© Clairvoyant 2026. All Rights Reserved
Infrastructure security
- Unique production database authentication enforced
- Encryption key access restricted
- Unique account authentication enforced
Clairvoyant
Intelligence, Inc.
At Clairvoyant, our security practices are regularly reviewed by independent auditors, who evaluate our controls across key areas such as data protection, availability, confidentiality, and privacy. This rigorous process demonstrates our dedication to safeguarding customer information and maintaining transparency–so you can trust Clairvoyant to keep your software supply chain secure.
Customers and external users may use [email protected] to report any actual or suspected security, confidentiality, data integrity, or service availability issue related to Clairvoyant services. Reports sent to this address are monitored by Clairvoyant’s security and incident response personnel.
Clairvoyant Intelligence is the Enterprise Software Control Plane for your software perimeter. It provides independent, pre‑approval insight into software wherever it originates or runs—across vendors, pipelines, and internal AI‑driven development—so enterprises can reduce reliance on attestations and ensure only trusted software runs in their environment.
Organizational security
- Production inventory maintained
- Portable media encrypted
- Anti-malware technology utilized
Product security
- Data encryption utilized
- Control self-assessments conducted
- Penetration testing performed
Internal security procedures
- Continuity and Disaster Recovery plans established
- Continuity and Disaster Recovery plans tested
- Cybersecurity insurance maintained
Data and privacy
- Data retention procedures established
- Customer data deleted upon leaving
- Data classification policy established
Data collected
Customer personally identifiable information
Employee personally identifiable information
Credit card information
Personal health information
Subprocessors
View all
Amazon Web Services•United StatesInfrastructure security
| CONTROL | STATUS |
|---|---|
| Unique production database authentication enforcedThe company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key. | |
| Encryption key access restrictedThe company restricts privileged access to encryption keys to authorized users with a business need. | |
| Unique account authentication enforcedThe company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. | |
| Production application access restrictedSystem access restricted to authorized access only | |
| Access control procedures established | |
| Production database access restrictedThe company restricts privileged access to databases to authorized users with a business need. | |
| Firewall access restrictedThe company restricts privileged access to the firewall to authorized users with a business need. | |
| Production OS access restrictedThe company restricts privileged access to the operating system to authorized users with a business need. | |
| Production network access restrictedThe company restricts privileged access to the production network to authorized users with a business need. | |
| Access revoked upon terminationThe company completes termination checklists to ensure that access is revoked for terminated employees within SLAs. | |
| Unique network system authentication enforcedThe company requires authentication to the ”production network” to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys. | |
| Remote access MFA enforced | |
| Remote access encrypted enforced | |
| Intrusion detection system utilized | |
| Log management utilized | |
| Infrastructure performance monitoredAn infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met. | |
| Network segmentation implemented | |
| Network firewalls reviewedThe company reviews its firewall rulesets at least annually. Required changes are tracked to completion. | |
| Network firewalls utilizedThe company uses firewalls and configures them to prevent unauthorized access. | |
| Network and system hardening standards maintained | |
| Service infrastructure maintainedThe company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats. |
Organizational security
| CONTROL | STATUS |
|---|---|
| Production inventory maintainedThe company maintains a formal inventory of production system assets. | |
| Portable media encryptedThe company encrypts portable and removable media devices when used. | |
| Anti-malware technology utilizedThe company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems. | |
| Employee background checks performedThe company performs background checks on new employees. | |
| Code of Conduct acknowledged by contractorsThe company requires contractor agreements to include a code of conduct or reference to the company code of conduct. | |
| Code of Conduct acknowledged by employees and enforcedThe company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy. | |
| Confidentiality Agreement acknowledged by contractorsThe company requires contractors to sign a confidentiality agreement at the time of engagement. | |
| Confidentiality Agreement acknowledged by employeesThe company requires employees to sign a confidentiality agreement during onboarding. | |
| Performance evaluations conductedThe company managers are required to complete performance evaluations for direct reports at least annually. | |
| Password policy enforced | |
| MDM system utilizedThe company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service. | |
| Visitor procedures enforcedThe company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas. | |
| Security awareness training implementedThe company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter. |
Product security
| CONTROL | STATUS |
|---|---|
| Data encryption utilized | |
| Control self-assessments conductedThe company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA. | |
| Penetration testing performed | |
| Data transmission encryptedThe company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. | |
| Vulnerability and system monitoring procedures established |
Internal security procedures
| CONTROL | STATUS |
|---|---|
| Continuity and Disaster Recovery plans establishedThe company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel. | |
| Continuity and Disaster Recovery plans testedThe company has a documented Business Continuity/Disaster Recovery (BC/DR) plan and tests it at least annually. | |
| Cybersecurity insurance maintainedThe company maintains cybersecurity insurance to mitigate the financial impact of business disruptions. | |
| Configuration management system establishedThe company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | |
| Change management procedures enforcedThe company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment. | |
| Production deployment access restrictedThe company restricts access to migrate changes to production to authorized personnel. | |
| Development lifecycle establishedThe company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements. | |
| SOC 2 - System DescriptionComplete a description of your system for Section III of the audit report | |
| Whistleblower policy establishedThe company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns. | |
| Board oversight briefings conducted | |
| Board charter documented | |
| Board expertise developed | |
| Board meetings conducted | |
| Backup processes established | |
| System changes externally communicatedThe company notifies customers of critical system changes that may affect their processing. | |
| Management roles and responsibilities definedThe company management has established defined roles and responsibilities to oversee the design and implementation of information security controls. | |
| Organization structure documentedThe company maintains an organizational chart that describes the organizational structure and reporting lines. | |
| Roles and responsibilities specifiedRoles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | |
| Security policies established and reviewed | |
| Support system availableThe company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel. | |
| System changes communicatedThe company communicates system changes to authorized internal users. | |
| Access reviews conductedThe company conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion. | |
| Access requests requiredThe company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned. | |
| Incident response plan testedThe company tests their incident response plan at least annually. | |
| Incident response policies establishedThe company has security and privacy incident response policies and procedures that are documented and communicated to authorized users. | |
| Incident management procedures followed | |
| Physical access processes establishedThe company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners. | |
| Data center access reviewedThe company reviews access to the data centers at least annually. | |
| Company commitments externally communicated | |
| External support resources availableThe company provides guidelines and technical support resources relating to system operations to customers. | |
| Service description communicatedThe company provides a description of its products and services to internal and external users. | |
| Risk assessment objectives specifiedThe company specifies its objectives to enable the identification and assessment of risk related to the objectives. | |
| Risks assessments performed | |
| Risk management program establishedThe company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks. | |
| Third-party agreements establishedThe company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity. | |
| Vendor management program established | |
| Vulnerabilities scanned and remediatedHost-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation. |
Data and privacy
| CONTROL | STATUS |
|---|---|
| Data retention procedures establishedThe company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data. | |
| Customer data deleted upon leavingThe company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service. | |
| Data classification policy establishedThe company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel. |
No controls match your search.
Amazon Web Services•United StatesNo subprocessors match your search.