Privacy and security
Our approach to privacy
We collect non-personal information from every entity (human or automated) that accesses our websites, and we use that data for website analytics and optimization. If you request that we connect with you, you will need to give us contact information. You are not required to give us personal information, but many users choose to, and so we treat all provided contact information as if it were personal.
We occasionally have advertising or marketing campaigns on third party websites (such as LinkedIn). If you use a link from one of our campaigns, we will correlate the link with your browsing on our site. We do not use third party identifiers to track web activity on other sites or locations.
If you are a Clir user, you will provide us data as part of the services and analytics that we offer you. That data is typically non-personal (SCADA, meteorological, locations, etc.). You may also have user accounts on some (or all) of our services. These accounts do not need to have personal identifiers, but many clients choose to set up accounts with individual names and email addresses, so we treat the user account details as if they were all personal.
If you have technical or specific questions about cookies, pixels or other website technology, please contact us at compliance[at]clir[dot]eco.
We use Clir website browsing data for website analytics and improvements. If you request that we connect with you, then we will use your contact information for communication. We correlate browsing data with contact requests so that we know which parts of the website users find helpful.
If you are a user or customer of Clir, then you will be providing data for use in Clir services. If you use our online service platforms, we use website analytics to view activity on the platforms to improve our services. If you have given us information as part of your account creation, then that information will be correlated across the various platforms that you use.
We keep your personal data as long as we have a business requirement for it or until you request that we remove it. For non-personal data, our data models and analytics are trained on the data that our users explicitly provide. Those models are maintained, in perpetuity, as part of our service offering. Retention and management of ‘raw’ customer data is governed by the customer agreements under which it is supplied to Clir.
Clir is the controller of the data that we collect on all of our platforms, and we have several processors for our analytics and providing our services. We host our websites and services on Amazon Web Services (AWS) and Hubspot, on data centers that are in the US and the UK.
When our public website is accessed, we have three processors: Google (based in the U.S.), Hubspot (in their U.S. data center) and SalesViewer (based in Germany) for website analytics. On our Clir service platforms we use Google Analytics and we do our own internal logging in AWS and in the Clir tools and products.
If you request that we contact you, we use Hubspot’s integrated contact management tools as our data processing platform. If you are a user of Clir Portfolio (app.clir.eco), then we use Intercom as a data processor for analytics and to operate our knowledgebase. We use Auth0 as our data processor for Clir Portfolio user authentication.
We do not share your data with unrelated third parties unless required by law (which has not happened to date). If you request us to share your data with a third party (for example, as part of the Clir Risk product offering), then we will do so only at your direct request.
If you are a Clir customer, then our analysis of your data is used, in aggregate, to enhance and inform the analytics services that we provide to all of our customers. Nothing specific or private is ever shared between customers.
Yes. Salesviewer has the following information for your consideration:
This website uses SalesViewer® technology from SalesViewer® GmbH on the basis of the website operator’s legitimate interests (Section 6 paragraph 1 lit. f GDPR) in order to collect and save data for marketing, market research and optimisation purposes. In order to do this, a JavaScript-based code is used, which serves to capture company-related data and corresponding website usage. The data captured using this technology are encrypted in a non-retrievable one-way function (so-called hashing). The data is immediately pseudonymised and is not used to identify website visitors personally.
The data stored by Salesviewer will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them.
The data recording and storage can be repealed at any time with immediate effect for the future, by clicking on https://www.salesviewer.com/opt-out in order to prevent SalesViewer® from recording your data. In this case, an opt-out cookie for this website is saved on your device. If you delete the cookies in the browser, you will need to click on this link again.
You have the right to be in control of your personal information and we aim to comply with all applicable privacy legislation, including EU (GDPR), UK (GDPR), Brazilian (LGPD), US, and Canadian laws and guidelines.
At Clir, we believe you have the right to:
- Use our services and public websites without being required to give us personal information.
- Know if we have personal information about you, what that information is and whether we use the information for automated decision making.
- Ask that we correct, update, or delete personal information we have about you, and to receive an explanation if the request is not feasible.
- Get a copy of your personal data in a portable and simple format.
- Object to processing and revoke your consent if you ever change your mind.
If you have any suggestions, questions or concerns, or if you would like to make a request to exercise your privacy-related rights, please contact us at compliance[at]clir[dot]eco.
If you are not satisfied with our response to you, please reach out to the data authority in your jurisdiction and we will work with them to resolve the issue. Some local authorities are:
- Canadian CRTC website
- US FTC website
- European Data Protection Authorities
- Brazilian Autoridade Nacional de Proteção de Dados
Our approach to security
We train all our staff, whether developers or not, in security practices and compliance. Our developers get annual training in secure software development practices and support from every level of the organization for their security requirements. We believe that secure code needs good planning, excellent execution and ongoing improvement.
Our applications and services are designed with a ‘security in depth’ mindset. We host most of our services on AWS and we design our infrastructure components to have clear security boundaries and managed conduits between the boundaries.
Even though we design our systems to be secure, we don’t take our own word for it. We have constant security monitoring and real-time alerting in place for our online and offline services and devices. We use AWS native tooling, along with third party monitoring and our internally developed tools, to let us know when things are not right. In addition to real-time monitoring, we do weekly vulnerability scans, annual external penetration tests and compliance audits. Our compliance programs run year-round, with regular evidence collection and validation of our security program.
Clir has received SOC 2 Type 1 and Type 2 attestation reports. These reports are produced by external professional auditors to evaluate Clir's compliance with our policies and the effectiveness of our security controls. The most recent Type 2 report was completed in October 2023 and is available for review under an NDA. Clir’s compliance program is designed to exceed the Common Criteria guidelines laid out by the AICPA, and we are continuing to expand our program beyond the AICPA requirements. The SOC 2 attestation reports are available upon request to compliance[at]clir[dot]eco.
We value the contributions of users, amateur testers and security researchers. We do not have a cash bounty program at this time, but we would like to recognize any contributions you can make to our security posture.
For reporting purposes, our ‘in-scope’ services are the public website (https://clir.eco), the Clir Portfolio application (https://app.clir.eco) and the Explore service (https://explore.clir.eco).
If you are a security researcher, here are our requested guidelines for responsible testing:
- Don’t do automated scanning at a level that will degrade services or perform tests that will impact real users.
- Don’t disclose a vulnerability until we have addressed it.
- Don’t try to gain access to real users’ accounts or data.
- Don’t copy, change or destroy any live data.
When testing, we are especially looking for any issues that you can find related to:
- Database injection.
- Cross-site scripting or request forgery.
- Server-side request forgery.
- Remote code execution.
- Authentication weakness, access control issues or bypasses.
- Exposed internal tooling or dashboards.
- Anything else that we should know about.
We are not interested in findings that involve:
- Phished information from users or staff, including spam or social engineering.
- Denial of service or brute force attacks.
- Issues with best practices or policies.
- Spoofing content or non-compliant security headers.
- Email best practices.
- Frame handling on www.clir.eco.
If there is an issue that you would like to inform us about, please use the email address reporting[at]clir[dot]eco and we will address your concern promptly and confidentially.
If you have a concern of an ethical nature, please contact us at ethics[at]clir[dot]eco. We will treat your communication privately and confidentially.
If you notice or suspect a security issue, we want to know. Please email our team at security[at]clir[dot]eco.
Clir would like to thank these individuals who have contributed to our security posture:
- Nick Shaw
- Graeme Alkins
- Vaibhav Survase
If you are a customer or user of Clir's services, you share responsibility for keeping our software, services and data safe. The specific terms of your contract take precedence over these guidelines, but in general:
You agree to use strong credentials (and ideally to enable MFA on your accounts) and not to share credentials with unauthorized users.
You will not take actions that would cause degradation or disruption to our services, and you should use the services for their intended purposes.
You should not try to access data or services for which you are not authorized and, if you see or suspect a security or privacy breach, you should report it immediately.