Security

How we protect your data, your callers' data, and the integrity of the Claryn platform.

Our Security Commitment

Security is not a feature at Claryn — it is a baseline requirement. Voice data is sensitive. Call recordings contain real conversations between real people. We treat this data with the seriousness it deserves at every layer of the stack.

Infrastructure Security

  • All data encrypted in transit using TLS 1.3
  • All data encrypted at rest using AES-256
  • Infrastructure hosted on SOC 2 Type II compliant cloud providers
  • Network isolation with VPCs, private subnets, and strict firewall rules
  • DDoS protection and rate limiting on all public endpoints
  • Automated vulnerability scanning on all production systems
  • Annual third-party penetration testing

Application Security

  • Role-based access control (RBAC) — team members only see what they need
  • Multi-factor authentication (MFA) supported and encouraged for all accounts
  • API keys with scoped, least-privilege permissions
  • All API requests authenticated and authorised server-side
  • Input validation and output encoding to prevent injection attacks
  • Audit logs for all sensitive operations (agent changes, data exports, billing actions)
  • Automated dependency scanning for known CVEs on every deployment

Data Protection

  • Voice recordings and transcripts stored in isolated, encrypted object storage
  • Data retention policies configurable per account — set your own retention window
  • Complete data deletion within 90 days of account closure
  • No data used for training third-party AI models without explicit consent
  • No cross-customer data access — strict multi-tenant isolation
  • Caller memory profiles stored under your account — you own and control them

Access Controls

  • Internal access to production data is restricted to on-call engineers
  • All internal data access is logged and reviewed
  • Background checks for all team members with production access
  • Access is revoked immediately upon employee offboarding

Incident Response

We maintain a documented incident response plan with defined escalation paths. In the event of a confirmed security incident affecting customer data, we will:

  • Notify affected customers within 72 hours of discovery, as required by GDPR and applicable laws
  • Provide a full post-incident report within 14 days
  • Implement remediations and publish a summary of actions taken

Responsible Disclosure

If you discover a security vulnerability in Claryn, please do not post it publicly. Email support@tryclaryn.live with:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code (if applicable)

We will acknowledge your report within 24 hours, triage it within 5 business days, and keep you updated throughout the remediation process. We do not pursue legal action against researchers who act in good faith.

Compliance

  • GDPR compliant — see our GDPR page for details
  • SOC 2 Type II (via infrastructure providers)
  • PCI DSS compliant billing (via Stripe)
  • UK PECR compliant for callers in the United Kingdom

Contact

Security reports: support@tryclaryn.live
General security questions: support@tryclaryn.live