ClarisTXM
Try it free
Security & Trust Center

Security at ClarisTXM

We take the security and privacy of your data seriously. This page outlines the technical, organizational, and compliance measures we employ to protect your information.

Last updated: February 19, 2026

1. Infrastructure Security

  • Hosting: Render.com — a SOC 2 Type II compliant platform with continuous security monitoring and automated patching.
  • Region: US-based servers for all production workloads and data storage.
  • Network: TLS 1.2+ encryption enforced for all data in transit between clients and our servers.
  • HSTS: Strict-Transport-Security header with preload directive, ensuring browsers always use HTTPS.
  • Disk: Encrypted storage at rest via Render infrastructure-level disk encryption.

2. Application Security

  • Authentication: Passwords are hashed using PBKDF2-SHA512 with 100,000 iterations and a unique cryptographic salt per user. Plaintext passwords are never stored.
  • Sessions: JWT-based sessions with 24-hour expiry and short-lived beacon tokens for sensitive operations.
  • Rate Limiting: Per-IP, per-path rate limiting — 60 requests/min for API endpoints, 10 requests/min for authentication routes, and 5 requests/min for admin operations.
  • Account Lockout: After 5 consecutive failed login attempts, the account is locked for 15 minutes to mitigate brute-force attacks.
  • Input Validation: UUID-based path traversal protection, email validation per RFC 5322, and payload size limits on all endpoints.
  • Security Headers: Content-Security-Policy (CSP), X-Frame-Options DENY, HSTS, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy with restrictive defaults.

3. Data Protection

  • Encryption in Transit: TLS 1.2+ for all connections between clients, servers, and third-party services.
  • Encryption at Rest: Render infrastructure-level disk encryption protects all stored data.
  • Data Isolation: Per-user directory structure with UUID-validated paths prevents unauthorized cross-user data access.
  • Backup: Atomic writes with .bak recovery on every save operation, ensuring data integrity and recoverability.
  • Disk Quota: 50 MB per user enforced server-side to prevent storage abuse and ensure fair resource allocation.

4. Payment Security

  • PCI DSS Level 1: All payment processing is fully delegated to Stripe, a PCI DSS Level 1 certified service provider.
  • No Card Data on Our Servers: Credit card numbers, CVVs, and other payment card data never touch ClarisTXM servers. All card handling occurs entirely within Stripe's PCI-compliant environment.
  • Webhook Verification: All Stripe webhook events are verified using HMAC-SHA256 signature validation to prevent tampering and replay attacks.

5. AI Processing Security

  • Providers: OpenAI and Anthropic are used for AI-powered artifact generation via their secure API endpoints.
  • API-Only Access: Both providers are accessed exclusively through their APIs and do not use customer data for model training.
  • Data Handling: Content is sent to AI providers only for artifact generation and is not stored by providers beyond the scope of processing the request.

Sensitive Data Warning: Users should not upload protected health information (PHI), payment card industry (PCI) data, passwords, API keys, or other credentials to the platform. ClarisTXM is not designed to process or store regulated sensitive data.

6. Compliance & Privacy

GDPR

  • Data export capabilities (Art. 15 & 20) — users can download a copy of their data at any time.
  • Right to erasure (Art. 17) — account and data deletion available through Settings.
  • Consent tracking — explicit consent collected at registration and for AI processing.

CCPA / CPRA

  • Notice at Collection provided through our Privacy Policy.
  • Right to know, delete, and correct personal information.

Audit & Retention

  • Audit Logging: All security-relevant events are logged with automated rotation.
  • Data Retention: Active account data retained indefinitely. Upon deletion request, all personal data is removed within 30 days.

7. Incident Response

  • Dedicated Security Contact: security@claristxm.com
  • Breach Notification: Affected users will be notified within 72 hours of a confirmed security breach, in compliance with GDPR and applicable regulations.
  • Post-Incident Review: Every confirmed incident undergoes a thorough review with root-cause analysis, remediation steps, and preventive measures documented and implemented.

8. Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability in ClarisTXM, please report it to us so we can address it promptly.

  • Report To: security@claristxm.com
  • Safe Harbor: Good-faith security researchers will not be pursued legally for responsibly disclosing vulnerabilities.
  • Response Commitment: We will acknowledge your report within 48 hours and provide a status update within 7 days.

9. Enterprise Readiness

CapabilityStatus
SOC 2 Type IIPlannedLeverages Render's SOC 2 compliance
Data Processing Agreement (DPA)AvailableOn request for enterprise customers
MSA / SLAAvailableOn request for enterprise customers
SSO / SAMLPlannedEnterprise tier

10. Certifications & Compliance Roadmap

Current

  • GDPR
  • CCPA / CPRA
  • PCI DSS (via Stripe)

In Progress

  • SOC 2 Type II

Planned

  • ISO 27001
  • HIPAA BAA (enterprise tier)

See also: Privacy Policy · Terms of Service · security@claristxm.com