Security & Data Handling
We treat it that way. This page lays out — in plain terms — how ClearLine handles your data, where it goes, who can access it, and the standards we build against. No vague reassurances. Just specifics you can hand to your IT or compliance team.
How We Handle Your Data
These apply to every project, from the first discovery call onward. They're the answers to the questions a careful buyer actually asks.
All data moving between you, our systems, and our infrastructure providers is encrypted using industry-standard TLS. Data stored during a project is encrypted at rest.
Access to client data is limited to what's required to deliver the work. Where systems support it, we use role-based access controls that mirror your organizational structure, so people only see what they should.
Your data is never used to train AI models — not ours, and not our providers'. We build on enterprise AI services specifically because they contractually commit to the same. Your information is used to do your work, and nothing else.
We retain client data only for as long as a project requires it, and we delete it on request. You stay in control of your information for the entire lifecycle of an engagement.
The automations we build maintain logging across the interactions they handle, so there's a clear, reviewable record of what the system did and when.
Our Infrastructure
Mature vendors tell you exactly who touches your data. We won't pretend nothing leaves the building. Here's the stack your data passes through, and the terms that govern it.
Anthropic: Powers the language and reasoning in our automations. Operates under enterprise terms that prohibit training on customer data. Processing occurs in the United States.
Azure: Hosts the automations we build and run. Azure can be provisioned in the region your firm requires where data residency is a constraint.
On data residency: If your firm has a strict data-residency requirement, we'll be direct with you early. Cloud infrastructure can be provisioned in the region you need, but AI processing through Anthropic currently occurs in the United States under enterprise data-protection terms. We'd rather tell you this on the first call than surprise you during a security review.
Standards & Compliance
We design our controls and processes around the standards that matter most in Canadian insurance. Here's where we stand — stated honestly.
What We'll Sign
These are table stakes for working with a firm that handles sensitive data. We're glad to put them in writing before any data changes hands.
We'll sign a mutual non-disclosure agreement before reviewing any of your workflows or data.
We'll execute a DPA defining exactly how your data is handled, stored, and protected throughout an engagement.
If a security incident ever affects your data, we commit to notifying you promptly and transparently.
At the end of an engagement, or any time you ask, we delete your data and confirm it in writing.
Straight Talk
We'd rather under-promise and be precise than over-claim and lose your trust. If there's a security question we can't answer yet, we'll tell you. If a requirement is something we'd need to build toward, we'll say so plainly and tell you what it would take. In an industry built on assessing risk honestly, we think that's the only way worth operating.
Security Review
Send your security questionnaire, your compliance checklist, or just your concerns. We'll give you straight answers — and tell you honestly where we stand on each one.