Security & Data Protection
Clarity Decision Room (CDR) is architected on secure, enterprise-grade cloud infrastructure and leverages Zoho Creator as the managed platform environment supporting application hosting and data processing.
CDR is purpose-built for structured decision governance. We intentionally limit data categories to reduce regulatory exposure and maintain a focused, security-first architecture.
The underlying infrastructure maintains internationally recognized security certifications and data protection frameworks. For details on Zoho’s compliance programs, refer to Zoho’s compliance documentation.
Infrastructure & Hosting
Zoho maintains industry certifications including SOC 2 Type II and ISO 27001-family standards.
- AES-256 encryption at rest
- TLS 1.2 / 1.3 encryption in transit
- Redundant data centers and failover systems
- Continuous infrastructure monitoring
- GDPR-ready architecture with support for data subject rights
- Alignment with CCPA and other regional data protection regulations
Data Ownership
Customers retain ownership of all Customer Data. CMG processes data solely to operate, maintain, and support the platform.
We do not sell Customer Data and do not use Customer Data to train generalized AI models.
Data Classification & Intended Use
CDR is designed for operational, governance, and execution tracking data. It is not intended to function as a system of record for regulated or highly sensitive data.
- No Protected Health Information (PHI)
- No FERPA-protected student records
- No payment card or financial transaction data
- No government-issued identification numbers (e.g., SSN, passport, national ID)
- No bank account, routing, or tax identification numbers
- No payroll system master records or HRIS full exports
CDR may contain aggregated financial impact data and de-identified workforce modeling used to support structured governance decisions. Such data must not include sensitive personal identifiers.
Customers are responsible for ensuring prohibited data is not uploaded.
Access Controls
- Role-based access control (RBAC)
- Application-level permissions
- Least-privilege configuration
- MFA available via Zoho accounts
Enterprise Documentation
A Data Processing Addendum (DPA), Security Addendum, and Subprocessor Disclosure are available upon written request.
Security inquiries: security@claritymetricsgroup.com