
Clear Decisions Security

Aligned with ISO/IEC 27001 control domains and UK/EU requirements. This page outlines current controls and our roadmap — we do not claim certification; documentation is available on request.

SOC 2 Posture
ISO 27001 (Planned)
GDPR Measures
Google Cloud Secured

Jurisdictions & Standards Alignment

UK vs EU clarity, and how we align to ISO/IEC 27001 control domains

SOC 2 Posture

Clear Decisions maintains a strong SOC 2 security posture with third-party testing and security controls designed to align with SOC 2 principles.

Independent testing occurs regularly; full certification updates will be communicated when available.

ISO/IEC 27001 (Planned)

We operate an information security management program aligned with ISO/IEC 27001 control domains.

Certification pathway under evaluation; progress will be shared transparently.

UK/EU Data Protection

Alignment with UK GDPR and NCSC guidance for UK customers, and EU GDPR for EU customers.

Data Processing Addendum and sub‑processor transparency available on request.

Google Cloud Security

Data Centre and Physical Security powered by Google Cloud Platform

Google Cloud Infrastructure

Clear Decisions utilizes Google Cloud Platform (GCP) for Infrastructure as a Service (IaaS) with enterprise-grade security.

Google Cloud Security Command Center integration
Cloud Identity and Access Management (IAM)
VPC security controls and private networking
Google Cloud Armor DDoS protection

Data Hosting Locations

The Clear Decisions Platform offers secure data hosting locations for customer data:

app.clear-decisions.com stores data in Google Cloud data centres in the United States
eu.clear-decisions.com stores data in Google Cloud data centres in Europe (Belgium)
apac.clear-decisions.com stores data in Google Cloud data centres in Asia-Pacific (Singapore)
uk.clear-decisions.com stores data in Google Cloud data centres in London, UK

Google Cloud Security

Clear Decisions has partnered with Google Cloud for infrastructure and cloud services. We perform annual third-party risk assessments of Google Cloud Platform (GCP) to review data center security.

24/7 security monitoring by Google
Hardware security modules (HSMs)
Physical security with biometric controls
Environmental controls and monitoring

Network Security

Security by Design

Clear Decisions operates a security program where security is everyone’s responsibility. We build with security in mind from the start (secure SDLC, reviews, and training).

Network Vulnerability Scanning

Clear Decisions utilizes various internal security tools to perform weekly internal network vulnerability scans against all production environments. Additionally, external network scans are performed using open source tooling as a routine part of our third-party penetration tests.

Third-Party Penetration Tests (Planned)

Independent CREST/PCI penetration testing is planned as part of our SOC 2 posture improvements. Results will be shared with customers on request once available.

Security Information and Event Management

Clear Decisions utilizes Google Cloud Security Command Center and Chronicle SIEM to perform continuous monitoring and log aggregation. Our Information Security Team reviews logs and alerts for performance and security considerations.

Application Security

Secure Development (SDLC)

Secure Code Training

Clear Decisions has mandatory security education training for anyone with access to Clear Decisions systems. Training is required at initial access and annually thereafter.

Framework Security Controls

Clear Decisions leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks.

Quality Assurance

Clear Decisions has a detailed change control process governed by the Information Security Policy that applies to all changes to the environment.

Vulnerability Management

Application Security Testing

We run an active application security testing program combining automated scanning and periodic manual reviews across the SDLC.

Dependency & Code Hygiene

Automated dependency risk management, code review, and secure change processes reduce exposure to common vulnerabilities.

Responsible Disclosure Program

Clear Decisions maintains a security.txt page and responsible disclosure program for external security researchers.

Secure Authentication

Multiple layers of authentication and access control

Single Sign-On (SSO)

The Clear Decisions Platform includes industry-standard SAML 2.0-based Single Sign-On solutions, encompassing both IdP- and SP-initiated login capabilities for stringent security measures and seamless user experiences.

Multi-Factor Authentication (MFA)

The Clear Decisions platform's multi-factor authentication uses time-based one-time passwords (TOTP) and email verification. Users receive a 6-digit code to complete the login flow.

SCIM 2.0 Integration

The Clear Decisions Platform offers standard SCIM 2.0 capability to streamline user management, emphasizing data integrity and enhancing security through automated provisioning and deprovisioning.

Browser Validation

The Clear Decisions Platform employs browser validation during login to ensure heightened security measures, verifying the presence of valid MFA tokens.

Encryption

Encryption in Transit

Clear Decisions uses TLS versions 1.2 and 1.3 with digital certificate identification. In addition, the Clear Decisions platform utilizes HTTP Strict Transport Security (HSTS) for further protection.

Encryption at Rest

All Clear Decisions Platform data is stored encrypted with the Advanced Encryption Standard (AES) 256-bit algorithm using Google Cloud KMS (Key Management Service).

Key Management

Clear Decisions leverages Google Cloud Key Management Service (KMS) for secure key generation, rotation, and management with hardware security modules (HSMs).

Availability and Continuity

99.9% Uptime SLA

Clear Decisions provides status through our website and commits to a 99.9% uptime SLA within contracts.

Multi-Region Redundancy

Clear Decisions relies on multiple Google Cloud data centers and regions to provide operational redundancy, distributing and replicating data across multiple systems.

Disaster Recovery

The Clear Decisions Platform includes high availability through redundant Google Cloud infrastructure with automated failover capabilities.

Human Resources Security

Security Awareness

Policies

Clear Decisions has developed a set of risk-based security policies covering a range of topics. These policies are shared with and provided in training to all employees and contractors.

Training

Clear Decisions has mandatory security education training for anyone with access to Clear Decisions systems. Training is required at initial access and annually thereafter.

Employee Vetting

Background Checks

Clear Decisions conducts background checks to the extent allowed by law for all employees in accordance with local laws and regulations.

Confidentiality Agreements

Clear Decisions has non-disclosure agreements with employees and third parties with logical access to systems and information.

Additional Security Resources

Security Documentation

Access comprehensive security documentation and compliance reports.

Status Page

Monitor platform availability and security status in real-time.

Report Vulnerability

Responsible disclosure program for security researchers.

Enterprise-Grade Security You Can Trust

Clear Decisions provides comprehensive security for your compliance management platform with industry-leading certifications and Google Cloud infrastructure.

SOC 2 posture • ISO 27001 aligned (certification path in evaluation) • UK/EU data protection • Google Cloud secured • Last updated: 8/29/2025