ClearMatch
    // Trust & Security

    Agent-driven doesn't mean lax.

    ClearMatch runs on managed AWS infrastructure — Vercel and Convex Cloud, both SOC 2 Type II audited at the platform layer. Below: how we vet employers, what we do in code, and the controls we inherit from the cloud platforms your data lives on.

    // Employer Verification

    Manual review of every employer

    [✓]

    Manual vetting before data access

    Every employer account is reviewed by a human before the account can search the talent pool, view matches, or contact candidates. New accounts start in a pending state and are blocked from all talent-facing features until approved.
    [✓]

    Work-email only

    Employer signup rejects personal and disposable email domains (gmail, yahoo, outlook, protonmail, mailinator, etc.) at the validator layer on both client and server.
    [✓]

    US-entity attestation

    Every employer attests at signup that their company is a US-based entity hiring for US-based cleared roles. Attestations are stored with timestamps.
    // Infrastructure

    Where your data lives

    [✓]

    SOC 2 Type II audited platform stack

    Our application layer runs on Vercel and our database + auth on Convex Cloud — both SOC 2 Type II audited, both built atop AWS (also SOC 2 Type II). We don't run our own servers; the controls those platforms maintain apply by default.
    [✓]

    Encryption in transit

    HTTPS is enforced end-to-end. HTTP Strict Transport Security (HSTS) tells browsers to refuse plain-HTTP connections for 2 years.
    [✓]

    Encryption at rest

    All database rows and uploaded files (resumes, job descriptions) are encrypted at rest by our infrastructure providers.
    [✓]

    Authenticated uploads

    Resumes and job descriptions can only be uploaded against an authenticated session. Upload URLs are short-lived and single-use.
    // Application Hardening

    What we do in code

    [✓]

    Security headers

    HSTS, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy, and a restrictive Content-Security-Policy on every response.
    [✓]

    Rate limiting

    Signup, sign-in, outreach, and job-refresh endpoints are rate-limited so brute-force credential attacks and wholesale scraping attempts are bounded.
    [✓]

    Passwordless authentication

    We use one-time codes sent to your email — no stored passwords, no reusable credentials to leak.
    [✓]

    Audit trail

    Sensitive operations (outreach sent, employer approvals, admin actions) are written to an immutable audit log for forensic review.
    [✓]

    Typed schema end-to-end

    Every field on every row is validated by an explicit schema. Unexpected shapes are rejected at the database layer.
    // Roadmap

    What's next

    Our infrastructure providers — Vercel, Convex Cloud, and AWS — are SOC 2 Type II audited today. ClearMatch is pursuing its own organizational SOC 2 Type II attestation, alongside routine third-party penetration testing and expanded monitoring. We'll update this page as those land.

    Found something we missed? Email [email protected] — we read every message.