Security & Trust

We operate to the standards we help clients implement.

A compliance platform that does not hold itself to the same bar it holds its clients to is a liability, not a solution. This page documents concrete practices that apply to the ClearPath platform itself, including subprocessor transparency, our architecture, vulnerability management, and business continuity. Detailed attestations and questionnaires are available under NDA.

Architecture

How data flows through the platform.

The diagram below shows the high-level platform architecture. Traffic terminates at a CDN with a web application firewall, authenticates against an enterprise identity provider, and routes through an API gateway into tenant-isolated services. All client data at rest is encrypted with AES-256; CUI-scoped tenants operate inside Azure GCC / GCC High with FIPS 140-validated cryptographic modules.

  • Client Browser: TLS 1.3 · MFA · SSO
  • CDN & WAF: DDoS · Rate limiting
  • Identity Provider: SAML / OIDC · MFA

APPLICATION TIER (Azure US commercial · GCC / GCC High for CUI-scoped tenants)

  • API Gateway: Authn · Authz · Audit
  • Compliance Engine: Control logic · Scoring
  • Evidence Service: Collection · Attribution
  • Workflow & Alerts: IR · POA&M · Notifications

STORAGE TIER · Encrypted at rest (AES-256)

  • Relational DB: Tenant-isolated
  • Object Storage: Evidence · Documents
  • Key Management: FIPS 140-2/3 modules
  • Audit Log: Immutable

Detailed architecture diagrams (including specific network topology, key hierarchy, and data flow per service) are available to clients and prospective clients under NDA.

Hosting & Infrastructure

Where your data lives.

Primary region
Microsoft Azure, U.S. commercial regions
CUI-scoped tenants
Azure GCC / GCC High as required by client obligation
Data residency
All client data resides in the United States
Sub-hosting
No data leaves primary cloud boundary without written client approval
Physical security
Inherited from Azure SOC 2 Type II, ISO 27001, FedRAMP

Encryption

Data is encrypted, always.

Transit
TLS 1.2 minimum; TLS 1.3 preferred. HSTS enforced.
At rest
AES-256 encryption on all stored data and backups
Cryptographic modules
FIPS 140-2/140-3 validated modules in CUI-scoped environments
Key management
Managed keys with automated rotation; customer-managed keys available for enterprise tenants
Evidence & artifact storage
Encrypted object storage with per-tenant isolation and server-side encryption

Access Control

Least privilege. Fully logged.

Authentication
Multi-factor authentication required for every user. SSO/SAML supported.
Privilege model
Least-privilege RBAC; administrative actions require elevation and are fully logged
Session control
Idle timeout, concurrent session limits, device binding for privileged accounts
Access reviews
Quarterly access reviews with recertification; immediate revocation on role change
Audit logging
All authentication events, data access, and administrative actions logged to immutable storage
Production access
Engineering access to production requires approval workflow and is time-bound

Vulnerability Management

We scan, patch, and test continuously.

Dependency scanning
Automated scanning of third-party dependencies on every build; critical vulnerabilities block deployment until patched
Static analysis
Static application security testing (SAST) integrated into CI; security findings block merge to main
Penetration testing
Annual third-party penetration test of the platform; remediation tracked to closure
Vulnerability disclosure
Public responsible-disclosure program with SLA commitments (see below)
Patch cadence
Critical patches applied within 24 hours of vendor release; high within 7 days; medium within 30 days
Container & infrastructure
Image scanning on every push; infrastructure-as-code reviewed for misconfiguration before apply

Business Continuity & Disaster Recovery

When things go wrong, recovery is measurable.

Recovery Time Objective (RTO)
4 hours for the production application tier
Recovery Point Objective (RPO)
15 minutes for primary databases; 1 hour for object storage
Backup frequency
Continuous transaction-log backup; full database backup daily; object storage replicated to a secondary region
Backup retention
30 days for daily backups; 365 days for monthly snapshots
DR testing
Disaster recovery drill performed at least annually with documented results
Geographic redundancy
Cross-region replication within U.S. boundaries; CUI-scoped tenants replicated only to compliant regions

Retention & Deletion

You own your data. We delete on demand.

Active engagement
Client data retained for duration of engagement with full client access
Post-termination
90-day retention window for client-initiated export, then secure deletion
Client-initiated export
Full data and evidence export available at any time in standard formats
Deletion standard
Cryptographic erasure of keys followed by overwrite; written deletion confirmation provided
Backup retention
Backups follow the same retention and deletion schedule as primary data
Log retention
Audit logs retained for 12 months minimum, longer as required by client compliance obligation

Organizational

The people behind the platform.

Background checks
All personnel with production access complete background verification before access is granted
Security training
Annual security awareness training with role-specific modules for privileged users
Confidentiality
All personnel bound by written confidentiality obligations that survive engagement termination
Subprocessor vetting
Subprocessors assessed against the same standards required of our clients; complete list available on this page and updated as changes occur

Subprocessor Transparency

Every vendor that touches your data.

ClearPath uses the following subprocessors. Each is assessed against the same standards we apply to our clients. We update this list when subprocessors change and notify clients of material additions in advance under our DPA.

Vendor | Purpose | Data Category | Region
Microsoft Azure | Primary cloud hosting, compute, storage, networking | All platform data | United States
Anthropic | AI compliance advisor (CMMC Readiness Calculator analysis only) | User-submitted assessment answers; no persistent storage by vendor | United States
Formspree | Contact form submission delivery | Submitter name, email, message | United States
Resend | Transactional email delivery (readiness report copies) | Recipient email, report content | United States
Vercel | Marketing site hosting and edge delivery | Marketing site traffic only; no client platform data | United States

Last updated: April 2026. Existing clients receive 30 days written notice of material changes to this list before they take effect.

Compliance Posture

What we align to.

We do not claim attestations we do not hold. Below is an honest accounting of the frameworks we align to, the ones we are pursuing, and the ones we inherit from our hosting provider.

NIST SP 800-171 Rev. 2

Aligned

Internal control implementation mirrors what we deliver to clients

CMMC Level 2

Aligned

Platform architecture designed for CMMC-scoped deployments

SOC 2 Type II

On roadmap

Targeted Type II report; readiness work underway

HIPAA

Aligned

Controls available for healthcare-scoped tenants

Azure FedRAMP / DoD IL inheritance

Inherited

Underlying cloud platform attestations apply to hosted workloads

Responsible Disclosure

Report a security issue.

We welcome reports of potential security issues in the ClearPath platform from security researchers, clients, and the broader community. Submit through our contact form with “Security Disclosure” in the message. All submissions route to our security team, not general support.

We commit to:

  • Acknowledge receipt within 2 business days
  • Provide an initial assessment within 5 business days
  • Keep you informed of remediation progress with a target close date
  • Credit you in any public disclosure (with your permission)

Please do not test vulnerabilities against production data or attempt to access data belonging to other clients. We ask researchers to follow responsible-disclosure norms and give us reasonable time to remediate before any public disclosure.

Due Diligence

Documentation available under NDA.

Prospective clients and existing clients performing vendor due diligence may request the following:

  • Detailed security architecture (per-service data flow, key hierarchy, network topology)
  • Written responses to CAIQ / SIG / custom security questionnaires
  • Penetration test executive summary
  • Business continuity and disaster recovery test results
  • Incident response plan and runbook excerpts
  • Subprocessor security assessments and DPA addendums
  • Applicable compliance attestations as they are issued

Request these through our contact form with “Security Due Diligence” in the message.

Questions about our security posture?

Submit a due-diligence request and a member of the team will respond within one business day.
