// Trust & Security

Agent-driven doesn't mean lax.

ClearMatch runs on managed AWS infrastructure — Vercel and Convex Cloud, both SOC 2 Type II audited at the platform layer. Below: how we vet employers, what we do in code, and the controls we inherit from the cloud platforms your data lives on.

// Employer Verification

Manual review of every employer

[✓] Manual vetting before data access

Every employer account is reviewed by a human before the account can search the talent pool, view matches, or contact candidates. New accounts start in a pending state and are blocked from all talent-facing features until approved.

[✓] Work-email only

Employer signup rejects personal and disposable email domains (gmail, yahoo, outlook, protonmail, mailinator, etc.) at the validator layer on both client and server.

[✓] US-entity attestation

Every employer attests at signup that their company is a US-based entity hiring for US-based cleared roles. Attestations are stored with timestamps.

// Infrastructure

Where your data lives

[✓] SOC 2 Type II audited platform stack

Our application layer runs on Vercel and our database + auth on Convex Cloud — both SOC 2 Type II audited, both built atop AWS (also SOC 2 Type II). We don't run our own servers; the controls those platforms maintain apply by default.

[✓] Encryption in transit

HTTPS is enforced end-to-end. HTTP Strict Transport Security (HSTS) tells browsers to refuse plain-HTTP connections for 2 years.

[✓] Encryption at rest

All database rows and uploaded files (resumes, job descriptions) are encrypted at rest by our infrastructure providers.

[✓] Authenticated uploads

Resumes and job descriptions can only be uploaded against an authenticated session. Upload URLs are short-lived and single-use.

// Application Hardening

What we do in code

[✓] Security headers

Every response carries HSTS, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy, and a restrictive Content-Security-Policy.

[✓] Rate limiting

Signup, sign-in, outreach, and job-refresh endpoints are rate-limited so brute-force credential attacks and wholesale scraping attempts are bounded.

[✓] Passwordless authentication

We use one-time codes sent to your email — no stored passwords, no reusable credentials to leak.

[✓] Audit trail

Sensitive operations (outreach sent, employer approvals, admin actions) are written to an immutable audit log for forensic review.

[✓] Typed schema end-to-end

Every field on every row is validated by an explicit schema. Unexpected shapes are rejected at the database layer.

// Roadmap

What's next

Our infrastructure providers — Vercel, Convex Cloud, and AWS — are SOC 2 Type II audited today. ClearMatch is pursuing its own organizational SOC 2 Type II attestation, alongside routine third-party penetration testing and expanded monitoring. We'll update this page as those land.

Found something we missed? Email [email protected] — we read every message.