Security
Clara is built for lawyers who handle sensitive client matters. We take confidentiality seriously.
100% EU Infrastructure
All data stored and processed in the EU
End-to-End Encryption
TLS 1.2+ in transit, AES-256 at rest
No AI Training
Your documents never train AI models
CLOUD Act Immunity
No US company in our data chain
1. Our Commitment
Clara is designed for lawyers handling sensitive client matters. We understand that your professional obligations — including attorney-client privilege and legal professional secrecy — require the highest standards of data protection.
Our security principles:
- Privacy by design: Security is built into every feature from the start
- Minimal data exposure: We collect only what's necessary and retain it only as long as needed
- EU-first architecture: All data processing happens within the European Union
- No training on your data: Your documents are never used to train AI models
2. Data Residency
All Clara infrastructure is hosted in the European Union. Your documents, analysis results, and account data never leave EU boundaries.
| Data Type | Location |
|---|---|
| Documents you upload | EU (France) |
| Contract analysis results | EU (France) |
| User accounts & authentication | EU (France) |
| Application logs | EU (France) |
| Backups | EU (France) |
| AI processing | EU (France) |
3. CLOUD Act Immunity
The US CLOUD Act (2018) allows US law enforcement to compel US-headquartered companies to produce data stored on their servers, regardless of where that data is physically located. This creates jurisdictional risk for lawyers using US-based legal AI tools.
Clara's architecture places all customer data outside CLOUD Act jurisdiction.
| Provider | Function | Ownership | CLOUD Act |
|---|---|---|---|
| Scaleway | Cloud infrastructure | French (Iliad Group) | None |
| Mistral AI | Contract analysis | French | None |
| Brevo | Transactional email | French | None |
| Plausible | Analytics | Estonian | None |
No US company has “possession, custody, or control” of your documents — the jurisdictional trigger for CLOUD Act authority. This means US authorities cannot compel production of Clara customer data through any provider in our stack.
For lawyers handling sensitive matters — whether trade secrets, M&A negotiations, or privileged communications — this architectural choice provides meaningful protection against extraterritorial data requests.
4. Encryption
In Transit
All data transmitted between your browser and Clara is encrypted using TLS 1.2 or higher with strong cipher suites that support Forward Secrecy. This includes:
- Document uploads and downloads
- Analysis results
- Authentication credentials
- All API communications
We enforce HTTPS on all connections. HTTP requests are automatically redirected to HTTPS.
At Rest
All stored data is encrypted using AES-256 encryption. This includes:
- Uploaded documents
- Analysis results and extracted text
- Database records
- Backups
5. AI & Document Processing
Clara uses AI to analyze contracts and identify risks. Here's what you need to know:
| Question | Answer |
|---|---|
| Is my data used to train AI models? | No. Your documents are never used for model training. |
| Who can see my documents? | Only you. Clara staff cannot access your document contents. |
| Are documents stored after analysis? | Documents are stored in your account until you delete them. |
| What AI provider do you use? | Mistral AI, a French company. All processing happens on EU infrastructure. |
Mistral AI does not use customer data to train or improve foundation models. This is part of their standard terms of service.
6. Access Controls
Your Account
- Email verification: All accounts require verified email addresses
- Strong passwords: We enforce minimum password requirements
- Two-factor authentication: Optional TOTP-based 2FA available
- Session management: View and revoke active sessions from your settings
- Account deletion: Delete your account and all associated data at any time
Our Team
Clara operates on a principle of least privilege:
- Production systems have no standing human access to customer data
- Infrastructure access requires multi-factor authentication
- All access is logged and audited
- Document contents are not accessible to Clara staff
7. Infrastructure Security
- Private networks: All services run in private networks with no direct internet exposure
- Managed database: Database has no public endpoint — accessible only from within our infrastructure
- Automatic backups: Daily backups with 30-day retention, all encrypted
- Environment separation: Production and development environments are strictly separated
8. Confidentiality Model
Clara is designed to avoid accidental exposure of client-confidential information:
- No human access to document contents: Clara staff do not access your document text, analysis results, or embeddings as part of normal operations
- Redaction-first debugging: We debug using correlation IDs, metrics, and redacted error details (never raw contract text)
- No document content in telemetry: We do not send contract text, extracted text, embeddings, prompts, or model outputs to analytics or error tracking
9. Subprocessors
Clara relies on a small set of subprocessors to deliver the Service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Scaleway | Infrastructure (compute, database, storage) | EU (France) |
| Mistral AI | AI contract analysis | EU (France) |
| Brevo | Transactional email | EU (France) |
| Plausible | Privacy-first analytics | EU (Estonia) |
| Paddle | Payment processing | United Kingdom |
All subprocessors are EU-owned and EU-hosted (except Paddle UK, which benefits from UK adequacy decision). A Data Processing Agreement (DPA) is available on request.
10. Incident Response
- 24/7 automated monitoring for security events
- Alerting on suspicious activity
- Documented incident response procedures
- Commitment to notify affected users within GDPR timelines (72 hours) in case of a data breach
11. Vulnerability Disclosure
We welcome responsible security research. If you discover a security vulnerability:
- Email us at support@clara.legal
- Include a description of the vulnerability and steps to reproduce
- Allow us reasonable time to address the issue before public disclosure
We commit to:
- Acknowledging receipt within 2 business days
- Providing regular updates on remediation progress
- Not pursuing legal action against good-faith security researchers
12. Contact
If you have questions about our security practices or need documentation for your firm's compliance requirements:
Astor Ventures B.V.KvK: 83221298
Amsterdam, Netherlands
Email: support@clara.legal
Data Processing Agreement (DPA): Available on request for business customers.