Clearbit’s Commitment to Trust

At Clearbit, your data always remains your data. We do our best to safeguard it by investing in security and honoring privacy principles as core tenets of our business. Our Trust Center provides helpful information about our legal terms of service, data privacy and compliance practices, security measures and our service performance. We're here to help!

Below are the key legal documents and policies that govern Clearbit’s services:

Data Governance and Privacy at Clearbit

Overview

Clearbit is a B2B marketing data engine that helps businesses discover and attract more ideal prospects, personalize their marketing and sales interactions, and enrich and inform their go-to-market systems.

Our Services are designed to help our customers and partners in a wide variety of ways, including by helping them determine which companies might make the best customers, identify the contacts within those organizations by department, role or seniority that might improve or expedite their interactions with those companies, and enabling them to personalize their interactions with those companies.

Clearbit primarily processes B2B data for your use within a business context, regardless of where an individual is based, across all of our solutions. This is essentially information that is available on someone’s business card, email signatures or company websites. Clearbit does not provide or collect consumer data, which includes, but is not limited to, things like web browsing history, health records, financial information, or economic status.

Our proprietary indexing systems ("Clearbit Indexers") collect information from a variety of sources in order to compile "Attribute Data" about corporations, non-profits, and similar entities ("Companies") and the professionals that work for them ("Professionals"). A complete list of Attribute Data we make available to users of the Site and Services (defined below) can be found at www.clearbit.com/attributes.

Clearbit acquires the data used in its Services either through public datasets, third-party paid sources or when users use our free tools such as our Logo API, and they contribute data back to us as a result of their use.

Data Privacy

At Clearbit, privacy and security are top priorities for us. Clearbit understands the importance of protecting the critical business and personal information entrusted to Clearbit by its customers.

Clearbit is a registered data broker in California and Vermont, and is subject to CCPA (California Consumer Privacy Act) and other applicable US privacy laws. We’re aligned with the General Data Protection Regulation (GDPR) principles. We continue to bolster our already-strong data protection practices by continuously evaluating and updating our company privacy policies and practices.

For privacy inquiries, please contact privacy@clearbit.com.


Clearbit and the GDPR

The EU's General Data Protection Regulation (GDPR) strengthens the rights of EU individuals regarding how their personal data is used & collected.

Clearbit is headquartered in the United States. Our websites and services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States. However, some of our enterprise customers may be based in the EU or engage in other activities that require them to comply with the GDPR.

Today, thousands of organizations rely on Clearbit as the data backbone for their sales and marketing efforts. We know that our customers take the GDPR seriously and need vendors that can accommodate their GDPR obligations. Our legal, operations, and product teams therefore work to ensure that we have appropriate product safeguards, policies, and knowledge to support our customers' continued use of Clearbit via our Platform and APIs.

Since some elements of Attribute Data are not collected from data subjects directly, Clearbit’s processing activities are based on (i) consent or (ii) the legitimate interest of both Clearbit and its business customers, among other legal bases as applicable depending on the context. Clearbit’s data is processed to provide business intelligence (for sales, marketing, and operations) and help organizations drive revenue by providing users with accurate and up-to-date business information.

Legitimate Interest and Data Protection Impact Assessment

Most modern privacy regimes require that personal data be obtained and processed lawfully and fairly. Personal data should be collected and processed for a legitimate purpose, after balancing the interests of the organization against the interests and rights of the individual whose data is processed.

Clearbit conducted a Data Protection Impact Assessment (“DPIA”) with the help of privacy experts. The DPIA confirms that Clearbit’s processing of business profile information satisfies the grounds for processing personal data on the basis of legitimate interest. It also determined that this legitimate interest is not overridden by the interests or fundamental rights and freedoms of the data subjects that require protection of personal data. The findings were:

  • Nature of the data. The information collected by Clearbit is extremely limited. It does not contain any special categories of personal data and is not related to children.
  • Reasonable expectations of Contacts. Although any personal information about data subjects that we provide our customers access to can be found on business social platforms or during the course of normal business correspondence, we do not collect data directly from the data subjects. As a result, they may not know that their data is in our database. They can always exercise their rights in relation to their data through our Privacy Request Form.
  • Processing proportionate to the purpose. Clearbit follows data minimization principles and only collects data that are strictly necessary to achieve its purposes. Clearbit has processes in place to limit the data processed to business contact information which is professional in nature. Through our Privacy Request Form, individuals can claim control over their data.

Data subject rights

Clearbit operates in accordance with fundamental privacy principles that underlie global privacy regulations, with respect to an individual’s right to know what personal data is collected and how it is used or otherwise processed. Clearbit has features that support customers' ability to handle data subject requests, such as requests for access, correction, or erasure, by allowing individuals to access and modify applicable personal information via our Privacy Request Form.

Data deletion and retention

Clearbit periodically verifies the accuracy of the information in its databases. Data found to be inaccurate or out of date is removed. In addition, we honor all opt-out requests: if a person requests deletion of their data, that data is deleted.

When a customer terminates their contract with us, we delete their account and remove any associations between that customer and data in our databases promptly, and in any case within 90 days of termination of the contract.

Data access

Clearbit enforces the principle of least privilege and has documented segregation of duties. We also enforce formal logical and account separation between the development, QA and production environments.

Data residency

Currently, Clearbit stores all its data on the servers of US-based cloud providers. The GDPR does not require the personal data of EU residents to be stored only within the EU; it does require that transfers to countries outside the EEA, such as the United States, rest on a recognised transfer mechanism (GDPR Chapter V).

Subprocessors

We maintain a list of the subprocessors that we use as part of our products and services, including the activities and services performed by such subprocessors and their country location.

Privacy notices

Our privacy policy is available at https://clearbit.com/privacy.

We operate in accordance with internal privacy and data protection policies that are based on privacy principles that underlie international privacy regimes, including the GDPR and the California Consumer Privacy Act (CCPA). We actively monitor and intend to comply with any new applicable privacy laws.

Training and awareness

We require annual privacy and security training that’s mandatory for all Clearbit personnel. These trainings are actively tracked and regularly reviewed to help ensure compliance and relevance for our business activities. We also deliver periodic privacy and security communications to supplement required trainings, further reinforcing data privacy and data security best practices.

Governance and accountability

Clearbit’s privacy program is directed and overseen by its VP, Legal and Privacy and a team of dedicated professionals. IAPP-certified privacy professionals review company activity with privacy and data protection implications, assess compliance and make recommendations to help meet compliance requirements.

Privacy by design

Our product and engineering teams work closely with our global privacy team to embed privacy principles in our products and services and help ensure privacy compliance with respect to the various phases of product development, starting at concept, through requirements gathering, to implementation and release. Beyond product development activities, our privacy team drives our privacy by design approach on a corporate-wide basis, including assessing a variety of activities across the company involving personal data for privacy compliance.

Compliance

People, process and technology are all considerations in how we approach information security and data privacy. To validate the effectiveness of our internal security controls, we engaged an independent auditor to assess our compliance with a framework designed for service organizations such as software-as-a-service (SaaS) providers. Our security program is evaluated against the AICPA’s SOC 2 Trust Services Criteria, aligned with the controls in the COSO 2013 framework.

Clearbit is SOC 2 Type 2 Compliant


Security

Clearbit has implemented a security strategy informed by emerging trends in the cybersecurity field and by the common threats that affect businesses in the technology sector. We maintain a security leadership committee that provides executive-level oversight and approval for security and compliance policy initiatives and planning. The committee reviews, recommends changes to, and formally accepts internal Information Security policies and processes.

Personnel Security

We perform comprehensive background screenings on all new employees. All employees are required to sign non-disclosure agreements at the time of hire. Completion of our awareness and training program is required for all new hires as part of their onboarding plan. Ongoing refresher training activities are carried out throughout the year and participation is tracked.

Cloud and Network Architecture

Clearbit utilizes Amazon Web Services and Google Cloud Platform data centers located in the United States.

The AWS and GCP cloud infrastructure is designed and managed in compliance with regulations, standards, and best practices including SOC 2, ISO 27001, FedRAMP, GDPR, CCPA, and PCI DSS Level 1. Under the cloud shared-responsibility model these attestations cover the providers’ underlying infrastructure; the controls above that layer, described in the sections that follow, are Clearbit’s own. The providers’ compliance programs are documented at https://aws.amazon.com/compliance/programs/ and https://cloud.google.com/security/compliance.

The application is architected, at a minimum, with N+1 redundancy for network and power failover protection. All servers, firewalls, switches, load balancers, and routers are fully redundant. In the event of component failure, a redundant counterpart is available to handle the load, so our systems remain available.

Securing Clearbit Applications

We engage third-party security experts to perform comprehensive penetration tests annually or in response to significant architectural or application changes. Nessus is used to perform monthly vulnerability scans and Dependabot detects vulnerabilities in our third party package dependencies. Results of these tests are shared with our engineering team to review and prioritize remediation.

Clearbit adheres to a Software Development Lifecycle Policy. Code is evaluated for design, functionality, and expected security exposures, including common OWASP Top 10 for web applications and APIs. Changes to the source code are governed by standardized change management processes. In addition to automated and manual testing, our code is peer reviewed prior to being deployed to production.

Clearbit’s APIs are designed to deliver a highly available, scalable solution for customers, while maintaining core security protections. Every request requires authentication using an account holder’s secret API key via HTTP Basic Auth. OAuth 2.0 is also supported for enabling third-party application access to the service. Clearbit imposes a number of rate limiting controls to automatically block malicious traffic and protect accounts from abuse.
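The paragraph above describes the client side of the API contract: a secret key presented via HTTP Basic Auth, and rate limiting that a well-behaved client must back off from. The following is an added example, not Clearbit’s own code, of how a client should handle both. It assumes (the page does not say) that the key is sent as the Basic Auth username with an empty password and that a rate-limited (HTTP 429) response carries a Retry-After header in seconds; the endpoint URL and the network transport are constructed so the code runs offline. Note that Basic Auth only base64-encodes the key, so the TLS described in the next section is the only thing protecting it on the wire.

```python
"""Added example (not Clearbit's code): HTTP Basic Auth with a secret API key
plus 429-aware retry with backoff. Transport is faked so this runs offline.
Assumptions: key goes in the Basic Auth username, password empty; a 429
response may carry Retry-After (seconds)."""
import base64
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# Any callable (url, headers) -> Response; in real use this wraps an HTTPS client.
Transport = Callable[[str, Dict[str, str]], Response]


def basic_auth_header(api_key: str) -> str:
    """Build the Authorization header. Basic Auth is base64, not encryption:
    the key is protected only by TLS on the wire. A ':' in the key would be
    parsed as the user/password separator, so reject it."""
    if not api_key or ":" in api_key:
        raise ValueError("API key must be non-empty and must not contain ':'")
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def redact(header_value: str) -> str:
    """Log-safe rendering of an Authorization header (never log the real one)."""
    return header_value.split(" ", 1)[0] + " [redacted]"


def get_with_backoff(transport: Transport, url: str, api_key: str,
                     max_attempts: int = 4, base_delay: float = 0.5,
                     sleep: Optional[Callable[[float], None]] = None
                     ) -> Tuple[Response, List[float]]:
    """GET `url`, retrying on 429. Honors Retry-After when present, otherwise
    backs off exponentially. Returns the final response and the delays waited."""
    sleep = sleep or (lambda s: None)  # pass time.sleep in real use
    headers = {"Authorization": basic_auth_header(api_key),
               "Accept": "application/json"}
    waited: List[float] = []
    for attempt in range(max_attempts):
        resp = transport(url, headers)
        if resp.status != 429:
            return resp, waited
        retry_after = resp.headers.get("Retry-After")
        delay = float(retry_after) if retry_after else base_delay * (2 ** attempt)
        waited.append(delay)
        sleep(delay)
    raise RuntimeError(f"gave up after {max_attempts} attempts: still rate limited")


def make_fake_transport(limit_first_n: int) -> Transport:
    """Constructed transport: 401 without Basic Auth (every request must be
    authenticated), 429 with Retry-After for the first N calls, then 200."""
    calls = {"n": 0}

    def transport(url: str, headers: Dict[str, str]) -> Response:
        calls["n"] += 1
        if not headers.get("Authorization", "").startswith("Basic "):
            return Response(401, {}, b'{"error":"unauthorized"}')
        if calls["n"] <= limit_first_n:
            return Response(429, {"Retry-After": "1"}, b'{"error":"rate_limit"}')
        return Response(200, {"Content-Type": "application/json"}, b'{"ok":true}')

    return transport


if __name__ == "__main__":
    # Hypothetical endpoint; the key comes from the environment, never from source.
    key = os.environ.get("API_KEY", "example-key-not-real")
    resp, waits = get_with_backoff(make_fake_transport(2),
                                   "https://api.example.invalid/v1/lookup", key)
    print(resp.status, waits, redact(basic_auth_header(key)))
```

The retry loop treats 429 as the only retryable status; a 401 or 403 is returned immediately because retrying an authentication failure only burns the rate limit faster.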

Protecting Customer Data

Clearbit supports TLS 1.2 to protect communications between a customer web application and Clearbit systems. All data received from customers is encrypted at rest using AES-256. We strongly recommend that customers configure their webhook endpoints to require TLS 1.2 or later.
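On the receiving side of a webhook, “TLS 1.2+” is a property the endpoint must enforce and the sender must insist on. The following added example (not Clearbit’s code) shows the sender’s half: a check that a configured webhook URL is HTTPS and does not point at a loopback or private address, and a client TLS context that refuses protocol versions older than TLS 1.2 while keeping certificate and hostname verification on. The URL, hostnames and the private-address guard are assumptions added here for illustration.

```python
"""Added example (not Clearbit's code): validate a webhook URL and build a
client TLS context with TLS 1.2 as the floor. Hostnames are hypothetical."""
import ipaddress
import ssl
from dataclasses import dataclass
from typing import Any, Dict, Optional
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


@dataclass(frozen=True)
class WebhookCheck:
    ok: bool
    reason: str


def check_webhook_url(url: str) -> WebhookCheck:
    """Require https, a host, no credentials in the URL, and no loopback or
    private address (an added guard against a webhook pointing back inside
    the sender's own network)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return WebhookCheck(False, "scheme must be https")
    host = parts.hostname
    if not host:
        return WebhookCheck(False, "missing host")
    if parts.username or parts.password:
        return WebhookCheck(False, "credentials in URL are not allowed")
    if host == "localhost":
        return WebhookCheck(False, "loopback host not allowed")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    if addr is not None and (addr.is_loopback or addr.is_private or addr.is_link_local):
        return WebhookCheck(False, f"non-public address {host} not allowed")
    return WebhookCheck(True, "ok")


def tls_client_context() -> ssl.SSLContext:
    """CA verification and hostname checking stay on (create_default_context);
    the only change is refusing anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, Any]:
    """Plain-data view of the settings that matter, for tests and audits."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def deliver(url: str, body: bytes, ctx: Optional[ssl.SSLContext] = None,
            timeout: float = 5.0) -> int:
    """POST a webhook payload; raises ValueError before any network I/O if the
    URL fails the check. Returns the HTTP status."""
    check = check_webhook_url(url)
    if not check.ok:
        raise ValueError(check.reason)
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/json"})
    with urlopen(req, context=ctx or tls_client_context(), timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    for u in ("https://hooks.example.com/clearbit",
              "http://hooks.example.com/clearbit",
              "https://127.0.0.1/hook"):
        print(u, check_webhook_url(u))
    print(describe_context(tls_client_context()))
```

A receiver that has been configured to reject TLS 1.0 and 1.1 will make a handshake from this context succeed and a handshake from a legacy client fail, which is the behaviour the recommendation is asking for.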

Clearbit limits the number of personnel with access to information systems containing sensitive data. Access to customer data is provisioned only where a requirement to fulfill job duties exists (e.g. respond to a customer support case, resolve a technical issue requiring engineering input). This includes members of our customer support team and engineering who are full-time Clearbit employees; we do not outsource these functions.

Data is deleted from our systems using automated policy-based expiration periods once data has met the retention schedule. We also perform data removals through manual delete operations to fulfill an ad-hoc request (e.g. privacy request, contractual obligation).

Physical and Environmental Protection

Physical access controls to safeguard employees and protect systems that access, store, transmit, or process user information are implemented and include electronic access doors, video surveillance, security guards, visitor access controls, and security zones.

Data center equipment is protected from environmental threats using automatic fire detection and suppression equipment, climate control which prevents overheating and reduces the possibility of service outages, water leakage detection and removal and uninterruptible Power Supply (UPS) units to provide back-up power in the event of an electrical failure.

Monitoring

We have configured health-monitoring alerts covering database read/write errors, disk space utilization, free memory, CPU utilization, system scaling policies, service-specific alarms and HTTP errors, to help detect operational incidents early.

Incident response procedures are defined, documented, and approved by management. Alerts for potential malicious activity are monitored using a combination of sources to provide us with insight into container activity, tracking unauthorized file system access, suspicious network communications and process executions, and anomalous container events.

Business Continuity & Disaster Recovery

Customer data is backed up using automated policy-based scheduling and protected using AES-256 bit encryption. Any failures in the backup process would trigger an alert or automatically re-attempt the backup process depending on the database technology.

Clearbit has a disaster recovery plan that outlines roles and responsibilities for key personnel involved in business continuity, our plan to activate and respond to a disaster, target timelines, and testing requirements. Exercises are performed at least annually to assess the responsible parties’ understanding of the plan, their intended response, and their approach to recovering from a particular incident scenario.

Supplier Security

Our goal is to ensure our suppliers can uphold the same level of commitment to customers that we promise. We have established a Vendor Risk Management program that is used to evaluate new vendors and monitor existing vendors on an annual basis. Selection and renewal of suppliers require approval from security, finance, and legal counsel to provide oversight and management of vendor risk.

Incident Reporting

If you have any questions about Clearbit’s security program or you need to escalate a security concern, please contact us at security@clearbit.com or by phone to (888) 237-8136. We have a team responsible for security incident response that can assist.

To report an identified security vulnerability in our applications, please submit your report via this form.

Status

You can subscribe to real-time notifications about operational incidents and access status information about performance by visiting our status page at https://status.clearbit.com/uptime.
