Trust & Safety

Welcome to Clear's trust and safety center.

We protect your data so that you can use our services worry-free.

We safeguard your data

We value your data as if it were our own. All of our certifications and licences, including our GSP licence, were awarded after rigorous scrutiny of our systems and multiple VAPT (vulnerability assessment and penetration testing) audits.

Security

Security is the first of our key pillars and is built into the fabric of our applications. We secure your data and apps so that you can focus, worry-free, on what matters to you.

Privacy

We follow industry best practices to prevent unauthorised access to your data. Your data is encrypted so that only our applications can use it, and only when you allow them to.

Compliance

We are ISO 27001:2013 certified and SOC 2 Type 2 compliant so that our customers can trust us with their data. Our services are secured with TLS (SSL), and we are a certified GSP (GST Suvidha Provider).

Security at Clear

Security is built into the fabric of our cloud products, infrastructure, and processes, so you can rest assured that your data is safeguarded.

Confidentiality

Keeping our customers' data safe and secure is very important to us. Data in transit is encrypted so that it cannot be read by anyone who intercepts it.

Processing integrity

We ensure the complete and timely processing of your information. Our infrastructure is designed to scale with demand so that processing keeps pace with request volume.

Encryption

Your data is transmitted over TLS (SSL) encrypted connections: an encrypted link is established between your browser and our servers every time you connect to us. We are SOC 2 Type 2 compliant.

Cloud security

We monitor our AWS infrastructure continuously for attacks, and we release regular security updates to patch vulnerabilities and keep current with emerging threats.

Privacy at Clear

At Clear, your data is your data. We do not share it with any third party, and we do not use it for any purpose other than providing our services to you.

No sharing

Once you enter your data into our system, it is kept in encrypted cloud storage. We do not allow any third party to access your data unless you explicitly allow it. At Clear, your data is our responsibility.

Restricted data access

No person at Clear can view your data; only our applications process it, and only when you explicitly allow it. We also maintain encryption standards so that only our applications can read your data.

For further details, please refer to our privacy policy and terms of use.

Compliance at Clear

GST Suvidha Provider (GSP)

A GST Suvidha Provider (GSP) is an authorised intermediary through which businesses access GST portal services. Our GSP licence was awarded after rigorous scrutiny of our systems and multiple VAPT audits.

ISO 27001:2013

We were awarded this certification after a systematic examination of our information security risks, threats, vulnerabilities and impacts. We comply with the latest standards of enterprise information security.

SOC2 Type 2

We have successfully completed a SOC 2 Type 2 audit, which evaluates the design and operating effectiveness of our controls over a period of time against the five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. With Clear, you are secure.

SSL Secure

Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), is the internet-standard technology for establishing an encrypted link between our servers and your devices. Transport encryption is one of the basic building blocks of our security system.

Trust and safety FAQs

Where has ClearTax hosted its production systems?

ClearTax uses AWS to host its production systems. All of our cloud infrastructure runs in the ap-south-1 (Mumbai) region.

What are the certifications that Clear has?

We hold an ISO 27001:2013 certificate (expires 22 July 2022).

We have a SOC 2 Type 2 audit report dated 8 August 2021 (audit period 16 July 2020 to 15 July 2021).

We maintain up-to-date VAPT reports for our applications. For some of the critical applications, we perform VAPT at least twice in a calendar year. Open issues are fixed within 30 days and retested by the VAPT vendor.

For the GSP, the VAPT is performed by a CERT-In empanelled vendor (listed as vendor #50, Sumasoft). The last VAPT was performed between 6 July and 13 July; the next test will be performed during the last week of May 2022.

Does ClearTax have an “Access Control” policy?

Yes. We have an “Access Control” policy in place, and access is granted to individuals on a “need to know” basis only after it is approved by the respective manager or BU head.

As part of our ISO 27001:2013 and SOC 2 Type 2 audit processes, we review access controls at least quarterly.

Does ClearTax have a setup for “Disaster Recovery” (DR)?

Yes, we have a DR policy. Our production systems are deployed across multiple availability zones within the AWS Mumbai region. For resiliency, we run multiple copies of all our services. The database also runs as a two-node cluster spread across two availability zones. We perform a secondary-to-primary switch of our database servers at least once every two months to test that failover works smoothly.

Does ClearTax have a policy for “Business Continuity Planning” (BCP)?

Yes, we have the required BCP process in place. We perform table-top exercises in which all the major stakeholders (IT, Support, HR, Engineering) meet, discuss the open points, agree on action items and work on them.

As evidence of this, when Covid-19 struck we did not have to make any major changes to enable work from home for all our employees.

Does ClearTax undergo VAPT frequently?

Yes. We perform VAPT frequently for all our products. For some of the important ones, it is done at least twice in a calendar year.

Open issues from a VAPT are fixed and retested by the VAPT vendor within 30 days, and we obtain a retesting report for the fixes we have made.

The timelines for fixing issues reported in a VAPT report are:
- CRITICAL - 2-4 hours
- HIGH - 24-48 hours
- MEDIUM - 1-2 weeks
- LOW - Before the next VAPT. 

What is covered as part of the VAPT?

Following are some of the areas covered in VAPT:

- Authenticated user testing for session and authentication issues
- Authorization testing for privilege escalation and access control issues
- Input injection tests (SQL injection, XSS, and others)
- Platform configuration and infrastructure tests
- OWASP Top 10 Assessment

Is ClearTax compliant with OWASP Top 10?

Yes. Our applications are tested against the OWASP Top 10 vulnerabilities.

Does ClearTax use customer’s data for any other purposes?

No. Data ingested by customers belongs to them; ClearTax, its employees and its partners do not have access to customer data.

How does ClearTax monitor its production systems for any security incidents?

VPC Flow Logs are enabled in our AWS account and are consumed by Amazon GuardDuty. When GuardDuty detects an anomaly it raises a finding, and these findings are integrated with PagerDuty.

Our on-call engineers are notified on their mobile phones whenever such an incident occurs.

Our application and load balancer logs are ingested into a log analytics tool, and we are notified of any outliers.

How does ClearTax handle security incidents?

We have a security incident disclosure policy in place. Security researchers can reach us at security-reports@cleartax.in with their findings.

Whenever a security researcher reports an issue, it is triaged internally, the responsible teams fix it, and the fix is rolled out to production. We reward researchers who report high-severity issues.

Does ClearTax maintain different environments for the Development, Testing, Demo, PreProd, Production?

Yes, we use separate environments for testing, demo, preprod, staging and production.

Access to the lower environments is provided to the engineering teams.

For the production environment, only the five-member DevOps team has access.

How does ClearTax segregate the customer’s data in the database?

Customers' data is logically segregated in our database. The segregation is keyed on a uniquely identifiable field, for example GSTIN, customer ID or organisation ID.

We have an authorisation service that validates every incoming request against that uniquely identifiable field.

The application's business logic fetches only the data belonging to the requesting customer, and nobody else's.

There is no physical segregation of customers' data: it is not feasible to create a new database cluster for every single customer or enterprise that we onboard.
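The three paragraphs above describe the standard shared-table, logically segregated multi-tenant model: one table, a tenant key on every row, an authorisation step that pins the request to a tenant, and business logic that never queries without that key. The example below is an added illustration written for this page, not Clear's code; the table, the organisation IDs, the GSTINs and the Session type are all constructed. It places the weak version (filtering by whatever tenant ID the client sends, the classic insecure direct object reference) beside the hardened version (the tenant ID comes from the authenticated session, and even primary-key lookups are scoped), so the difference an auditor would look for is visible in code.

```python
"""Logical tenant segregation: added illustration, not Clear's code.

Constructed in-memory table shared by two tenants, keyed on org_id (the page
also mentions GSTIN and customer IDs as possible keys).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows: both organisations live in the same table.
INVOICES = [
    {"id": 1, "org_id": "ORG-A", "gstin": "27AAAAA0000A1Z5", "amount": 1200},
    {"id": 2, "org_id": "ORG-A", "gstin": "27AAAAA0000A1Z5", "amount": 800},
    {"id": 3, "org_id": "ORG-B", "gstin": "29BBBBB1111B1Z4", "amount": 5000},
]


@dataclass(frozen=True)
class Session:
    """Authenticated context (hypothetical). org_id is bound at login and is
    never read from the request body or query string."""
    user: str
    org_id: str


class TenantMismatch(Exception):
    """Raised when a request names a tenant other than the session's own."""


def fetch_invoices_trusting_client(requested_org_id: str) -> list:
    """Weak pattern (insecure direct object reference): the filter is built from
    whatever org_id the client sent, so any caller can read any tenant's rows."""
    return [row for row in INVOICES if row["org_id"] == requested_org_id]


def authorize_tenant(session: Session, requested_org_id: str) -> str:
    """Authorisation check: the tenant named in the request must be the one the
    session was authenticated for. Returns the trusted org_id for querying."""
    if requested_org_id != session.org_id:
        raise TenantMismatch(
            f"user {session.user!r} of {session.org_id} requested {requested_org_id}"
        )
    return session.org_id


def fetch_invoices(session: Session, requested_org_id: str) -> list:
    """Hardened pattern: every query is scoped by the org_id the session owns."""
    org_id = authorize_tenant(session, requested_org_id)
    return [row for row in INVOICES if row["org_id"] == org_id]


def fetch_invoice_by_id(session: Session, invoice_id: int) -> Optional[dict]:
    """Primary-key lookups are scoped too: a foreign tenant's id behaves exactly
    like a non-existent one, so the response leaks neither data nor existence."""
    for row in INVOICES:
        if row["id"] == invoice_id and row["org_id"] == session.org_id:
            return row
    return None


def cross_tenant_denied(session: Session, other_org_id: str) -> bool:
    """True if the hardened path refuses a request for another tenant's data."""
    try:
        fetch_invoices(session, other_org_id)
    except TenantMismatch:
        return True
    return False


if __name__ == "__main__":
    alice = Session(user="alice", org_id="ORG-A")
    # Weak path: Alice (ORG-A) reads ORG-B's invoice simply by asking for it.
    print("weak path leaks:", fetch_invoices_trusting_client("ORG-B"))
    # Hardened path: scoped to ORG-A, and a request for ORG-B is refused.
    print("own rows:", len(fetch_invoices(alice, "ORG-A")))
    print("cross-tenant denied:", cross_tenant_denied(alice, "ORG-B"))
    print("foreign id by primary key:", fetch_invoice_by_id(alice, 3))
```

The point of the hardened version is that the tenant key is an input to the data layer, not to the client: the session supplies it, the authorisation step compares it with whatever the request claims, and every query, including lookups by primary key, carries it. A VAPT authorisation test (see the list of areas covered below) is essentially an attempt to make the weak path happen in a real application.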

Do ClearTax's applications support SSO (Single Sign-On)?

Yes. Customers with a GSuite (Google Workspace) licence can enable SSO and, through it, Multi-Factor Authentication (MFA) for their accounts.

Does ClearTax support IP whitelisting for access to its applications?

No. ClearTax does not support IP whitelisting on its infrastructure. It is the customer's responsibility to whitelist ClearTax's IP addresses in their own firewall settings.

Many of our CA and SME customers do not have a static IP address, so it is not possible to whitelist each customer's IP.

How does ClearTax make sure that the data resides within the boundaries of India?

Whenever a new database cluster is created, it goes through a review and verification process to confirm that it is created only in the ap-south-1 (Mumbai) region.

We hold a declaration from our Cloud Service Provider (CSP) that it undergoes STQC audits and is recognised by the Ministry of Electronics and Information Technology (MeitY). As per this declaration, AWS creates the infrastructure in the Mumbai region.
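The region review described above is a manual control; a practitioner would normally back it with a detective check that can be run on a schedule. The example below is an added illustration, not Clear's own process or tooling. It parses the region field out of AWS ARNs (layout arn:partition:service:region:account-id:resource) and flags any database cluster outside ap-south-1; the account ID, cluster names and the inventory list are constructed, and in practice the list would come from `aws rds describe-db-clusters` run against every enabled region. For contrast it also carries a service control policy fragment that would prevent the misplacement in the first place, using the real aws:RequestedRegion condition key; the policy is illustrative and is not attached to anything here.

```python
"""Region guardrail check: added illustration, not Clear's review process.

Parses the region out of AWS ARNs and flags database clusters that are not in
the allowed region. ARN layout: arn:partition:service:region:account-id:resource.
"""
from typing import List

ALLOWED_REGION = "ap-south-1"  # Mumbai

# Constructed sample inventory; the account id and cluster names are made up.
CLUSTER_ARNS = [
    "arn:aws:rds:ap-south-1:123456789012:cluster:gst-prod-1",
    "arn:aws:rds:ap-south-1:123456789012:cluster:gst-prod-2",
    "arn:aws:rds:us-east-1:123456789012:cluster:scratch-copy",
]

# Illustrative preventive control (not attached anywhere here): a service control
# policy denying RDS cluster/instance creation outside the allowed region. The
# aws:RequestedRegion condition key and the two rds: actions are real.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["rds:CreateDBCluster", "rds:CreateDBInstance"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGION}},
    }],
}


def arn_region(arn: str) -> str:
    """Return the region component of an ARN, raising on malformed input.
    maxsplit=5 keeps resource parts that themselves contain colons intact."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def out_of_region(arns: List[str], allowed: str = ALLOWED_REGION) -> List[str]:
    """Return the ARNs whose region differs from the allowed one (detective check)."""
    return [arn for arn in arns if arn_region(arn) != allowed]


if __name__ == "__main__":
    offenders = out_of_region(CLUSTER_ARNS)
    for arn in offenders:
        print("OUT OF REGION:", arn)
    print("ok" if not offenders else f"{len(offenders)} cluster(s) outside {ALLOWED_REGION}")
```

Run against a real inventory, a non-empty result from out_of_region is a data-residency finding to raise with whoever approved the cluster; the SCP fragment shows the shape of the control that would make the finding impossible rather than merely detected.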
