Security

Security is foundational to RealClear. We apply industry-standard controls across our infrastructure, data handling, and engineering practices. This page summarizes our current security posture and roadmap.

Infrastructure

RealClear runs on managed cloud infrastructure for the web app, backend services, workers, database, and document storage. Data is encrypted in transit using TLS and encrypted at rest by the managed storage layers we use. Administrative access is restricted, logged, and reviewed; production changes are gated through local security checks and reviewed deployment steps.

Data Handling

We practice minimal data collection. We do not store client documents or uploaded files beyond what is needed to provide the service unless you explicitly save them to your account. Waitlist and account data (email addresses, usage metadata) is stored with appropriate access controls and is never sold to third parties.

Property research requests, source records, briefs, and account actions are retained where needed for product delivery, audit logging, security, support, or legal compliance. Tenant-scoped data is separated by organization, and customer-visible brief claims are designed to tie back to source records and the research activity that produced them.

Compliance Roadmap

RealClear is actively working toward formal compliance certifications as the platform scales:

• SOC 2 Type II — planned audit engagement as we onboard enterprise customers.
• CCPA / GDPR — privacy controls and data subject rights processes are in place today. See our Privacy Policy for details.
• HTTPS everywhere — all endpoints are served over HTTPS with HSTS enforced.

Access Control

Access to production systems and customer data is restricted to authorized RealClear personnel on a need-to-know basis (principle of least privilege). We use role-based access control (RBAC) for all internal systems, with multi-factor authentication required for all team members with production access. Access rights are reviewed quarterly and revoked promptly upon employee offboarding.

Research Security

RealClear uses reviewed research services for source review, evidence checking, and cited brief generation. Different research tasks can carry different data-handling terms, so we do not make blanket zero-retention or no-training claims. We review vendor terms before integration, limit data sent to the task, and avoid exposing vendor-specific mechanics in the brief itself.

Responsible Disclosure

We appreciate the work of security researchers and the broader community in helping keep our platform safe. If you discover a potential vulnerability in RealClear, please report it responsibly to security@realclear.ai.

Please include a description of the issue, steps to reproduce, and any relevant screenshots or proof-of-concept. We will acknowledge receipt within 2 business days, investigate promptly, and keep you informed of our progress. We do not pursue legal action against researchers who act in good faith under this policy.