Trust & Security

Security at ClearAnalytics

Last updated: July 2026

In short: Security and privacy are the same goal for us. We collect no personal data from your visitors, keep all data inside the EU, isolate every customer in its own database, and protect accounts with modern authentication. Below is a factual overview of the measures built into the product.

Data residency & isolation

  • All data is processed and stored exclusively on infrastructure within the European Union (Hetzner, Germany).
  • Every customer runs in a separate, isolated database (database-per-tenant), so one customer's data is never mixed with another's.
  • Identifiers use non-sequential ULIDs, so records cannot be guessed or enumerated.

Encryption

  • All traffic is served over HTTPS/TLS. Data is encrypted in transit end to end.
  • Sensitive third-party credentials and OAuth tokens are encrypted at the application layer (AES-256) before they are stored.
  • Account passwords are never stored in plain text; they are hashed with bcrypt.

Authentication & access

  • Optional two-factor authentication (TOTP) for dashboard accounts.
  • Passwordless login with passkeys (WebAuthn / FIDO2).
  • Email verification on registration and secure password reset flows.
  • Team access is role-based, so members only see what they are permitted to.

API & MCP security

  • API access uses scoped Bearer tokens with optional expiry and last-used tracking, revocable at any time.
  • A one-time-password (OTP) flow protects programmatic login.
  • All authenticated endpoints and the MCP server are rate limited to prevent abuse.
  • Tokens are tenant-scoped, so an API token can only reach the data it is authorised for.

Privacy by design

  • No cookies, no localStorage, no fingerprinting, no cross-site tracking.
  • Visitor IP addresses are hashed with a daily-rotating salt and immediately discarded — they are never stored.
  • We collect no personal data from your website visitors, which minimises what could ever be exposed.
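
One way the daily-rotating salt described above can work, shown as an added example that is not ClearAnalytics' own code: the IP is fed into a keyed hash and then dropped, so repeat visits match within a day but cannot be linked across days. The HMAC-SHA256 construction, the use of the hash as a same-day uniqueness key, and the names DailySaltStore, visitor_id, count_unique_visitors and SAMPLE_HITS are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltStore:
    """Holds only the current day's random salt (hypothetical helper)."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Day changed: overwrite the salt. The old one is not kept, so
            # earlier hashes can no longer be recomputed from a known IP.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salts, day, site, ip, user_agent):
    """Same-day pseudonymous key; the raw IP is not returned or stored."""
    message = "\x00".join((site, ip, user_agent)).encode()
    return hmac.new(salts.salt_for(day), message, hashlib.sha256).hexdigest()


def count_unique_visitors(salts, hits):
    """hits: (day, site, ip, user_agent) tuples in date order."""
    seen = {}
    for day, site, ip, user_agent in hits:
        key = visitor_id(salts, day, site, ip, user_agent)
        seen.setdefault((day, site), set()).add(key)
    return {bucket: len(ids) for bucket, ids in seen.items()}


# Constructed sample hits using documentation-range IP addresses.
SAMPLE_HITS = [
    (date(2026, 7, 1), "example.test", "203.0.113.7", "Mozilla/5.0 A"),
    (date(2026, 7, 1), "example.test", "203.0.113.7", "Mozilla/5.0 A"),
    (date(2026, 7, 1), "example.test", "198.51.100.9", "Mozilla/5.0 B"),
    (date(2026, 7, 2), "example.test", "203.0.113.7", "Mozilla/5.0 A"),
]

if __name__ == "__main__":
    print(count_unique_visitors(DailySaltStore(), SAMPLE_HITS))
```

The salt has to be random and secret rather than derived from the date: the IPv4 space is small enough that an unsalted or predictably salted hash can be reversed by trying every address.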

Operational resilience

  • Automated database backups protect against data loss.
  • The application is built on Laravel and PostgreSQL, kept current with security updates.
  • Rate limiting and abuse detection guard the tracking and dashboard endpoints.

Responsible disclosure

Found a vulnerability? We appreciate your help. Please email security@clearanalytics.eu with the details and steps to reproduce. Give us a reasonable window to investigate and fix the issue before public disclosure, and please do not access or modify data that is not yours. We do not pursue legal action against researchers who act in good faith.

Machine-readable contact: /.well-known/security.txt