Clearmargin

Security

Your financial data deserves protection. Clearmargin is built with security as a foundation, not an afterthought.

We handle client data, invoices, and financial records for freelancers and small teams, and we take that responsibility seriously. This page explains how we protect your data.

Infrastructure Security

Hosting

Clearmargin runs on Vercel's serverless infrastructure, which provides:

  • Global edge network with automatic failover and redundancy
  • Automatic scaling that responds to demand without manual intervention
  • DDoS protection built into the platform
  • Isolated execution environments for each request

Database

Your data is stored in Neon, a managed PostgreSQL service that provides:

  • Encryption at rest for all stored data
  • Encryption in transit using TLS for all database connections
  • Automated backups with point-in-time recovery
  • Isolated tenant environments ensuring your data stays separate

Network Security

  • HTTPS everywhere: All connections to Clearmargin are encrypted using TLS. We do not support unencrypted connections.
  • Secure headers: We implement modern security headers including Content Security Policy, X-Frame-Options, and Strict-Transport-Security.
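As an added illustration of the two points above (not Clearmargin's own code), the block below lists the response headers that implement them and gives an audit function that flags a missing or weak header in a response. The header values and the `asHeaderEntries` shape are assumptions; the weak responses in the usage are constructed for the example.

```typescript
// Added example, not Clearmargin's code: the response headers that implement
// the network-security points above, and an audit function that flags a
// missing or weak header. Header values are assumptions; the sample
// responses passed to the audit are constructed.

const SECURITY_HEADERS: Record<string, string> = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy":
    "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

// Key/value entry shape used by many framework header configs (assumed).
function asHeaderEntries(headers: Record<string, string>): { key: string; value: string }[] {
  return Object.entries(headers).map(([key, value]) => ({ key, value }));
}

interface Finding { header: string; problem: string; }

const ONE_YEAR_SECONDS = 31536000;

// Audit a response's headers. HTTP header names are case-insensitive, so
// everything is compared in lowercase.
function auditSecurityHeaders(response: Record<string, string>): Finding[] {
  const h: Record<string, string> = {};
  for (const [k, v] of Object.entries(response)) h[k.toLowerCase()] = v;
  const findings: Finding[] = [];

  // HSTS: must exist and commit browsers to HTTPS for at least a year.
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push({ header: "Strict-Transport-Security", problem: "missing" });
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const age = m ? Number(m[1]) : 0;
    if (age < ONE_YEAR_SECONDS) {
      findings.push({ header: "Strict-Transport-Security", problem: `max-age ${age} is below one year` });
    }
  }

  // CSP: must exist and carry a default-src fallback, otherwise any source
  // type not listed explicitly is left unrestricted.
  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push({ header: "Content-Security-Policy", problem: "missing" });
  } else if (!/(^|;)\s*default-src\b/i.test(csp)) {
    findings.push({ header: "Content-Security-Policy", problem: "no default-src directive" });
  }

  // Clickjacking: either X-Frame-Options DENY/SAMEORIGIN or a CSP
  // frame-ancestors directive must be present.
  const xfo = h["x-frame-options"];
  const cspFrames = !!csp && /frame-ancestors/i.test(csp);
  if (!xfo && !cspFrames) {
    findings.push({ header: "X-Frame-Options", problem: "missing and CSP has no frame-ancestors" });
  } else if (xfo && !/^(DENY|SAMEORIGIN)$/i.test(xfo.trim())) {
    findings.push({ header: "X-Frame-Options", problem: `unsupported value "${xfo}"` });
  }

  return findings;
}

// Usage: the full header set passes; a weakened response yields three findings.
const weakResponse = { "strict-transport-security": "max-age=300", "x-frame-options": "ALLOWALL" };
const auditOfGood = auditSecurityHeaders(SECURITY_HEADERS);   // []
const auditOfWeak = auditSecurityHeaders(weakResponse);       // 3 findings
```

The audit accepts a CSP `frame-ancestors` directive in place of `X-Frame-Options`, since modern browsers honour the former and ignore the latter when both are present; running it against a captured response from your own deployment is a quick way to confirm the headers actually reach the client after any proxy or CDN layer.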

Application Security

Authentication

Clearmargin uses modern authentication with:

  • Secure password hashing using bcrypt with appropriate cost factors
  • Session management with configurable expiration and automatic refresh
  • Two-factor authentication (2FA) available for all accounts
  • Passkey support for passwordless authentication
  • Email verification required for all new accounts

Access Control

We implement a robust multi-tenant access control system:

  • Organization-based isolation: All business data is scoped to organizations. Users can only access data within organizations they belong to.
  • Role-based permissions: Four permission levels (Owner, Admin, Member, Viewer) control what actions users can perform.
  • Invitation-only access: New team members must be explicitly invited by organization administrators.
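The three bullets above describe one mechanism: membership in an organization is checked first, the role within that organization decides the action, and every query is filtered by organization as well as by record id. The block below is an added in-memory model of that mechanism; it is not Clearmargin's code, and the action names, the permission matrix, the rank ordering used for invitations and the sample users, organizations and invoices are all assumptions made for the example.

```typescript
// Added example, not Clearmargin's code: an in-memory model of the
// organization-scoped, role-based access control described on the page.
// Action names, the permission matrix, the invitation rank rule and the
// sample data below are assumptions made for illustration.

type Role = "Owner" | "Admin" | "Member" | "Viewer";
type Action = "invoice:read" | "invoice:write" | "member:invite" | "org:delete";

interface Membership { userId: string; orgId: string; role: Role; }
interface Invoice { id: string; orgId: string; total: number; }

// Assumed permission matrix: which actions each of the four roles may perform.
const PERMISSIONS: Record<Role, ReadonlySet<Action>> = {
  Owner:  new Set<Action>(["invoice:read", "invoice:write", "member:invite", "org:delete"]),
  Admin:  new Set<Action>(["invoice:read", "invoice:write", "member:invite"]),
  Member: new Set<Action>(["invoice:read", "invoice:write"]),
  Viewer: new Set<Action>(["invoice:read"]),
};

class AccessDenied extends Error {
  constructor(message: string) { super(message); this.name = "AccessDenied"; }
}

// Constructed sample data: two organizations, three users, two invoices.
const MEMBERSHIPS: Membership[] = [
  { userId: "alice", orgId: "org-a", role: "Owner" },
  { userId: "bob",   orgId: "org-a", role: "Viewer" },
  { userId: "carol", orgId: "org-b", role: "Admin" },
];
const INVOICES: Invoice[] = [
  { id: "inv-1", orgId: "org-a", total: 1200 },
  { id: "inv-2", orgId: "org-b", total: 300 },
];

// Step 1: the caller must be a member of the target organization.
// Non-members and members lacking the role get the same generic error, so a
// response never confirms whether an organization or record exists.
function requireMembership(memberships: Membership[], userId: string, orgId: string): Membership {
  const m = memberships.find((x) => x.userId === userId && x.orgId === orgId);
  if (!m) throw new AccessDenied("access denied");
  return m;
}

// Step 2: the caller's role in that organization must allow the action.
function authorize(memberships: Membership[], userId: string, orgId: string, action: Action): Membership {
  const m = requireMembership(memberships, userId, orgId);
  if (!PERMISSIONS[m.role].has(action)) throw new AccessDenied("access denied");
  return m;
}

// Step 3: every lookup is filtered by orgId as well as by record id, so an
// invoice id from another organization never resolves for this caller.
function getInvoice(store: Invoice[], memberships: Membership[], userId: string,
                    orgId: string, invoiceId: string): Invoice {
  authorize(memberships, userId, orgId, "invoice:read");
  const inv = store.find((i) => i.orgId === orgId && i.id === invoiceId);
  if (!inv) throw new AccessDenied("access denied");
  return inv;
}

// Invitation-only access: only roles holding member:invite (Owner and Admin in
// the matrix above) may create a membership, and no one may grant a role
// higher than their own (assumed rule). The returned record is what the
// caller would persist once the invitee accepts.
const RANK: Record<Role, number> = { Viewer: 0, Member: 1, Admin: 2, Owner: 3 };

function inviteMember(memberships: Membership[], inviterId: string, orgId: string,
                      inviteeId: string, role: Role): Membership {
  const inviter = authorize(memberships, inviterId, orgId, "member:invite");
  if (RANK[role] > RANK[inviter.role]) throw new AccessDenied("access denied");
  return { userId: inviteeId, orgId, role };
}

// Helper so a caller (or a test) can ask "is this allowed?" as a boolean.
function allowed(fn: () => unknown): boolean {
  try { fn(); return true; }
  catch (e) { if ((e as Error).name === "AccessDenied") return false; throw e; }
}
```

The important property is in `getInvoice`: authorization happens before the lookup, and the lookup itself is scoped by `orgId`, so a bug that forgets one of the two checks still leaves the other in place. In a real service the same pattern applies to every query against the shared database, with the organization filter added by the data layer rather than by each caller.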

API Security

  • API key authentication available for integrations
  • Session tokens are cryptographically secure and expire appropriately
  • Rate limiting protects against abuse

Data Protection

What We Collect

Clearmargin collects only the data necessary to provide the service:

  • Account information (email, name)
  • Business data you enter (clients, projects, time entries, invoices, expenses)
  • Usage data for service improvement

What We Don't Do

  • We don't sell your data. Your business information is yours.
  • We don't train AI models on your data. Your client and financial information stays private.
  • We don't share data with third parties except as necessary to provide the service (payment processing, email delivery).

Data Portability

Your data belongs to you. We provide export features for core data types in your dashboard. You are responsible for maintaining your own backups of important data.

Team Security

Internal Access

  • All team members with production access use multi-factor authentication
  • Access to production systems follows the principle of least privilege
  • We maintain audit logs of administrative actions

Development Practices

  • Code changes require peer review before deployment
  • We use dependency scanning to identify vulnerable packages
  • Production and development environments are strictly separated

Incident Response

If we discover a security incident affecting your data, we will:

  1. Investigate and contain the issue as quickly as possible
  2. Notify affected users promptly
  3. Provide clear information about what happened and what we're doing
  4. Document lessons learned and improve our systems

Responsible Disclosure

If you discover a security vulnerability in Clearmargin, we want to hear from you. Please email security@clearmargin.app with details.

We ask that you:

  • Give us reasonable time to address the issue before public disclosure
  • Avoid accessing or modifying other users' data
  • Act in good faith to avoid privacy violations and service disruption

We appreciate security researchers who help us keep Clearmargin safe.

A Note on Our Stage

Clearmargin is an early-stage product. We don't yet have SOC 2 certification or formal third-party security audits. What we do have:

  • A security-first architecture built on trusted infrastructure providers
  • Industry-standard encryption and authentication practices
  • A small, security-conscious team with direct accountability

As we grow, we'll pursue formal certifications. For now, we're committed to doing security right from the start and earning your trust through our actions.

Questions about our security practices?

security@clearmargin.app

Last updated: February 2026