Our Commitment to Data Security and Privacy
At Claras, we prioritise the security and privacy of your client data and practice information. Our commitment to robust cybersecurity practices ensures a secure and reliable platform that supports your practice and licensee standards. This document outlines our comprehensive security measures and data privacy protocols.
Need a summary to send to your licensee? Request our Security and Privacy Information Sheet.
Trust Centre
Visit trust.claras.ai for live, transparent updates to our security status.
Cybersecurity Practices
Infrastructure Security
- Cloud Infrastructure: We leverage industry-leading cloud services, benefiting from their world-class security measures.
- Network Security: Our systems are protected by enterprise-grade firewalls and intrusion detection systems to prevent unauthorised access.
- Multi-Factor Authentication (MFA): Mandatory MFA (also known as 2FA) for all user accounts, internal systems access, and service provider accounts.
- Regular Security Audits: We conduct frequent internal security reviews to identify and address potential vulnerabilities.
Data Protection
- Encryption:
- All data is encrypted at rest using industry-standard encryption.
- Data in transit is protected using secure protocols.
- Sensitive information (e.g., access tokens, API keys) undergoes additional application-level encryption before database storage.
- Access Controls: Strict role-based access control ensures that employees only have access to the data necessary for their job functions.
- Data Redundancy: Regular backups protect against data loss.
Vulnerability Management
- Continuous Monitoring: We use GitHub to scan our codebase for vulnerabilities.
- Patch Management: Critical security updates are applied promptly, with a comprehensive update schedule for all systems.
Incident Response
- Incident Response Plan: A defined incident response plan is in place to address potential security events promptly.
Data Privacy
Data Handling
- Data Minimisation: We collect and retain only the data necessary for providing our services.
- AI Processing: No Personally Identifiable Information (PII) is ever shared with AI systems processing transcripts.
- Data Localisation: All client data is hosted on servers located in Australia, ensuring compliance with local data sovereignty requirements.
- Data Retention: Clear policies on data retention periods, with options for clients to request data deletion.
User Control
- Transparency: Detailed privacy policy explaining how we collect, use, and protect data.
- User Empowerment: Clients have full control over their data, including the ability to access, modify, or delete their information.
Compliance
- Australian Privacy Principles: Full compliance with the Australian Privacy Principles under the Privacy Act 1988.
- Industry Standards: Claras is SOC 2 compliant, and we are continually monitoring and enhancing our security posture and best practices in data protection and information security management. Please visit trust.claras.ai to see our controls and policies.
Here's how we address the five Trust Services Criteria (TSC) defined by SOC 2:
- Security:
- We employ industry-leading security protocols to protect your data from unauthorised access
- Our measures include encryption and multi-factor authentication
- We continuously update our defences to stay ahead of potential threats
- Availability:
- Our infrastructure is designed for high availability and reliability
- We utilise redundant systems and perform daily backups
- Processing Integrity:
- We prioritise the accuracy and reliability of our systems
- Continuous monitoring, validation processes and automated testing maintain data integrity
- Our processes ensure data processing is complete, valid, and timely
- Confidentiality:
- Protecting your confidential information is paramount
- We implement strict access controls and encryption
- Only authorised personnel have access to production data
- Privacy:
- We adhere to stringent privacy policies and practices, as published on our website
- Our approach aligns with global data protection regulations
- We collect, use, and disclose personal data only in ways that respect user consent and regulatory requirements
Ongoing Commitment
- Security Training: Regular security awareness training for all employees.
- Vendor Assessment: Thorough security assessments for all third-party vendors and partners.
- Transparency: We are committed to clear communication about our security practices and any potential incidents.
For any questions or concerns about our security measures, please contact our team at hello@claras.ai.
Essential Eight
Claras aligns with Level 1 of the Essential Eight Maturity Model, as part of our broader security program.
While the Essential Eight is primarily written for internal system management, we apply the same principles across our cloud-native platform architecture. Our SOC 2 compliance provides independent verification of the policies and controls we have in place, and can be viewed at trust.claras.ai.
Here's how we align with each of the eight strategies:
Patch applications
We maintain a robust patching policy as part of our Operations Security Policy. The AWS infrastructure supporting Claras is routinely patched as part of regular maintenance and in response to identified vulnerabilities. This ensures that the servers supporting the service are hardened against security threats.
Patch operating systems
Claras includes operating systems in our patching policy as part of our automated and routine maintenance and security protocols.
Multi-factor authentication
MFA is enforced for all internal systems and administrative tools, and also for our users. Claras enterprise customers can also enable SSO, which supports MFA at the identity provider level.
Restrict administrative privileges
We operate on a principle of least privilege. Admin access is restricted to authorised personnel, with audit logs and role-based access controls enforced.
Application control
As a SaaS platform, only approved services are deployed into our environment. No external code can be run by users or staff outside of controlled pipelines.
Restrict Microsoft Office macros
Claras does not run or support macros within Office documents.
User application hardening
We implement application hardening as part of our security protocols as per our Secure Development Policy. This ensures that information security is designed and implemented within the development lifecycle for applications and information systems.
Regular backups
All production data is backed up daily using AWS-managed services. Backups are encrypted, stored in-region, and retained with a 30-day recovery window.
Data security FAQ
Client file notes contain sensitive information that requires the highest level of protection. Here's why Claras offers peace of mind:
Your data never leaves home. All your client data is stored exclusively in Australian AWS data centres in Sydney. This isn't just a preference—it's a fundamental part of our security architecture.
We redact PII before AI processing. This is reversible pseudonymisation rather than one-way anonymisation: the real values are withheld from the model and reinserted afterwards. When processing file notes:
- We automatically detect and redact personally identifiable information (PII)
- Names, contact information, and addresses are replaced with generic placeholders
- Only after this redaction does any AI processing occur
- Once completed, the real information is restored in Australia
Security by design. Encryption in transit and at rest:
- All data is encrypted at rest (AES-256) and in transit (TLS)
- Mandatory multi-factor authentication: extra protection for all user accounts
- Practice-level controls: set your own data retention policies
- Full ownership: your practice owns all content created in Claras
- Delete anytime: permanently remove recordings and transcriptions after use
Your control, your way. You decide how long data is retained and who can access it. When deletion is requested, it is permanently removed from both the databases and backups, following AWS secure data destruction protocols.
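The redact, process, restore sequence above is easiest to reason about as a round trip with a local placeholder map. The following is an added example written for this page, not Claras's own pipeline or code: the detectors are toy regular expressions plus a caller-supplied client name list (both assumptions; a production redactor would use a proper NER model), and `fake_model` stands in for the AI step. What it shows is the security-relevant shape of the process: only the placeholder text reaches the model, the placeholder-to-value mapping never leaves local storage, the same real value always maps to the same placeholder so the model sees consistent references, and restoration refuses to guess at placeholders the model invents.

```python
"""Reversible PII redaction round trip for a client file note (illustrative only).

Added example, not Claras's code. DETECTORS and CLIENT_NAMES are assumptions
standing in for a real NER model and the practice's client list.
"""
import re
from dataclasses import dataclass, field

# Toy detectors (assumption): Australian mobile/landline formats, email, simple street address.
DETECTORS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"(?:\+61\s?|0)4\d{2}[ -]?\d{3}[ -]?\d{3}"
                         r"|(?:\+61\s?|0)[2378][ -]?\d{4}[ -]?\d{4}")),
    ("ADDRESS", re.compile(r"\b\d+[A-Za-z]?(?:/\d+)? [A-Z][a-z]+(?: [A-Z][a-z]+)?"
                           r" (?:Street|St|Road|Rd|Avenue|Ave|Crescent|Cres)\b")),
]
PLACEHOLDER = re.compile(r"\[(?:NAME|EMAIL|PHONE|ADDRESS)_\d+\]")


@dataclass
class Redaction:
    text: str                                    # safe to send to the model
    mapping: dict = field(default_factory=dict)  # placeholder -> real value; stays local


def redact(note: str, known_names: list[str]) -> Redaction:
    """Replace PII in `note` with numbered placeholders; same value -> same placeholder."""
    if PLACEHOLDER.search(note):
        # Otherwise restore() could not tell a genuine placeholder from literal input text.
        raise ValueError("note already contains placeholder-like tokens")
    spans = []  # (start, end, kind, value)
    for name in known_names:
        for m in re.finditer(re.escape(name), note):
            spans.append((m.start(), m.end(), "NAME", m.group()))
    for kind, rx in DETECTORS:
        for m in rx.finditer(note):
            spans.append((m.start(), m.end(), kind, m.group()))
    # Overlap rule: scan left to right; the longest match at a position wins ("Jane Smith" over "Jane").
    spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))
    chosen, cursor = [], 0
    for span in spans:
        if span[0] >= cursor:
            chosen.append(span)
            cursor = span[1]
    out, pos, mapping, by_value, counters = [], 0, {}, {}, {}
    for start, end, kind, value in chosen:
        ph = by_value.get((kind, value))
        if ph is None:
            counters[kind] = counters.get(kind, 0) + 1
            ph = f"[{kind}_{counters[kind]}]"
            by_value[(kind, value)] = ph
            mapping[ph] = value
        out.append(note[pos:start])
        out.append(ph)
        pos = end
    out.append(note[pos:])
    return Redaction("".join(out), mapping)


def restore(model_output: str, mapping: dict) -> str:
    """Reinsert real values. A placeholder not in the mapping (e.g. one the model
    hallucinated) is left visible rather than silently guessed, so review catches it."""
    return PLACEHOLDER.sub(lambda m: mapping.get(m.group(), m.group()), model_output)


# Constructed sample note (not a real client record).
SAMPLE_NOTE = (
    "Met with Jane Smith (jane.smith@example.com, 0412 345 678) at "
    "12 Example Street to review her super contributions. Jane will send "
    "payslips to the practice by Friday."
)
CLIENT_NAMES = ["Jane Smith", "Jane"]  # assumption: supplied from the practice's client list


def fake_model(prompt: str) -> str:
    """Stand-in for the AI step: it only ever sees placeholders, never the mapping."""
    assert not any(v in prompt for v in ("Jane", "example.com", "0412"))
    return "Action: [NAME_1] to send payslips by Friday; contact [EMAIL_1]."


if __name__ == "__main__":
    r = redact(SAMPLE_NOTE, CLIENT_NAMES)
    print(r.text)
    print(restore(fake_model(r.text), r.mapping))
```

Note what survives redaction in the sample: the pronoun "her", the topic of the meeting and the day of the week. Regex-based placeholder substitution removes direct identifiers but leaves such quasi-identifiers in place, which is why the process is best described as pseudonymisation and why the mapping, not the redacted text, is the secret that needs protecting.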
Updated on: 28/04/2025