Security & Compliance

Our Approach

ClientCommit is built with a security-first mindset. Our security practices are designed to align with the trust service criteria used in SOC 2 assessments, and we implement security controls informed by ISO 27001 standards.

While we are not currently certified, our architecture and processes are designed to meet these standards as we scale.

Infrastructure & Trusted Partners

We partner with best-in-class infrastructure and security providers to ensure reliability, scalability, and protection of your data.

• Railway — Application hosting and infrastructure. SOC 2 compliant.
• Auth0 — Authentication and identity management. SOC 2 compliant.
• Supabase — Database, storage, and backend services. SOC 2 compliant.

These providers maintain SOC 2-compliant environments and security programs, allowing us to build on a strong, industry-standard foundation. This allows us to inherit key security controls across infrastructure, identity, and data layers.

Infrastructure Security

Our platform is deployed on secure, cloud-based infrastructure with modern security practices.

• Data encryption in transit (TLS 1.3)
• Data encryption at rest (AES-256)
• Secure environment isolation
• Continuous infrastructure monitoring and logging
• Regular updates and patching of systems

Application Security

ClientCommit is designed to protect customer data at the application level.

Access Control

• Role-based access (Admin, Account Manager, Finance, and more)
• Principle of least privilege
• Secure authentication powered by Auth0

Data Isolation

• Logical separation of customer data
• Tenant-level isolation enforced by Postgres Row Level Security (RLS) at the database engine level — not by application code

Auditability

• Activity tracking for key actions
• Visibility into who did what and when
• Foundation for audit logs and compliance reporting

Data Protection & Privacy

We treat your data with strict confidentiality.

• No selling of customer data
• No use of customer contracts for AI model training — we use commercial AI APIs where your data is processed and discarded
• Controlled and limited internal access to production systems
• Data minimization principles applied where possible

For full details on how we handle your data, including our anonymization pipeline, see our Privacy Policy.

Commitment Tracking as Compliance

ClientCommit helps organizations strengthen operational compliance by turning agreements into trackable commitments. The platform enables:

• Visibility into contractual obligations
• Assignment of ownership for every commitment
• Tracking of execution status
• Historical records of completed work

This creates a system of record for what was promised versus what was delivered, supporting audits, client reviews, and dispute resolution.

Internal Practices

We maintain disciplined internal processes to protect customer data:

• Restricted access to production environments
• Secure development and deployment practices
• Monitoring and logging of system activity
• Incident response and issue management procedures

Roadmap

As we grow, we plan to further strengthen our compliance posture:

• We are actively working toward a SOC 2 Type I assessment
• SOC 2 Type II certification to follow
• Expanded security audits and penetration testing

Responsible Disclosure

If you discover a security issue or vulnerability, please contact us at security@clientcommit.com.

We take all reports seriously and will acknowledge receipt within 48 hours. We will not pursue legal action against individuals who report vulnerabilities in good faith and follow responsible disclosure practices.

We ask that you:

• Report vulnerabilities promptly and provide enough detail for us to reproduce the issue
• Avoid accessing, modifying, or deleting data belonging to other users
• Do not perform denial-of-service testing or social engineering attacks