ClearPoint Logic

Trust at ClearPoint Logic.

Audit-grade evidence. Vendor-neutral governance. Independent system of record.

Request our security package
01Compliance posture

Frameworks we map to.

We treat compliance as a deliverable, not a marketing claim. Below is the current state of each framework, with realistic timelines. Detailed mappings and audit reports are available under NDA in our security package.

  • SOC 2 Type II

    In progress
    Target: Q4 2026

    Independent attestation of our security, availability, and confidentiality controls. Type I report under Type II observation window.

    Auditor: Big-four firm under NDA

  • HIPAA

    Controls mapped
    Available on Enterprise

    Administrative, physical, and technical safeguards mapped to HIPAA Security Rule. Business Associate Agreement available.

    BAA on Enterprise contracts

  • HITRUST CSF

    In progress
    Mapping in progress

    r2 assessment scoping underway. Control mapping to v11.3 covering NIST CSF, ISO 27001, and HIPAA overlays.

    Validated assessment H2 2027

  • ISO 27001

    Planned
    Planned 2027

    ISMS scope defined. Stage 1 readiness audit planned alongside SOC 2 Type II completion. Annex A control alignment in place.

    Stage 1 audit planned

  • NIST AI RMF

    Controls mapped
    Govern · Map · Measure · Manage

    Platform controls mapped to all four NIST AI RMF functions. Crosswalk document available under NDA in the security package.

    AI RMF 1.0 crosswalk

  • EU AI Act

    Supported
    High-risk system support

    Logging, transparency, human oversight, and risk management features support customers deploying high-risk AI systems under Title III.

    Article 12, 13, 14, 15 controls
02The AI Bill of Materials

What ships, signed.

An AI Bill of Materials (AI BOM) is a signed manifest of every component that makes up an agent: the model and version, the prompts, the tools and their permissions, the datasets, the libraries, the operator identity, and the policies in force at run time.

Without an AI BOM, you cannot answer the simplest audit questions: what model produced this decision, on which prompt, with what tool access, for which user? Every CPL agent ships with one. Every change is a new signed version.

Vendor-neutral
Same format whether the agent runs on Microsoft, Google, Anthropic, or BYOA.
Cryptographically signed
Tamper-evident. Verifiable offline by auditors and regulators.
Diff-able
Two AI BOMs can be diffed. Promotion is a reviewable change.
Exportable
JSON, CycloneDX-compatible. Your evidence system, your retention.
aibom.compliance-sentinel.3.4.1.json
Signature verified
{
  "aibom_version": "1.2",
  "agent": {
    "id": "agt_compliance_sentinel",
    "name": "Compliance Sentinel",
    "version": "3.4.1",
    "package_digest": "sha256:9f2e1c…7a3b"
  },
  "passport": {
    "id": "pp_8a2c91…",
    "issuer": "anchor.cpl",
    "issued_at": "2026-03-12T14:08:21Z"
  },
  "models": [
    {
      "vendor": "anthropic",
      "name": "claude-sonnet-4.5",
      "role": "primary_reasoning",
      "fingerprint": "claude-sonnet-4.5-20260218"
    }
  ],
  "prompts": [
    { "id": "pr_intake_v8",   "digest": "sha256:c1…" },
    { "id": "pr_summarize_v3","digest": "sha256:b2…" }
  ],
  "tools": [
    { "id": "salesforce_read",   "scopes": ["account.read"] },
    { "id": "evidence_writer",   "scopes": ["bucket.append"] }
  ],
  "datasets": [
    { "id": "kb_policies_2026q1", "rows": 1284, "pii": "redacted" }
  ],
  "dependencies": [
    { "name": "adk-go", "version": "0.42.0" }
  ],
  "policies": ["pol_hipaa_baseline_v6","pol_pii_redact_v2"],
  "signature": {
    "algo": "ed25519",
    "value": "MEUCIQDk…rA=="
  }
}
03Evidence and audit

Replayable runs. Signed traces.

Every agent run produces a signed evidence record: inputs, decision context, tool calls, approvals, model outputs, and the AI BOM in force at the time. Records are append-only, retained per policy, and exportable.

  • Signed telemetry
    Per-step traces signed with tenant-scoped keys. Tamper-evident.
  • Decision context
    The exact prompts, retrieved context, and tool responses that produced an output.
  • Audit replay
    Reconstruct any past run with the same AI BOM. Useful for incident review and discovery.
  • Retention controls
    Per-tenant, per-agent retention. Legal hold supported.
Evidence record · ev_71c8a9e2
Compliance Sentinel · run_3f12 · 2026-03-12
Sealed & verified
  1. 14:08:21.044INPUT
    POST /v1/agents/agt_compliance_sentinel/run
    op:usr_a91 · req:req_3f12
  2. 14:08:21.118POLICY
    pol_hipaa_baseline_v6 · ALLOW (pii_check ok)
    envelope: anchor.policy
  3. 14:08:21.402MODEL
    claude-sonnet-4.5 · 1842 in / 318 out tokens
    fingerprint: 20260218
  4. 14:08:21.488TOOL
    salesforce_read · account.read · 200 OK
    scope verified · 142ms
  5. 14:08:21.612APPROVAL
    dual_control_required · routed to risk@
    awaiting human-in-loop
  6. 14:08:48.901APPROVED
    usr_b22 · approved · note: "checked exposure"
    reversible: yes
  7. 14:08:48.953OUTPUT
    evidence_writer · bucket.append · 200 OK
    sealed
  8. 14:08:48.981SIGNED
    ed25519 · MEUCIQDk…rA==
    record_id: ev_71c8…
04Data residency and BYOK

Your keys. Your region. Your network.

Standard tenancy is multi-tenant on Google Cloud with logical isolation, AES-256 at rest, TLS 1.3 in transit. Enterprise tier adds the controls below.

  • BYOK

    Customer-managed encryption keys via Google Cloud KMS or external HSM (AWS KMS XKS pattern). Per-tenant key hierarchy. Revocation cuts access to data and evidence.

  • Data residency

    Region pinning available for US (us-central1, us-east4), EU (europe-west4), and UK (europe-west2). Evidence and memory stay in region; cross-region replication is opt-in only.

  • Private connectivity

    Private Service Connect, VPC Service Controls, customer VPN/IPSec. Egress allowlist for tool endpoints. No data plane traffic over the public internet on Enterprise.

  • Tenant isolation

    Per-tenant encryption keys, per-tenant pgvector schemas, per-tenant signing keys for evidence and AI BOMs. No shared model fine-tunes across tenants.

  • PII handling

    Redaction at ingest with deterministic tokenization. PII never sent to model providers without an explicit, logged policy decision. Right-to-erasure workflows.

  • Backup & DR

    Daily encrypted backups, point-in-time recovery to 7 days standard, 35 days on Enterprise. Multi-region DR with documented RTO/RPO under NDA.

05Documentation

Documents and resources.

Public documents are linked directly. Documents marked under NDA are bundled in the security package and shared after a brief mutual NDA exchange.

06Frequently asked

Common security questions.

The questions enterprise security teams ask us most often. If yours isn’t here, email security@clearpointlogic.com.

  • Who are your subprocessors?

    The subprocessors below process customer data on our behalf. We notify customers 30 days before adding or replacing a subprocessor; subscribe to changes in the Trust Center.

    • Google Cloud PlatformCloud infrastructure, compute, storage, networkingUS, EU, UK
    • AnthropicLLM inference (Claude family) for reasoning workloadsUnited States
    • Google (Gemini)LLM inference (Gemini family) for reasoning workloadsUS, EU
    • CloudflareEdge networking, DDoS protection, WAFGlobal
    • StripeSubscription billing and payment processingUnited States
    • Auth0 (Okta)Identity and access managementUS, EU
    • DatadogApplication performance monitoring and loggingUS, EU
    • SentryError and exception trackingUnited States
    • HubSpotCRM and marketing automationUnited States
    Last updated: April 2026. Full list with effective dates is included in the security package.
  • Where is customer data stored?

    Standard tenancy is multi-tenant on Google Cloud with logical isolation, AES-256 at rest, TLS 1.3 in transit. Enterprise customers can pin data to US (us-central1, us-east4), EU (europe-west4), or UK (europe-west2). Evidence and memory stay in region; cross-region replication is opt-in only.

  • Do you support customer-managed encryption keys (BYOK)?

    Yes, on Enterprise. We support Google Cloud KMS customer-managed keys, with an external HSM pattern available for customers who require their keys never to leave their own KMS. Each tenant has an independent key hierarchy; revocation cuts access to data and evidence immediately.

  • How is customer data isolated between tenants?

    Per-tenant encryption keys, per-tenant pgvector schemas in the memory layer, and per-tenant signing keys for evidence and AI BOMs. We do not share model fine-tunes, prompt caches, or retrieval indexes across tenants.

  • How do you handle PII sent to model providers?

    By default, PII is redacted at ingest using deterministic tokenization, and is never sent to model providers without an explicit, logged policy decision. Redaction is configurable per agent and per tool; every send is captured in the evidence record.

  • What is your incident response process?

    We follow a documented IR playbook with on-call rotations, severity-tiered escalation, and customer notification commitments under our DPA. For confirmed security incidents affecting customer data, we notify in writing within 72 hours, with regular updates through resolution and a post-incident report.

  • Do you penetration-test the platform?

    Yes — annual third-party penetration test plus continuous internal testing. Executive summary is public; full report is shared under NDA with the security package. We also run a private bug-bounty program for invited researchers.

  • How do you support audit and discovery requests?

    Every agent run produces a signed evidence record that is retained per your policy and exportable to your evidence system. Customers can replay any past run with the AI BOM in force at the time, which is useful for incident review, regulator requests, and litigation discovery.

  • Where do I report a security vulnerability?

    Email security@clearpointlogic.com. We acknowledge within 1 business day and triage within 3. Researchers acting in good faith are protected from legal action; full policy and PGP key are provided in our security package.

Have a security question?

Our security team responds within one business day. For deeper reviews, schedule a 45-minute walkthrough with our CISO and a platform architect.

Email security@clearpointlogic.comSchedule a security review