Data residency
Core TrueClara data is hosted in the United States through Supabase, with Vercel and Cloudflare providing global edge delivery. Connected services like PostHog, Mixpanel, Amplitude, Gmail, Paddle, Anthropic, and OpenAI process data only when the workspace enables them.
Subprocessors
| Subprocessor | Purpose |
|---|---|
| Supabase | Database, auth, and storage |
| Paddle | Billing |
| Resend | Transactional email and email campaigns |
| PostHog | Customer-connected analytics |
| Mixpanel | Customer-connected analytics |
| Amplitude | Customer-connected analytics |
| Gmail API and Pub/Sub, when connected by the customer | |
| Cloudflare | CDN and edge protection |
| Vercel | Hosting |
| Anthropic | Clara observations |
| OpenAI | Bet embeddings |
Encryption
TLS 1.3 in transit. AES-256 at rest (Supabase-managed).
Authentication
Supabase Auth with magic link and password. Email-based MFA available; SSO/OAuth in a future release.
Data deletion
Workspace deletion removes all associated data within 30 days. Operator and Studio workspaces can also generate self-service data exports with signed download links and a 7-day retention window.
Compliance
SOC 2 documentation available on request. Formal Type 2 audit is a planned V2 deliverable.
Contact
Security questions: security@trueclara.com.