This page covers the security-relevant features available in the ClarityQ product. Certifications and policies (SOC 2, GDPR, sub-processor lists) are maintained outside the product — reach out to your ClarityQ contact for the current documentation.Documentation Index
Fetch the complete documentation index at: https://docs.clarityq.ai/llms.txt
Use this file to discover all available pages before exploring further.
Authentication
ClarityQ uses Auth0 for identity. The following sign-in methods are supported:- Email and password — Standard email-based sign-in.
- Google sign-in — One-click sign-in for organizations using Google Workspace.
- SAML SSO — Federated sign-in through your identity provider (Okta, Azure AD, OneLogin, or any SAML-compliant IdP). When enabled, ClarityQ provisions new users automatically the first time they sign in through your IdP — there’s no separate invite step.
Access Control
Permissions are enforced by role. Every API call and UI action checks the calling user’s role against the permission required by the action. Roles can be assigned org-wide and overridden per product. Programmatic access uses product-scoped API keys, also subject to the role of the user who created them. Keys are created, listed, and revoked under Settings → API.Data Handling
- Warehouse connections — ClarityQ reads from your data warehouse using the credentials you provide during warehouse setup. Credentials are stored encrypted and used only by the agent and discovery jobs.
- Mandatory filters — Apply org-wide rules that scope every query the agent runs (see Filters).
- User deletion — Removing a user permanently deletes their chats, saved queries, dashboards, and other personal content. There’s no recovery, so transfer ownership of anything the team still needs before deleting the account.