Security isn't a feature.
It's the foundation.
ClearGRC is built for the security and compliance teams that run governance, risk, and compliance programmes — which means the platform itself has to clear the same bar. Here's how we protect your data, your tenant, and your trust.
Data Protection
Encryption in transit and at rest, multi-tenant isolation, regional residency, and backup with controlled retention.
Access Control
Azure AD B2C SSO, multi-factor authentication, granular 8-flag RBAC per module, and per-role workflow restrictions.
Operational Security
Dual-layer immutable audit trail, hosted on Microsoft Azure, monitored continuously, with documented incident response.
Compliance Posture
Aligned to ISO 27001, NIST CSF, and SOC 2 control families. Independent attestation roadmap in progress.
How your data is secured at rest and in transit.
ClearGRC is hosted on Microsoft Azure with encryption applied throughout, regional tenant isolation, and operator controls over residency and retention.
Encryption
- TLS 1.2+ for all data in transit between client and platform
- AES-256 encryption at rest for all stored data, including database, file storage, and backups
- Encryption keys managed via Azure Key Vault with restricted access
- Hashed and salted passwords (PBKDF2) for any account credentials we hold
Multi-Tenant Isolation
- Tenant-scoped data model — every query carries the tenant context, enforced at the application layer
- Customer data is logically segregated by tenant identifier on every record
- Cross-tenant access is impossible by design, including for administrative users
- Tenant-aware audit trail captures every read/write with tenant attribution
Data Residency
- Data is hosted in the Azure region you choose at the time of tenant provisioning
- List of currently supported regions available on request — additional regions available for enterprise deployments
- Data does not leave the chosen Azure region except for documented sub-processors (see below)
- Cross-border transfers, where applicable, governed by your Data Processing Agreement
Backup & Recovery
- Automated encrypted backups of customer data within the tenant region
- Point-in-time restore for the database supported via Azure-native capabilities
- Defined RTO/RPO targets per deployment tier — available under NDA
- Disaster-recovery procedures tested as part of operations review
Who can do what — defined, enforced, audited.
Authentication, authorisation, and oversight built around the way GRC teams actually segregate duties — assessor vs reviewer vs approver, with a full audit trail of every privileged action.
Authentication
- Azure AD B2C as the identity provider
- Single sign-on (SSO) via SAML / OpenID Connect for enterprise tenants
- Multi-factor authentication (MFA) enforceable per tenant policy
- Configurable session timeout and idle-lock policies
- Password policies (length, complexity, expiry) configurable per tenant
Role-Based Access Control
- Granular 8-flag permission model per module: Read · Execute · Add · Edit · Delete · Review · Approve · Report
- Roles defined per tenant — assessor, reviewer, approver, custodian, third-party
- Workflow-level segregation of duties enforced (one user cannot self-approve their own assessment)
- Least-privilege defaults — new users start with zero permissions and must be explicitly granted
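The following is an added illustration, not ClearGRC's own code, of how the eight per-module flags, the zero-permission default, and the self-approval check described above can be expressed; the module name "assessments" and the role definitions are assumed for the example.

```python
"""Eight-flag per-module permission model with least-privilege defaults and a
segregation-of-duties check (no self-approval). Illustrative only; module and
role names are assumed, not ClearGRC's actual identifiers."""
from dataclasses import dataclass, field
from enum import IntFlag


class Perm(IntFlag):
    """The eight per-module flags, one bit each (order as listed on the page)."""
    READ = 1
    EXECUTE = 2
    ADD = 4
    EDIT = 8
    DELETE = 16
    REVIEW = 32
    APPROVE = 64
    REPORT = 128


# Role -> {module: flags}. Roles are tenant-defined; these are assumed samples.
ROLES = {
    "assessor": {"assessments": Perm.READ | Perm.EXECUTE | Perm.ADD | Perm.EDIT},
    "reviewer": {"assessments": Perm.READ | Perm.REVIEW},
    "approver": {"assessments": Perm.READ | Perm.APPROVE | Perm.REPORT},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # least privilege: no roles, no flags


@dataclass
class Assessment:
    id: str
    assessor: str  # the user who executed the assessment


def effective(user: User, module: str) -> Perm:
    """Union of the flags granted by the user's roles for one module; 0 if none."""
    flags = Perm(0)
    for role in user.roles:
        flags |= ROLES.get(role, {}).get(module, Perm(0))
    return flags


def has_perm(user: User, module: str, needed: Perm) -> bool:
    """True only if every bit in `needed` is present in the effective flags."""
    return (effective(user, module) & needed) == needed


def can_approve(user: User, assessment: Assessment) -> bool:
    """APPROVE flag is necessary but not sufficient: the assessor may not self-approve."""
    if not has_perm(user, "assessments", Perm.APPROVE):
        return False
    return user.name != assessment.assessor
```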
Audit Trail
- Dual-layer immutable audit trail — every create, update, delete, and privileged action is captured
- Audit records cannot be modified or deleted, including by tenant administrators
- Audit log exposes actor, action, target, timestamp, IP, and outcome
- Audit data available to tenant administrators via the platform UI and export
Administrative Controls
- Tenant administrators manage their own users, roles, and permissions
- ClearGRC personnel access is restricted, logged, and requires explicit business justification
- Production access requires MFA and is subject to break-glass procedures
- No customer data is accessed for support without explicit customer authorisation
How we run the platform.
Vulnerability management, secure development, monitoring, and incident response — applied to the platform that runs your GRC programme.
Vulnerability Management
- Static and dynamic application security scanning integrated into the CI/CD pipeline
- Dependency scanning for known CVEs in third-party libraries
- Infrastructure scanning of Azure resources and configurations
- Patching of operating system, runtime, and dependencies on a defined cadence
- Internal Nessus scanning of production environments
Secure Development Lifecycle
- Peer code review required for every change merged to main
- Branch protection rules enforce review, status checks, and signed commits
- Secrets scanning blocks credentials from entering the source repository
- Security training for all engineers on OWASP Top 10 and secure coding
Monitoring & Logging
- Application telemetry, error tracking, and uptime monitoring across the production stack
- Centralised logs from application, runtime, network, and identity layers
- Alerts on authentication anomalies, error spikes, and security-relevant events
- Retention aligned to enterprise-grade audit and forensic needs
Incident Response
- Documented incident response procedures covering detection, containment, eradication, and recovery
- Affected customers notified per contractual obligations and applicable law
- Post-incident review and remediation tracked through closure
- Contact: info@clearinfosec.com
Our roadmap, honestly stated.
ClearGRC is built around the control families of major frameworks. Where we hold independent attestation we say so; where we don't yet, we say that too.
SOC 2 Type II
SOC 2 Type II readiness underway. Independent attestation targeted; status available under NDA.
ISO/IEC 27001:2022
ISMS implementation in progress, mapped to ClearGRC's own platform. Certification timeline shareable on request.
NIST CSF 2.0 / SP 800-53
Platform control objectives mapped to NIST CSF 2.0 functions and SP 800-53 controls. Mapping shareable on request.
Who we use, and why.
ClearGRC uses a limited set of third-party services to deliver the platform. Each sub-processor is reviewed for security posture before onboarding.
Full sub-processor list with versioned change history available on request under NDA.
Found a vulnerability?
We welcome responsible disclosure from the security community. Email us with details — we'll respond, investigate, and remediate. We don't pursue legal action against good-faith research.
Want the full security package?
Detailed architecture, sub-processor change history, compliance attestation timelines, and Data Processing Agreement available under NDA. Let's talk.