Data Governance and Privacy at Clearbit
Overview
Clearbit is a B2B marketing data engine that helps businesses discover and attract more ideal prospects, personalize their marketing and sales interactions, and enrich and inform their go-to-market systems.
Our Services are designed to help our customers and partners in a wide variety of ways, including by helping them determine which companies might make the best customers, identify the contacts within those organizations by department, role or seniority that might improve or expedite their interactions with those companies, and personalize their interactions with those companies.
Clearbit processes B2B data for your use within a business context, regardless of where an individual is based, across all of our solutions. This is essentially information that is available on someone’s business card, email signatures or company websites. Clearbit does not collect or process sensitive personal data, such as health records, financial information, or economic status.
Our proprietary indexing systems ("Clearbit Indexers") collect information from a variety of sources in order to compile "Attribute Data" about corporations, non-profits, and similar entities ("Companies") and the professionals that work for them ("Professionals"). A complete list of Attribute Data we make available to users of the Site and Services (defined below) can be found at www.clearbit.com/attributes.
Clearbit acquires the data used in our Services from our customers that use certain enrichment services, from public datasets, from third-party paid sources, and from users of our free tools such as Clearbit Connect.
Data Privacy
At Clearbit, privacy and security are top priorities. Clearbit understands the importance of protecting the critical business and personal information entrusted to Clearbit by its customers.
Clearbit is a registered data broker in California, and is subject to CCPA (California Consumer Privacy Act) and other applicable US privacy laws. We’re aligned with the General Data Protection Regulation (GDPR) principles. We continue to bolster our already-strong data protection practices by continuously evaluating and updating our company privacy policies and practices.
For privacy inquiries, please contact privacy@clearbit.com.
Clearbit and the GDPR
The EU's General Data Protection Regulation (GDPR) strengthens the rights of EU individuals regarding how their personal data is used & collected.
Clearbit is headquartered in the United States. However, some of our enterprise customers may be based in the EU or engage in other activities that require them to comply with the GDPR.
Today, thousands of organizations rely on Clearbit as the data backbone for their cutting-edge sales & marketing efforts. We know that our customers take GDPR seriously and need vendors that can help accommodate their GDPR needs. Our legal, operations, and product teams therefore consistently ensure that we have appropriate product safeguards, policies, and knowledge to facilitate our customers' continued use of Clearbit via our Platform and APIs.
Legal basis
Some elements of Attribute Data are not collected from data subjects directly; the legal basis on which Clearbit processes such data includes the legitimate interest of both Clearbit and its business customers, among other legal bases as applicable depending on the context. Clearbit’s data is processed to provide business intelligence (for sales, marketing, and operations) and help organizations drive revenue by providing users with accurate and up-to-date business information.
Legitimate Interest
Many advanced privacy regimes require that personal data must be obtained and processed lawfully and fairly. Personal data should be collected and processed based on a legitimate purpose, after balancing the interests of the organization against the interests and rights of the individual whose data is processed.
The data collected by Clearbit is limited and does not contain any special categories of personal data or data related to children.
Although any personal information about data subjects that we provide our customers access to can be found on business social platforms or during the course of normal business correspondence, we do not collect data directly from the data subjects. As a result, they may not know that their data is in our database. They can always exercise their rights in relation to their data through our Privacy Request Form.
Finally, Clearbit follows data minimization principles and only collects data that are strictly necessary to achieve its purposes. Clearbit has processes in place to limit the data processed to business contact information which is professional in nature. Through our Privacy Request Form, individuals can claim control over their data.
Data subject rights
Clearbit operates in accordance with fundamental privacy principles that underlie global privacy regulations, with respect to an individual’s right to know what personal data is collected and how it is used or otherwise processed. Clearbit has features that support customers' ability to handle data subject requests, such as requests for access, correction, or erasure, by allowing individuals to access and modify applicable personal information via our Privacy Request Form.
Data deletion and retention
Clearbit periodically verifies the accuracy of all of the information in its databases. Data that is found to be inaccurate or out of date is removed from the database. In addition, we honor all opt-out requests so if any person requests deletion of their data, then such data would be deleted.
When a customer terminates their contract with us, upon request, we delete their account and remove any associations of such customer with any data in our databases promptly, and no later than 90 days after termination of their contract.
Data access
Clearbit enforces the “rule of least privilege” and has documented segregation of duties. We also enforce formal logical and account separation of the development, QA and production environments.
Data residency
Currently, Clearbit stores all its data on servers of US-based cloud companies. The GDPR doesn’t require personal data of EU citizens and residents to be only stored within the EU.
Subprocessors
We maintain a list of the subprocessors that we use as part of our products and services, including the activities and services performed by such subprocessors and their country location.
Privacy notices
Our privacy policy is available at https://clearbit.com/privacy.
We operate in accordance with internal privacy and data protection policies that are based on privacy principles that underlie international privacy regimes, including the GDPR and the California Consumer Privacy Act (CCPA). We actively monitor and intend to comply with any new applicable privacy laws.
Training and awareness
We require annual privacy and security training that’s mandatory for all Clearbit personnel. These trainings are actively tracked and regularly reviewed to help ensure compliance and relevance for our business activities. We also deliver periodic privacy and security communications to supplement required trainings, further reinforcing data privacy and data security best practices.
Governance and accountability
Clearbit’s privacy program is directed and overseen by the DPO and a team of dedicated professionals. IAPP-certified privacy professionals review company activity with privacy and data protection implications, assess compliance and make recommendations to help meet compliance requirements.
Privacy by design
Our product and engineering teams work closely with our global privacy team to embed privacy principles in our products and services and help ensure privacy compliance with respect to the various phases of product development, starting at concept, through requirements gathering, to implementation and release. Beyond product development activities, our privacy team drives our privacy by design approach on a corporate-wide basis, including assessing a variety of activities across the company involving personal data for privacy compliance.