Data Security and Privacy at Clearbit

Last Updated: April 14, 2022

Our privacy policy and terms of service can be found on our website. 

📝 Please note: Additional MSAs or agreements may be in place with your company that supersede these terms of service.

Physical Security & Disaster Recovery

Clearbit’s services are hosted on Amazon Web Services, which enforces strong physical security practices at its data centers (details about which can be found in this whitepaper). As described in the whitepaper, this includes, but is not limited to:

  • Nondescript, unmarked facilities
  • Strict physical access controls, including security staff, video surveillance, intrusion detection, and two-factor authentication
  • Logging and regular auditing of all employee access
  • Fire detection and suppression equipment
  • Fully redundant power supply, including the use of an Uninterruptible Power System and backup generators
  • Precise climate and temperature controls
  • Continuous monitoring and preventative maintenance of critical infrastructure
  • Storage device decommissioning process using techniques detailed in the NIST 800-88 guidelines

In addition to AWS’s physical security practices, Clearbit also adheres to the following practices with regard to its physical headquarters and offices:

  • Nondescript, unmarked facilities
  • Strict physical access controls, including security staff, video surveillance, and intrusion detection
  • Fire detection and suppression equipment
  • Logging and regular auditing of all employee access using an electronic access control system
  • Visitor access logging

Information and Data Security

  • Clearbit’s information security policy is reviewed with all new employees and available to all employees via Clearbit’s internal wiki
  • Employees are made aware of any information security policy updates and other security-related process updates
  • Clearbit’s network, application(s), and other services are subject to regular penetration testing
  • To report an identified security vulnerability in our services, please email us at
  • Clearbit’s network and AWS instances are continuously monitored for malicious and unauthorized behavior
  • Clearbit’s codebase is continuously and automatically scanned for critical vulnerabilities and other security issues

Device Management

A fleet management system is used to maintain a real-time inventory and manage all company laptops, allowing our team to enforce: 

  • Software updates and patches
  • Full hard disk encryption
  • Local firewall enablement
  • Password strength and re-use policies
  • Screen lock / idle timeout guidelines
  • Prevention of app installation from untrusted sources

Network Access

  • Access to internal Clearbit services requires a connection to Clearbit’s VPN
  • All network traffic to Clearbit services is encrypted via TLS
  • Sensitive data stores are protected using Amazon’s Virtual Private Cloud service, which restricts ingress and egress to known subnets
  • Access to production systems and other sensitive services is restricted to authorized employees only
  • Access rights are regularly audited and revoked the day an employee or contractor separates from Clearbit
  • The minimal level of access to Clearbit’s production systems required for the performance of an employee’s duties is enabled
  • All inbound email is scanned for viruses and other malware

Accounts and Passwords

  • Employees are required to use a password manager for all internal and third-party user accounts and are encouraged to use strong, frequently changed, random, non-shared passwords
  • Passwords to Clearbit user accounts are salted and hashed using industry standard encryption algorithms before storage
  • Clearbit user sessions expire after a period of inactivity


Amazon Web Services maintains certifications and is audited regularly to maintain SOC 2 and ISO 27001 compliance, as well as other programs (see the full list here). In addition, Clearbit’s credit card payment provider (Stripe) has been independently certified to PCI Service Provider Level 1 compliance and Clearbit’s use of Stripe addresses Clearbit’s PCI compliance obligations under SAQ A. No sensitive credit card data is stored on Clearbit’s services.


What kind of data does Clearbit collect?

In order to allow you to create segmentation based on intent data from website activity, Clearbit collects website pageview data from any page you place the Clearbit tag on, as well as any custom trait that you send us via an identify event or Segment. 

Additionally, if you explicitly authorize Clearbit to do so, Clearbit X syncs with your sales/marketing database (i.e., Salesforce). This data is deleted upon account termination.

Does Clearbit share my data with other customers?

Clearbit does not share your identifiable data with any third parties. 

What does Clearbit do with my data?

All account specific data is available exclusively for your use in Clearbit, and is deleted upon termination. However, we may combine that data in aggregate and anonymous form (removing any personally identifiable information or any account specific details) with other datasets and use it to train machine learning models and otherwise improve the quality of our data.