Trust

Trust & Security

How we protect your firm's data and the documents your clients upload.

Last updated: 10 June 2026
Summary:

Your documents are encrypted in transit (HTTPS/TLS) and at rest, hosted on DigitalOcean in the United States (NYC), and reached only through your authenticated account or a time-limited client portal link. We log access, back data up regularly, and commit to notifying you within 72 hours of any breach affecting your data. Operated by DIGITFORGE LTD (UK), aligned with GDPR and UK GDPR. We do not hold SOC 2 or ISO 27001 certifications today — if your firm requires either, please contact us before signing up.

1.What this page covers

This page is a single, plain-English overview of how ClearBinder handles security and trust. It pulls together what's already documented in our Privacy Policy and Data Processing Addendum, so accountants and their compliance teams don't have to read both end-to-end to answer the questions that come up most.

If you need a contract that legally binds these commitments, the Data Processing Addendum is the controlling document.

2.Where your data lives

Application servers, the primary database, and encrypted file storage all run on DigitalOcean, LLC infrastructure in New York (NYC) datacenters, United States. We do not replicate customer data to any other region without notice.

For customers and clients in the EEA or UK, the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum apply to that transfer, as set out in the DPA.

3.Encryption in transit and at rest

  • In transit. All traffic to and from ClearBinder — including the marketing site, the accountant dashboard, and every client portal link — is served over HTTPS with TLS. Plain HTTP is redirected.
  • At rest. Uploaded documents are stored in encrypted file storage. Database backups are stored encrypted.
  • Credentials. Account passwords are stored using industry-standard hashing — never in plaintext, never recoverable in their original form. Two-factor authentication recovery codes are stored hashed where possible.

4.Access controls

Different actors get different doors:

  • Accountant accounts. Email and password sign-in, with optional two-factor authentication via authenticator app. Recovery codes are issued when 2FA is enabled. Anti-forgery tokens protect every state-changing request.
  • Client portal access. Clients never need an account, password, or login. They open documents through time-limited, single-use access links sent to the email address you provided. The link grants access to the specific request they were sent — nothing else.
  • Internal staff. Internal access to production systems follows the principle of least privilege. Everyone authorised to handle Personal Data is bound by confidentiality obligations.
  • Rate limiting. Sensitive endpoints — sign-in, registration, password reset, portal link redemption — are rate-limited to slow down credential stuffing and link-guessing attempts.
  • Audit logs. Every meaningful action on the platform is logged with a timestamp, the responsible actor, and the affected record, supporting both your day-to-day review and any future security investigation.

5.Sub-processors

We use a deliberately small set of vendors. Each is contractually bound to data-protection obligations no less protective than those in our DPA.

Sub-processor What they do for us Location
Stripe, Inc. Subscription billing and card processing. Stripe receives card details; we never see your full card number. US / EU (SCCs applied)
Resend Transactional email delivery (account verification, magic links, request notifications, billing receipts). US (SCCs applied)
DigitalOcean, LLC Application hosting and primary database. United States (NYC) (SCCs applied)
DigitalOcean, LLC Encrypted file storage for uploaded documents. United States (NYC) (SCCs applied)

We notify customers of any intended change to this list at least 30 days in advance, giving you the opportunity to object on reasonable grounds.

6.Backups and retention

  • Backups. The database is backed up on a regular schedule. Backups are stored encrypted and access to them is restricted.
  • Active accounts. We keep your data while your account is active and for the duration of your subscription.
  • Closed accounts. After you close your account, we keep account metadata for up to 30 days to allow recovery, then delete or anonymise it. Some data — like invoices — may be retained longer to meet legal obligations.
  • Documents and uploads. Controlled by you. You can delete documents and requests at any time. Deleted items are removed from active systems immediately and from backups within a reasonable retention cycle.
  • Audit logs. Retained as long as needed to support security investigations and legal obligations, typically up to 24 months.

7.Incident response

If we become aware of a Personal Data breach affecting your data, we will notify you without undue delay — and in any event within 72 hours of becoming aware. The notification will include, to the extent known at the time:

  • The nature of the breach, including the categories and approximate number of data subjects and records concerned;
  • The likely consequences of the breach;
  • The measures we've taken or proposed to address it and mitigate its effects;
  • Contact details for follow-up.

We'll reasonably assist you in meeting any breach notification obligations you have to authorities or affected individuals.

We operate continuous error and uptime monitoring. Issues we detect operationally are triaged the same way we'd triage a security event: investigate root cause, contain, notify if customer data was involved.

8.Compliance posture — what we do and don't claim

We'd rather tell you the truth than over-claim. Here's the honest picture:

What we do

  • Operate under the EU and UK GDPR. Our Data Processing Addendum follows the structure of Article 28 (controller / processor obligations).
  • Sign a DPA with every paying customer who needs one. The current version is published, can be downloaded directly from the DPA page, and incorporates the EU SCCs (Module Two) and the UK IDTA for international transfers.
  • Respect Data Subject access, correction, deletion, portability, restriction, and objection rights under the GDPR — see the Privacy Policy for how those are exercised.
  • Apply the technical and organisational measures described in this page and in DPA Section 5.

What we don't claim

  • We do not currently hold SOC 2 Type I or Type II certification.
  • We do not currently hold ISO 27001 certification.
  • We are not currently audited under HIPAA and the platform is not intended for Protected Health Information.
  • We do not operate a public bug-bounty programme today. Reports are still very welcome — see the next section.

If your firm or a regulator requires any of the above and it's blocking onboarding, get in touch before signing up. We'd rather know up front.

9.Reporting a security issue

If you believe you've found a security vulnerability in ClearBinder, please report it to [email protected]. Include:

  • A description of the issue and its potential impact;
  • Steps to reproduce, ideally with a minimal example;
  • The URL, endpoint, or screen affected;
  • Any logs, screenshots, or proof-of-concept that helps us reproduce it.

We commit to acknowledging your report within 2 business days. We ask that, while we investigate, you act in good faith: do not access or modify other people's data, do not perform testing that could degrade service for other users, and do not publicly disclose the issue before we've had a reasonable opportunity to fix it.

We're a small company, but we take this seriously. Responsible disclosure earns a sincere thank-you and, where appropriate, public credit.

10.Contact

General privacy and data protection questions: [email protected].

Security reports: [email protected].

Postal: DIGITFORGE LTD (Company No. 17091016), Office 9489, 321-323 High Road, Chadwell Heath, Essex, RM6 6AX, United Kingdom.