Compliance Overview
Last Updated: April 20, 2026
This page summarizes Clarus's security-compliance posture for prospects, customers, and reviewers. It lists the policies, control matrix, evidence runbook, and supporting artifacts that make up our SOC 2 readiness program. The full texts are available under NDA — this page names what exists so you can ask for the specific document you need.
What "SOC 2 readiness" means here
Clarus has not yet undergone a SOC 2 Type I audit. The program described below is a readiness pack: every policy an auditor would expect is authored, every control those policies describe is implemented in code or operationally, and every piece of evidence an auditor would ask for has a documented retrieval procedure. When funding allows, the audit should be close to a formality. We publish this inventory rather than claim a certification we do not hold.
Policies, controls, and evidence locations are maintained in the repository and version-controlled with the rest of the product. Material changes are announced on the Trust Center at least 30 days in advance when they affect sub-processors or public posture.
Compliance artifacts (titles only)
The documents below live in the internal documentation set. Full texts are available under NDA — contact security@clarus.page with a short note describing your review context and we will send the current versions.
Umbrella and supporting artifacts
- Information Security Policy — umbrella policy; every other policy implements one or more of its principles
- Control Matrix — map from SOC 2 Trust Services Criteria (CC1.1 through CC9.2) to the policy, control, and evidence that addresses each one
- Evidence-Collection Runbook — procedures for producing evidence artifacts when an auditor asks
- Gap Register — known gaps between current controls and full posture, with severity, owner, and target resolution
- Annual Review Calendar — recurring compliance tasks (monthly, quarterly, annually, event-triggered)
Policy pack (22 policies)
Listed in review order — the Information Security Policy frames everything that follows. TSC mappings in parentheses reference the applicable Common Criteria in the Control Matrix.
- Information Security Policy (CC1.2, CC2.2, CC3.1)
- Access Control Policy (CC6.1–CC6.3)
- Acceptable Use Policy (CC1.5)
- Asset Management Policy (CC3, CC5)
- Authentication Policy (CC6.1, CC6.2)
- Cryptography and Encryption Policy (CC5.2, CC6.7)
- Data Classification and Handling Policy (CC3, CC5)
- Data Retention and Deletion Policy (CC6.5)
- Incident Response Plan (CC4.2, CC7.3, CC7.4)
- Business Continuity and Disaster Recovery (CC7.5)
- Change Management Policy (CC3.4, CC5.3, CC7.1, CC8.1)
- Backup Policy (CC7.5)
- System Monitoring and Logging Policy (CC2.1, CC4.1, CC7.2)
- Third-Party / Vendor Management Policy (CC9.2)
- Sub-processor Management Policy (CC9.2)
- Vulnerability Management Policy (CC6.6)
- Secure Development Policy (CC5.2, CC6.8)
- Risk Assessment Policy (CC3.2, CC9.1)
- Physical Security Policy (CC6.4)
- HR Security Policy — activates on first hire (CC1.4)
- Security Awareness Policy — activates on first hire (CC1.4)
- Code of Conduct (CC1.1, CC1.5)
A separate Internal Access Policy governs operator access to production systems. A public summary is on the Trust Center; the full policy is available under NDA.
Requesting the full set
Full policy texts, the control matrix, the evidence-collection runbook, and the gap register are available under NDA. Email security@clarus.page with:
- The name of your organization
- The review context (vendor assessment, procurement review, audit, etc.)
- Which artifacts you need (the full set, or a named subset)
We return an NDA for countersignature and, once executed, send the current versions. Turnaround is typically 2 business days.
Related pages
- Trust Center — public posture summary, encryption, sub-processors, and security contact
- Sub-processors — vendor list with DPA links and 30-day change notice
- Privacy Policy — data-handling commitments and user rights