Trust Center · v1

How Clarity Protects Your Data

Clarity is built around a non-negotiable security stance from day zero. The architecture, compliance posture, and subprocessor list below are public commitments — not legal disclaimers.

Architectural commitments

  • Encrypted at rest (Supabase AES-256), RLS-isolated per user, cryptographic erasure on account deletion.
  • Vent transcripts and sensitive inputs stored in an isolated, RLS-protected partition. No Clarity employee can query them directly.
  • Per-user encryption keys (Phase 2) — when shipped, even Clarity’s own database access cannot decrypt stored content.
  • No voice cloning. Ever. Pre-set voices only.
  • No password authentication. Passkeys only.
  • All exports are watermarked to deter unauthorized sharing.
  • Vault Mode (Elite tier, post-V1) — client-side encryption; Clarity literally cannot decrypt the content.

Subprocessors

Every third party that handles user data is listed below. Users are notified at least 30 days before any subprocessor change.

  • Anthropic (Claude API) — decision content for inference, not retained
  • Vercel — hosting + edge firewall, encrypted at rest
  • Supabase — database, RLS-enforced, encrypted at rest, eu-west-1
  • Stripe — payments only, no decision content
  • Upstash — Redis for app-layer rate limiting, no user content
  • Cloudflare — Turnstile widget + CDN for rewiredminds.io only, no Clarity user content
  • Supabase Vault — encryption key storage (V1: KEK; per-user envelope encryption targets Phase 2)
  • Doppler — secrets, no user data
  • Sentry — error tracking, PII scrubbed before ingestion
  • PostHog — product analytics, privacy-mode default
  • Voice providers — Pending: V1 voice infrastructure

Compliance status

  • GDPR — Article 17 erasure via account deletion and data destruction; cryptographic erasure (per-user DEK deletion) ships Phase 2
  • CCPA — Opt-out of training data inclusion
  • SOC 2 Type 2 — target Year 2; evidence collection in motion from day zero
  • HIPAA — explicitly NOT in scope (Clarity is not a healthcare product). HIPAA-adjacent practices are applied to Vent mode anyway.

Responsible disclosure

Found a vulnerability? See security.txt. Reports are acknowledged within 48 hours; critical issues are fixed within 7 days and high-severity issues within 30 days.

Last updated 2026-04-30 · Trust Center v1 (Phase 0 scaffold) · Full V1 commitments populate at Phase 6 launch.