Customer IdP is source of truth. Claresia never stores passwords.
Security, compliance, and architecture — out in the open.
Claresia is the agent operations platform for the enterprise. This page is the single source of truth for what we run, how we run it, and what we hold ourselves accountable to. Everything below is current, honest about where we are, and explicit about what comes next.
Operating posture
CMEK opt-in for Mode B/C, customer-rotatable key.
Region-pinned per tenant. EU residency guaranteed in Mode B+C.
Customer can choose: shared, single-tenant, or in-customer-cloud.
Including 3 LLM providers, all with zero-retention contracts.
Live incident feed at status.claresia.com. SLA in legal pack.
What's real today, what's planned
We don't claim certifications we don't hold. As of 2026-05-03, Claresia has GDPR posture and a published DPA, has SOC 2 Type 1 work in flight (Q1 2026), and has the Type 2 observation window opening through Q4 2026. ISO 27001 and ISO 42001 (AI Management) are sequenced behind SOC 2. NIS2 + EU AI Act readiness packs are in progress (Q2 + Q3 2026). All sub-processors are listed. The first annual external pen test is scheduled Q2 2026. Bug bounty opens Q3 2026.
If your procurement timeline depends on a specific certification we haven't completed yet, talk to us — we'll share the audit firm, the kickoff date, and what evidence we can offer in the interim under NDA.
Compliance & certifications
The audits and frameworks Claresia is held to
SOC 2 Type 1
AICPA Trust Services Criteria
Point-in-time attestation that Claresia controls (Security, Availability, Confidentiality) are designed appropriately.
Next: Q1 2026 — audit window opens with Vanta + 3PA
GDPR
EU Regulation 2016/679
EU General Data Protection Regulation compliance posture, controller / processor obligations, Schrems II safeguards.
Next: Quarterly review (next: 2026-07-15)
Data Processing Agreement (DPA)
Claresia Legal
Pre-signed customer-facing DPA template with sub-processor flow-down, SCC module 2 + module 3 selectable, security annex aligned to ISO 27001 controls.
Next: Annual review (next: 2027-03-20)
Deployment modes
Pick the topology your security team can live with
Claresia Cloud (Shared)
Multi-tenant SaaS with Row-Level Security per tenant. 24-hour go-live. 99.5% SLA. Best for organisations under 200 seats with no residency requirement.
Claresia Cloud Dedicated
Single-tenant Postgres with customer-managed encryption keys, regional pinning, dedicated subnet, IP allowlisting. 5-day go-live. 99.9% SLA. The default for 200–5,000 seat organisations.
See topologyCustomer Cloud (BYOC)
Hub data plane lives entirely in your cloud. Only telemetry envelopes (no payloads) flow back over mTLS. For regulated industries: pharma, finance, defense, public sector, sovereign clouds.
Sub-processors
Every vendor that touches your data
16 sub-processors, broken out by category, region, and data type. All with executed DPAs. LLM providers carry zero-retention clauses contractually.
- LLM providers (Anthropic, OpenAI, Vertex, Azure OpenAI): 4, zero retention
- Cloud infrastructure (AWS, Azure, GCP, Cloudflare, GitHub): 5, DPA active
- Database (Supabase, Neon, ClickHouse): 3, CMEK in B/C
- Identity (WorkOS): 1, us+eu
- Observability (Datadog, Honeycomb, Sentry): 3, PII scrubbed
- Comms · Support · Billing · Marketplace · Compliance: 10, no payload access
Status page
All systems operational
Live component health, 90-day uptime per region per service, planned maintenance, incident timeline.
Visit status.claresia.com
Security incidents
No incidents to date
Past 12 months of customer-impacting security incidents with root-cause and remediation. 0 active advisories.
Procurement-ready in one Slack thread.
Need a CAIQ-Lite, SIG-Lite, DPA, sub-processor list, security questionnaire, or pen test exec summary by tomorrow? Pick what you need, request it under NDA, and we'll have it in your inbox within one business day.