PolicyStrata

Security Addendum

Legal-review draft. This page is published for transparency and must not be represented as counsel-approved or incorporated into a customer agreement until its status is updated.

Status: legal-review draft. Do not execute without counsel review.

Security Program

Clearance uses a metadata-only hosted data boundary by default, organization-scoped access controls, RBAC, audit logging, TLS, production secret management, and provider-managed database backup controls.

Access Control

  • Organization data is scoped by organization_id.
  • Product records that belong to a project include project_id where applicable.
  • Administrative actions require server-side RBAC checks.
  • Runner and SCIM bearer tokens are stored as hashes with nonsecret prefixes.

Encryption And Secrets

  • TLS is required for production traffic.
  • Integration credentials are encrypted before storage.
  • Production secrets live in the deployment secret manager.
  • Real production secrets must not be committed, logged, or exported.

Audit And Monitoring

  • Sensitive actions emit metadata-only audit events.
  • Evidence exports include integrity hashes.
  • Minimum alert rules are defined in docs/monitoring-alert-rules.md.

Incident Response

Security incidents follow docs/incident-response.md, including containment, audit/log preservation, customer-notification decisioning, and post-incident regression work.