Evidence pack contents
- Summary hash:
cf51bcea154c94e7d51f774191ec0ee1fd2cc5db5a1ef611963fc5540e598582 - Audience:
website_safe_summary - Decision scenario count:
2 - Rejected decision scenario count:
1 - Unsupported claims:
[]
Security & TrustFor security and trust reviewers
Security review starts with the request boundary.
Clariva helps teams inspect what reaches the model provider, what gets blocked, and what evidence is created for sensitive AI workflows.
Current Posture
Reviewable artifacts before broad claims.
Clariva is early-stage and does not present SOC 2, ISO 27001, FedRAMP, or similar certifications as completed. During evaluation, Clariva can provide a reviewable control path, sample request artifacts, rejection examples, audit evidence, and data-boundary assumptions for the selected workflow.
DPA terms, subprocessor disclosures, IP ownership, BAA or HIPAA requirements, retention commitments, SLA terms, and support terms are handled through customer-side security, legal, and procurement review. This website does not present them as completed certifications, universal commitments, or substitutes for that review.
Evaluation Material
Evaluation review package
During scoping, Clariva can provide a review package for the selected workflow. It is not customer proof, certification evidence, or a security certification. It is a structured set of illustrative and workflow-specific materials to help reviewers understand the control path.
Website evidence examples are generated from controlled synthetic/test-tenant scenarios. They are useful for understanding the control model, but they are not production customer proof, certification evidence, or a deployment guarantee.
Harness validation
- npm run evidence:tier1: PASS
- npm run validate:static: PASS
- npm run validate:build: PASS
- npm run typecheck: PASS
- npm run test: PASS
Synthetic evidence checks shown
- Admitted and rejected synthetic decision artifacts exist: Shown in the current website-safe synthetic evidence pack.
- Artifacts include scenario/request/decision/policy/provider/audit fields: Shown in the current website-safe synthetic evidence pack.
- Artifacts are synthetic/test-tenant and deterministic: Shown in the current website-safe synthetic evidence pack.
Fail-Closed Evidence
Rejected paths remain outside provider execution.
The fail-closed matrix records controlled rejection scenarios and the provider-execution status associated with each scenario.
| Scenario | Failure class | Caller status | Provider execution | Evidence reference |
|---|---|---|---|---|
missing_proof | proof_or_challenge_rejected | 400 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
malformed_payload | request_rejected | 400 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
provider_route_mismatch | provider_route_rejected | 409 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
missing_runtime_config | configuration_invalid | 503 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
missing_challenge_config | proof_or_challenge_rejected | 404 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
replay_stale_proof | proof_or_challenge_rejected | 409 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
replayed_proof | proof_or_challenge_rejected | 409 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
invalidated_proof | proof_or_challenge_rejected | 409 | not_executed | d73cb44ef6887aca59c8c058e2048275d64a25c08ad86cd4abddf1aa2a7fd50e |
stale_challenge | proof_replay_rejected | 409 | not_executed | 9f11d5f0518ff656f7070ee2a48dac51242b6196a0c7ed8beb70e0a15b145112 |
reused_challenge | proof_replay_rejected | 409 | not_executed | 9f11d5f0518ff656f7070ee2a48dac51242b6196a0c7ed8beb70e0a15b145112 |
missing_proof | proof_replay_rejected | 409 | not_executed | 9f11d5f0518ff656f7070ee2a48dac51242b6196a0c7ed8beb70e0a15b145112 |
malformed_proof | proof_replay_rejected | 409 | not_executed | 9f11d5f0518ff656f7070ee2a48dac51242b6196a0c7ed8beb70e0a15b145112 |
mismatched_proof | proof_replay_rejected | 409 | not_executed | 9f11d5f0518ff656f7070ee2a48dac51242b6196a0c7ed8beb70e0a15b145112 |
tampered_proof | proof_replay_rejected | 409 | not_executed | 9f11d5f0518ff656f7070ee2a48dac51242b6196a0c7ed8beb70e0a15b145112 |
Data Boundary
Evidence surfaces define retained, omitted, transformed, and excluded fields.
Clariva's evaluation model is designed around bounded evidence surfaces. The approved data-boundary report identifies the fields retained for review, the payload content omitted, the values transformed into hashes or scoped references, and the data classes excluded from each evidence surface.
Depending on the selected workflow, transformation may occur before the request reaches the deployed control layer, inside Clariva's policy-driven sanitization step, or both. Evaluation defines which data classes are transformed, omitted, retained as metadata, or excluded from persistent evidence.
| Surface | Retained | Omitted | Transformed | Excluded |
|---|---|---|---|---|
decision_artifacts | requestId, organizationId, workspaceId, lifecycleState, effectivePolicyId, effectivePolicyVersion, policyDefinitionHash, verificationPolicyHash, canonicalPayloadHash, timelineHash, eventCount | requestBody, requestTextBody, providerTextBody, credentialMaterial | decision evidence stores scoped identifiers, policy hashes, lifecycle state, and recomputable audit hashes | unboundedPayloadContent, derivedTraceDetail, intermediateState, providerTextBody |
rejection_responses | requestId, organizationId, workspaceId, lifecycleState, lastErrorCode, summaryCode, reasonCodesJson, eventHash | requestBody, requestTextBody, providerTextBody, credentialMaterial | caller-facing rejection inputs are represented as reason codes, lifecycle status, and audit references | unboundedPayloadContent, secretValue, providerTextBody |
logs_telemetry | requestId, organizationId, workspaceId, eventType, category, severity, status, summaryCode, normalizedReasonCategory, eventHash | requestBody, requestTextBody, providerTextBody, credentialMaterial | log and telemetry evidence is reduced to audit categories, status, reason codes, and hashes | unboundedPayloadContent, derivedTraceDetail, secretValue, providerTextBody |
audit_exports | exportId, organizationId, workspaceId, queryHash, filtersJson, recordCount, contentHash, eventHash | requestBody, requestTextBody, providerTextBody, credentialMaterial | export manifests retain filter and content hashes plus scoped audit references | unboundedPayloadContent, secretValue, providerTextBody |
evidence_bundle | requestId, organizationId, workspaceId, contentHash, timelineHash, auditEventCount, deletedArtifactsJson | requestBody, requestTextBody, providerTextBody, credentialMaterial | bundle inputs contain hashes, counts, deletion flags, and scoped references only | unboundedPayloadContent, derivedTraceDetail, intermediateState, providerTextBody, secretValue |
replay_freshness | replayKey, expiresAt, createdAt | requestBody, providerTextBody, credentialMaterial | tenant workspace and integration identifiers are encoded by callers into replayKey | secretValue, oauthValue, providerTextBody |
challenge_lifecycle | canonicalKey, challengeType, status, issuedAt, expiresAt, consumedAt, invalidatedAt, terminalReasonCode, mobileChallengeNonce, mobilePolicyHash | requestBody, providerTextBody, credentialMaterial | proof challenge context is stored as bounded identifiers, hashes, status, and timestamps | secretValue, intermediateState, providerTextBody |
audit_storage | requestId, organizationId, workspaceId, eventType, category, severity, status, summaryCode, reasonCodesJson, eventHash, contentHash | requestBody, providerTextBody, credentialMaterial | event body is retained as bounded audit metadata and hashes | secretValue, requestBody, providerTextBody |
retention_delete_scope | retentionDeleteAfterAt, deletionRequestedAt, deletedAt, deletionReasonCode, complianceRecordHash, timelineHash, auditEventCount, deletedArtifactsJson | requestBody, providerTextBody, credentialMaterial | deletion evidence stores hashes, counts, actor metadata, and deletion flags | secretValue, requestBody, providerTextBody |
Source evidence hash: 6821d11e8ac00b5ae1faf63db440e6edb1696aaf11954d9fb1a73835b1eb7c60
Review Links
Related review material.
Technical reviewers can inspect sample request artifacts and common security questions before requesting an evaluation.
Boundary Clarity
What Clariva does not do
Clariva is designed to make the request boundary reviewable without turning the product into a general AI assistant or an unsupported compliance shortcut.
Scope limits
- Clariva does not replace your model provider.
- Clariva does not act as a general-purpose chatbot or AI assistant.
- Clariva's control layer is not designed to train or fine-tune models on customer request data. Customer-specific data handling, retention, and provider-routing terms are finalized during evaluation and contract review.
- Clariva does not claim SOC 2, ISO 27001, FedRAMP, or similar certification at this stage.
- Clariva does not allow a request that fails configured policy or proof checks to silently fall through to a provider.
- Clariva does not remove the need for your own security, privacy, legal, or procurement review.
Retention scoping
Clariva's default evaluation posture is to minimize persistent storage of sensitive payload content. During evaluation, Clariva and the customer define which request metadata, policy decisions, provider-route decisions, rejection reasons, and audit artifacts are retained, and which payload elements should be omitted or transformed before persistence.
Security & Trust Review
Review one AI workflow with concrete evidence.
Clariva can support a focused review of boundary, policy, provider routing, rejection, and audit behavior.