
Talk to our team about your SOC 2, ISO 27001, or HIPAA requirements. Enterprise Secure customers get dedicated infrastructure and BYOK.