Security & Privacy FAQs

We understand the critical importance of security and privacy for internal teams, both from a commercial and legal perspective. We are committed to keeping your data private and secure. Our team brings expertise from top law firms like Clifford Chance and hedge funds like DE Shaw, with a strong background in security.

What data security does Claren offer?

Our security measures include:

  • We use Neon and ensure that each user has their own private and segregated data stores, isolating data from other users.
  • Authentication and user management are handled by Clerk, adhering to their security protocols.
  • Encryption of user data at rest (AES-256) and in transit (TLS 1.2+).
  • Claren uses SOC 2 compliant vendors and third-party software providers.
  • Claren is currently pursuing SOC 2 Type II and ISO 27001 certification, expected Q2 2026. Our trust centre is available on request.
  • All data, including read replicas, can be stored in a data center located in a specific region upon request.
  • Our pilot agreements and terms of use specify your rights to delete your data at any time and our privacy obligations.
  • This security setup is similar to that of the top enterprise cloud providers like Microsoft Azure, Amazon AWS, and Google Cloud.
  • Claren has established zero data retention agreements with LLM providers (such as OpenAI and Anthropic).
  • Data Processing Agreements (DPAs) are available upon request to formalize our data handling commitments.
  • Our online terms of service specify your rights to delete your data at any time and our privacy obligations.

How do you handle legally privileged and confidential information?

  • All data is treated with attorney-client privilege in mind.
  • No cross-contamination between client matters or organizations.
  • Audit trails are maintained for user activities.

What about infrastructure security?

  • Our cloud infrastructure is hosted in US, UK or EU data centers with data residency options for enterprise customers.
  • Multi-factor authentication (MFA) available for administrative access.
  • Regular penetration testing and vulnerability assessments.
  • 24/7 security monitoring and incident response capabilities.
  • Defined incident response procedures with SLA targets for initial acknowledgement, escalation, and resolution.
  • Regular data backups with tested recovery procedures to ensure business continuity.

What LLM providers does Claren use? Do they train on my data?

Neither Claren nor our LLM providers train AI models on your data. Currently, Claren uses OpenAI, Anthropic and Google's models via their APIs and, on request, the latest open-source models.

OpenAI

  • Data sent to OpenAI's API is not used for training (OpenAI Enterprise Privacy Policy).
  • Data is not retained except for potential abuse review (in which case it can be examined for a maximum of 30 days before deletion) or where retention is subject to legal requirements.
  • OpenAI's models and their zero-retention policy are trusted by the US government, major banks, and law firms. OpenAI's models are trusted by many existing AI tools including Microsoft Copilot.

Google

Anthropic

What access controls do you have?

Claren uses Clerk for authentication and access control, which includes:

  • Secure authentication through Clerk, which has SOC 2 Type II and ISO 27001 certifications (Clerk Security Overview).
  • Account-specific log-in sessions.
  • API endpoints protected by authentication.
  • Row-level security protocols for organization roles.

Is my data used to train an AI model?

Company information or data input into Claren is not used to train AI models by Claren or our LLM providers, except for updating your Company's specific Claren Memories or playbooks. This is formalized through our zero data retention agreements with OpenAI and Anthropic.

What about employee security practices?

  • All employees undergo security awareness training as part of onboarding and on an ongoing basis.
  • Access to production systems and customer data is restricted on a need-to-know basis.
  • Background checks are conducted for team members with access to sensitive systems.

Any other questions?

Please contact us at security@claren.law