Security & Trust
We operate to the standards we help clients implement.
A compliance platform that doesn't hold itself to the same bar it holds its clients to is a liability, not a solution. This page documents the practices that apply to the ClearPath platform itself.
Data Residency
Platform data is hosted in U.S. regions. For clients handling CUI, hosting is configured to match your compliance obligations — including GCC or GCC High environments where required.
Encryption
All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using industry-standard encryption. Access to customer data is limited to authenticated sessions over encrypted channels.
Access Control
Administrative access follows least-privilege principles. All access to production systems requires multi-factor authentication and is logged for audit review.
Data Isolation
Client data is logically isolated at the tenant level. No customer data is shared, co-mingled, or used for cross-client analytics.
Subprocessors
We maintain a current list of subprocessors and the categories of data they process. The list is available to clients under NDA during engagement due diligence.
Incident Response
We maintain an internal incident response plan aligned to the same standards we help clients implement. Notification commitments are defined in each engagement agreement.
Data Retention
Client data is retained only for the duration of the engagement plus a defined post-termination window. On termination, data is exported for the client and securely deleted.
Data Ownership
You own your data. All compliance documentation, evidence packages, and policies generated through ClearPath remain the sole property of your organization and are exportable at any time.
Responsible Disclosure
We welcome reports of potential security issues in the ClearPath platform from security researchers, clients, and the broader community. If you believe you have identified a security vulnerability, please report it through our contact form and indicate “Security Disclosure” in the message.
We commit to:
- Acknowledge receipt of your report within 2 business days
- Provide an initial assessment within 5 business days
- Keep you informed of remediation progress
- Credit you in any public disclosure (with your permission)
Please do not test vulnerabilities against production data or attempt to access data belonging to other clients. We ask researchers to follow responsible-disclosure norms and give us reasonable time to remediate before any public disclosure.
Compliance & Audit Documentation
Detailed security documentation — including our subprocessor list, security architecture overview, and compliance attestations — is available to clients and prospective clients under NDA during due diligence.
To request this documentation, use our contact form and indicate “Security Due Diligence” in the message.