Security
Our customers coordinate interconnection filings, regulatory dockets, and deal rooms worth billions. The security posture has to match. This page is what we commit to publicly — enterprise customers get the formal controls package under NDA.
At a glance
SOC 2 Type II
In progress · Q3 2026
Audit in flight with a Big 4 firm. We publish a report and readiness statement to customers under NDA.
Data residency
US-only (AWS us-east-1 + us-west-2)
All customer data stays in-region. EU residency available on Enterprise tier with additional regulatory review.
Encryption
TLS 1.3 in transit · AES-256 at rest
Customer-managed keys (CMK) are available for enterprise customers via AWS KMS.
Tenant isolation
Per-tenant database
Every customer lives in its own logical database. Cross-customer queries are impossible by construction, not just by policy.
Authentication
SSO (SAML + OIDC)
Okta, Azure AD, Google Workspace, JumpCloud supported. MFA required for all human logins.
Logging
Append-only audit log
Every privileged action is logged. Logs are tamper-evident and exportable on request.
Principles
We collect the minimum customer data needed to run the product. No shadow profiles, no third-party enrichment, no quiet data hoarding. The product works because of the regulatory graph, not because we held onto your deal data past your contract.
We never train shared or public models on customer workflow data. Per-tenant fine-tuning is only performed under signed agreement and only with data scoped to that tenant.
Every artifact generated by the platform cites its source. Every action is logged. Customer security reviews can trace any given output back to the inputs and the prompts. We consider this non-negotiable.
Deal rooms, filings, interconnection memos, and candidate site lists are private by default. Sharing requires explicit opt-in and an audit entry. Cross-deal visibility is off by default, even for users at the same customer.
Operational practices
Access to customer data requires just-in-time approval and is logged. Production access is limited to a small on-call rotation and revoked automatically after shift.
Dependencies are pinned, signed, and verified. We run Dependabot and Trivy. Build artifacts are reproducible. Zero-day CVE watch is automated with alerts into on-call.
All secrets live in AWS Secrets Manager. No plaintext secrets in code, config, or logs. Automatic rotation where the upstream service supports it.
Tested quarterly. A documented runbook covering detection, containment, customer notification, and post-mortem. Customers are notified within 24 hours of confirmed impact.
Point-in-time recovery for customer databases. Daily full backups encrypted and cross-region replicated. Quarterly DR exercises. Target RPO 1 hour, RTO 4 hours.
External pen test performed annually by an independent firm. Summary available to customers under NDA. Critical findings trigger immediate remediation and customer notification.
Subprocessors
Our current subprocessor list. We notify enterprise customers in advance of any change.
| Subprocessor | Purpose | Region |
|---|---|---|
| AWS | Cloud infrastructure (compute, database, object storage) | US (us-east-1, us-west-2) |
| Resend | Transactional email delivery | US |
| Stripe | Billing and payments | US |
| Sentry | Error monitoring | US |
| PostHog | Product analytics (self-hosted) | US |
| Linear | Customer support workflow | US |
| Notion | Internal knowledge base (no customer data) | US |
Vulnerability disclosure
We take security research seriously. Email security@cliffcenter.com with details of any vulnerability you find. We acknowledge within one business day and aim to remediate high and critical issues within seven days.
We operate a responsible disclosure program with a 90-day embargo as the default, shorter if the issue is being actively exploited. We credit reporters in our public security advisories unless you prefer anonymity.
We do not currently run a paid bug bounty, but exceptional reports receive recognition and swag — and a reference from our team if you want one.
Security
We return SOC 2 readiness statements, DPAs, subprocessor lists, penetration test summaries, and signed security questionnaires within three business days. No gatekeeping.