Security
Security-first infrastructure
Machine-initiated commerce requires infrastructure-level trust. Security is not an afterthought.
Security practices
Concrete measures we implement to protect all parties.
Token-based authorization
All confirmation tokens are high-entropy and single-use, and they expire. Rate limiting prevents brute-force attacks.
No raw card data
We never collect or store raw payment card data. All payment processing uses PSP-hosted tokenization.
Isolated execution
Merchant integrations are fully isolated. No cross-tenant data exposure or shared credentials.
Cryptographic logging
Every transaction is cryptographically signed. Immutable audit trails with correlation IDs for all operations.
Data handling
Minimal PII storage
We minimize storage of personally identifiable information and prefer profile references over raw addresses in logs.
HTTPS everywhere
All communications are encrypted in transit. No exceptions.
Structured logging
Logs include tenant/merchant IDs but no raw PII. Correlation IDs enable tracing without data exposure.
Compliance
Clarify Systems maintains compliance with applicable data protection regulations and payment industry standards.
PCI DSS
Payment processing standards
GDPR
EU data protection
SOC 2
Security controls (roadmap)
Audit & receipts
Receipts are immutable. All transaction logs are preserved for audit, compliance, and dispute resolution.