> ## Documentation Index
> Fetch the complete documentation index at: https://docs.clarityq.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security and Compliance

> Authentication options, access control, and how ClarityQ handles your data.

This page covers the security-relevant features available in the ClarityQ product. Certifications and policies (SOC 2, GDPR, sub-processor lists) are maintained outside the product — reach out to your ClarityQ contact for the current documentation.

## Authentication

ClarityQ uses Auth0 for identity. The following sign-in methods are supported:

* **Email and password** — Standard email-based sign-in.
* **Google sign-in** — One-click sign-in for organizations using Google Workspace.
* **SAML SSO** — Federated sign-in through your identity provider (Okta, Azure AD, OneLogin, or any SAML-compliant IdP). When enabled, ClarityQ provisions new users automatically the first time they sign in through your IdP — there's no separate invite step.

To enable SAML SSO for your organization, contact your ClarityQ team. Once configured, the **Invite User** button on the User Management page is replaced with an **SSO Enabled** badge.

## Access Control

Permissions are enforced by [role](/admin/user-management-and-roles). Every API call and UI action checks the calling user's role against the permission required by the action. Roles can be assigned org-wide and overridden per product.

Programmatic access uses product-scoped **API keys**, also subject to the role of the user who created them. Keys are created, listed, and revoked under **Settings → API**.

## Data Handling

* **Warehouse connections** — ClarityQ reads from your data warehouse using the credentials you provide during [warehouse setup](/get-started/connect-your-data-warehouse). Credentials are stored encrypted and used only by the agent and discovery jobs.
* **Mandatory filters** — Apply org-wide rules that scope every query the agent runs (see [Filters](/admin/filters)).
* **User deletion** — Removing a user permanently deletes their chats, saved queries, dashboards, and other personal content. There's no recovery, so transfer ownership of anything the team still needs before deleting the account.

## Asking for More

Audit logs, IP allowlists, region selection, and similar controls aren't surfaced in the product UI today. If your organization needs any of these, reach out — we'll let you know what's available and what's on the roadmap.
