Encryption At Rest
Clarus encrypts all document content at rest in the database. This means your writing, AI-generated feedback, annotations, comments, and scratch pads are stored as ciphertext — not readable plaintext.
What This Means For You
- Your content is protected in storage. Even if the underlying database were ever exposed, your writing would not be readable without the encryption keys.
- Encryption is automatic. You do not need to enable or configure anything. Every document you create is encrypted from the start.
- AI features work seamlessly. Writing coach feedback, research results, and other AI-generated content are encrypted the same way your documents are.
- Key rotation on share revocation. When you revoke someone's access to a shared document, the encryption key for that document is automatically rotated so previously shared keys can no longer decrypt the content.
How It Works
Clarus uses AES-256-GCM encryption — the same standard used by banks and government agencies — to protect your content before it is written to the database.
Encryption keys are organized in layers so that each user and each document has its own key. This means:
- Your documents can only be decrypted with your keys
- Shared documents use separate keys per collaborator
- Revoking a share automatically rotates the document's encryption key
What Is Encrypted
| Content | Encrypted |
|---|---|
| Document body and preview | Yes |
| AI coach feedback and annotations | Yes |
| Research assistant results | Yes |
| Comments and discussion threads | Yes |
| Scratch pads | Yes |
| Version history snapshots | Yes |
| Document title | No (kept searchable) |
| Timestamps, IDs, and status fields | No (non-content metadata) |
Key Rotation
When you revoke someone's access to a shared document, Clarus automatically:
- Generates a new encryption key for that document
- Re-encrypts all content under the new key
- Ensures the revoked user's old key can no longer decrypt the content