
Security & Privacy

From compliance to service and maintenance, ClearCompany is a leader in data security and privacy.


About Security and Privacy with ClearCompany

An award-winning and secure software suite to power your talent management strategy. 

Security Certifications

SOC 2 Type II

ClearCompany is a SOC 2 Type II certified company and completes this audit on an annual basis.

Security Features

SSO

Seamlessly integrate into Okta, OneLogin, Azure AD, Ping Identity or any SAML 2.0 or Active Directory connection.

Two-Factor Authentication

Clients can enable this for all of their users and choose between an email, a text message, or an app-based authenticator.

Identity Provider

ClearCompany can act as your identity provider for all of your SSO applications, giving you a single place to disable access when you offboard an employee.

Account Lockout

All user accounts have this protection enabled by default.

Brute Force Mitigation

ClearCompany has rate limiting in place on our login page and APIs to prevent this type of attack.

Password Policy

Customers can define their own password complexity policies within the system.

Custom Session Timeouts

ClearCompany allows clients to set their own session timeout policy.


Encryption

SSL Everywhere

Customer data is always encrypted in transit. No insecure requests are allowed.

Sensitive Data Encrypted at Rest

Sensitive PII and other sensitive data are encrypted at rest using AES-256.

Key Management

ClearCompany manages customer encryption keys. No encryption keys are ever allowed in the ClearCompany codebase.

Database Data Encrypted on Disk

The data drives of all database servers are encrypted.

Infrastructure & Network Security

Cloud Platform

ClearCompany is a cloud-native, multi-tenant SaaS Human Capital Management software platform hosted within AWS.

Physical Security

ClearCompany offices are secured against unauthorized physical access, and procedures for managing visitors are in place. The service's computing infrastructure runs entirely in the cloud, with all services hosted and managed within Amazon Web Services (AWS). AWS' physical infrastructure has been examined under various frameworks and reporting standards, including ISO 27001, SOC 1/SOC 2/SSAE 18/ISAE 3402, PCI Level 1, FISMA Moderate and Sarbanes-Oxley.

Logical Access Control

ClearCompany has implemented role-based access control to limit and control access within the ClearCompany software platform and any system that houses customer or confidential data. Employees are granted logical and physical access to these systems based on documented approvals from appropriate management personnel. User access is reviewed on a rolling basis, and at a minimum annually.

Intrusion Detection & Prevention

ClearCompany's infrastructure is monitored in real time using an IDS. All alerts are reviewed by our third-party SOC and by our internal security team, which is available 24/7/365.

Uptime Monitoring

All ClearCompany services are monitored internally and externally.

Disaster Recovery

High Availability

The system is an n-tier architecture, a design that is the same across all ClearCompany products. ClearCompany's infrastructure uses several databases and database clusters for high availability and scalability. We also use 4 availability zones within AWS to reinforce our commitment to high availability for our customers.

Disaster Recovery Backups to Different Geographic Regions

All databases are backed up to remote regions on a daily basis. All databases run several real-time replicas so that no single database failure can interrupt service or cause data loss. Server configurations and files are also backed up to separate regions.

Business Continuity & Tabletop Exercises

ClearCompany has distinct business continuity and disaster recovery plans in place and runs tabletop exercises annually so that all key stakeholders are familiar with the actions to follow should a qualifying event take place. These plans are reviewed and updated annually.

Application Security

Dedicated Team for Application Security

ClearCompany has a dedicated application security team that is constantly adding security features, looking for vulnerabilities, and improving the security posture of the ClearCompany platform.

2+ Penetration Tests Per Year

ClearCompany conducts 2+ penetration tests per year.

Quarterly Red Team Vulnerability Testing

Every quarter, ClearCompany conducts Red Team vulnerability testing and remediation.

System & Application Patching

System and application patching is ongoing, and patches are applied immediately should a critical vulnerability be identified.

OWASP Top 10

ClearCompany's developers and Application Security team are trained to mitigate the OWASP Top 10 vulnerabilities.

Rapid7 Vulnerability Scanning

ClearCompany runs Rapid7 vulnerability scanning on an ongoing weekly basis.

Corporate Security

Background Checks

ClearCompany performs employment verification and background checks, which include financial and/or criminal checks depending on the position, on all new hires before they start with the company. Failure to pass these checks results in the offer of employment being rescinded.

Employee Onboarding and Offboarding


  • Asset Management - ClearCompany uses our own World of Work Asset Management tool to track all employee assets, such as laptops, phones, and much more.
  • Identity Provider - ClearCompany uses our own World of Work Identity Provider service so that employee accounts can be provisioned and de-provisioned quickly.

Security Training

All new hires undergo security training before getting access to the ClearCompany system. All employees complete security training annually.

2FA Everywhere

ClearCompany implements 2FA for all critical systems and any other systems that support this.

Endpoint Protection

All laptops and servers have endpoint protection agents installed to protect against malware and ransomware.

Third Party Vendor Management

All third-party vendors undergo a security review that consists of reviewing their relevant SOC 2, ISO 27001, or other supporting security documentation.