ClearCompany holds a SOC 2 Type II report and repeats the audit annually.
Single sign-on integrates with Okta, OneLogin, Azure AD, Ping Identity, or any other SAML 2.0 identity provider or Active Directory connection.
Clients can enable multi-factor authentication for all of their users and choose between receiving a code by email or text message, or using an app-based authenticator.
ClearCompany can act as the identity provider for all of your SSO applications, giving you a single place to disable access when offboarding an employee.
All user accounts have this protection enabled by default.
ClearCompany rate-limits its login page and APIs to mitigate brute-force login attempts.
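The kind of control the previous item describes, as an added example that is not ClearCompany's code: a sliding-window limiter applied to a login endpoint along two independent dimensions, per account (a brute force against one user) and per source IP (credential stuffing spread across many accounts from one address). The window length, the limits, and the sample account and address are assumed values for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limiter is a sliding-window rate limiter: for each key it keeps the
// timestamps of attempts inside the window and refuses further attempts
// once the count reaches maxPerKey.
type Limiter struct {
	mu        sync.Mutex
	window    time.Duration
	maxPerKey int
	attempts  map[string][]time.Time
}

func NewLimiter(window time.Duration, maxPerKey int) *Limiter {
	return &Limiter{window: window, maxPerKey: maxPerKey, attempts: map[string][]time.Time{}}
}

// Allow records an attempt under key at time now and reports whether it is
// within the limit. Attempts older than the window are discarded first.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := now.Add(-l.window)
	kept := l.attempts[key][:0]
	for _, t := range l.attempts[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.maxPerKey {
		l.attempts[key] = kept
		return false
	}
	l.attempts[key] = append(kept, now)
	return true
}

// Gate applies two independent limits to the login endpoint: one per
// account and one per source IP. The limits (assumed for this example) are
// 5 attempts per account and 20 per address within 15 minutes.
type Gate struct {
	byAccount *Limiter
	byIP      *Limiter
}

func NewGate() *Gate {
	return &Gate{
		byAccount: NewLimiter(15*time.Minute, 5),
		byIP:      NewLimiter(15*time.Minute, 20),
	}
}

// Check is called before the password is verified, so attempts against
// unknown accounts are counted exactly like attempts against real ones and
// the rate limit behaves identically for both. Both limiters are consulted
// unconditionally so each one records the attempt.
func (g *Gate) Check(account, ip string, now time.Time) bool {
	okIP := g.byIP.Allow(ip, now)
	okAccount := g.byAccount.Allow(account, now)
	return okIP && okAccount
}

func main() {
	g := NewGate()
	now := time.Now()
	// Constructed sample: seven attempts against one account from one address.
	for i := 1; i <= 7; i++ {
		allowed := g.Check("alice@example.com", "203.0.113.7", now)
		fmt.Printf("attempt %d from 203.0.113.7: allowed=%v\n", i, allowed)
	}
}
```

A real deployment would back the attempt store with a shared cache rather than process memory so that limits hold across application instances, and would return the same generic error for a rate-limited request whether or not the account exists.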
Customers can define their own password complexity policies within the system.
ClearCompany allows clients to set their own session timeout policy.
Customer data is always encrypted in transit; unencrypted (plain HTTP) requests are not accepted.
Sensitive PII and other sensitive data are encrypted at rest using AES-256.
ClearCompany manages the customer encryption keys; key material is never stored in the ClearCompany codebase.
All database servers' data drives are encrypted.
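What AES-256 encryption of a sensitive field with the key held outside the codebase looks like in practice, as an added example that is not ClearCompany's implementation: the key is loaded at runtime from an environment variable (the name EXAMPLE_DATA_KEY, the `emp-1001` record ID, and the sample value are assumptions of this example), and each field is sealed with AES-256-GCM with the owning record's ID bound as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// LoadKey fetches the 256-bit data encryption key from outside the code:
// here from an environment variable whose name, EXAMPLE_DATA_KEY, is an
// assumption of this example. In production the key would be released by
// a KMS or secrets manager; the point is that no key material is a literal
// in source control.
func LoadKey() ([]byte, error) {
	h := os.Getenv("EXAMPLE_DATA_KEY")
	if h == "" {
		return nil, errors.New("EXAMPLE_DATA_KEY is not set")
	}
	key, err := hex.DecodeString(h)
	if err != nil || len(key) != 32 {
		return nil, errors.New("EXAMPLE_DATA_KEY must be 64 hex characters (32 bytes)")
	}
	return key, nil
}

// NewKey returns a fresh random 256-bit key so the example runs offline.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// EncryptField seals one sensitive value (an SSN, a bank account number)
// with AES-256-GCM. The owning record's ID is bound as associated data so a
// ciphertext copied into another record fails to decrypt there. The stored
// blob is nonce || ciphertext || tag; a fresh random nonce per call keeps
// equal plaintexts from producing equal ciphertexts.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField and fails closed on a wrong key, a
// wrong record ID, or any modification of the blob.
func DecryptField(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := NewKey() // stands in for LoadKey() when no environment key is set
	// Constructed sample record: employee 1001 with a sensitive field.
	blob, err := EncryptField(key, "emp-1001", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %s\n", hex.EncodeToString(blob))
	if _, err := DecryptField(key, "emp-2002", blob); err != nil {
		fmt.Println("decrypt under another record ID fails:", err)
	}
}
```

Binding the record ID as associated data is what turns "encrypted at rest" into a useful guarantee against an attacker with write access to the database: ciphertexts cannot be swapped between rows, and any bit flip in the stored blob is rejected by the GCM tag rather than silently decrypting to garbage.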
ClearCompany is a cloud-native, multi-tenant SaaS Human Capital Management platform hosted in AWS.
ClearCompany offices are secured against unauthorized physical access, and procedures for managing visitors are in place. The service's computing infrastructure runs entirely in the cloud; all services are hosted and managed within Amazon Web Services (AWS). AWS's physical infrastructure has been examined under various frameworks and reporting standards, including ISO 27001, SOC 1/SOC 2/SSAE 18/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley.
ClearCompany has implemented role-based access control to limit and control access within the ClearCompany platform and any system that houses customer or confidential data. Employees are granted logical and physical access to these systems based on documented approvals by appropriate management personnel. User access is reviewed on a rolling basis and at least annually.
ClearCompany's infrastructure is monitored in real time using an intrusion detection system (IDS). Alerts are reviewed by a third-party SOC and the internal security team, which is available 24/7/365.
All ClearCompany services are monitored internally and externally.
The system is an n-tier architecture, a design shared across all ClearCompany products. The infrastructure uses several databases and database clusters for high availability and scalability, and spans four AWS Availability Zones.
All databases are backed up daily to remote regions, and each runs several real-time replicas so that no single database failure interrupts service or causes data loss. Server configurations and files are also backed up to separate regions.
ClearCompany maintains distinct business continuity and disaster recovery plans and runs tabletop exercises annually so that all key stakeholders are familiar with the actions to follow if a qualifying event occurs. These plans are reviewed and updated annually.
ClearCompany has a dedicated application security team that continually adds security features, looks for vulnerabilities, and improves the security posture of the ClearCompany platform.
ClearCompany conducts at least two penetration tests per year.
Every quarter, ClearCompany conducts red-team vulnerability testing and remediation.
System and application patching is ongoing; a critical vulnerability is patched immediately once identified.
ClearCompany's developers and Application Security team are trained to mitigate the OWASP Top 10 vulnerabilities.
Rapid7 vulnerability scans run weekly on an ongoing basis.
ClearCompany performs employment verification and background checks, including financial and/or criminal checks depending on the position, on all new hires before they start with the company. Failure to pass these checks results in the offer of employment being rescinded.
All new hires undergo security training before getting access to the ClearCompany system. All employees complete security training annually.
ClearCompany enforces two-factor authentication (2FA) on all critical systems and on any other system that supports it.
All laptops and servers run endpoint protection agents to guard against malware and ransomware.
All third-party vendors undergo a security review consisting of a review of their SOC 2 report, ISO 27001 certification, or other supporting security documentation.