# Clarity — Security

> Clarity is a read-only financial visibility platform. It never has permission to move, transfer, or withdraw funds from any connected account.

## Read-Only Architecture

- Bank connections via Plaid use tokenized, read-only access — Clarity never sees bank login credentials
- Crypto exchange connections require read-only API keys only — no trading or withdrawal permissions
- Blockchain wallet connections use public addresses only — no private keys required
- This is a visibility and analysis platform, not a custodial or transfer service

## Data Encryption

- **In transit:** TLS 1.3 for all client-server communication
- **Credentials at rest:** Application-layer authenticated encryption for sensitive integration credentials
- **General data at rest:** Provider-managed encryption via managed cloud database

## Operational Controls

- Automated CI checks for risky patterns in code changes
- Code review required for all production releases
- Monitoring, logging, and alerting for errors and unusual access patterns
- Incident response procedures with containment and remediation steps
- Incident notification within 72 hours if a data breach occurs

## Credential Management

- Secrets are never committed to source control
- Credential exposure events are treated as security incidents
- Key and token rotation performed as needed

## Infrastructure

- Managed cloud infrastructure with isolation between development and production environments
- DDoS mitigation and network protection via hosting providers

## Key Links

- Security: https://clarity-app.vercel.app/legal/security
- Privacy: https://clarity-app.vercel.app/legal/privacy
- Terms: https://clarity-app.vercel.app/legal/terms
