Security Overview

Estimated reading time: 8 minutes

How does clariBI protect your data? This overview covers authentication, encryption, access control, and data handling practices.

Authentication

clariBI uses secure token-based authentication for all requests. Tokens are short-lived and automatically refreshed.

  • Password requirements: minimum 8 characters
  • Multi-factor authentication (MFA): TOTP-based, using authenticator apps like Google Authenticator or Authy (Professional+ plans)
  • Session management: configurable session timeouts, ability to view and revoke active sessions
clariBI Settings Account tab with profile information and timezone preferences

Access Control

clariBI uses a 5-tier role-based access control (RBAC) system:

Role Permissions Description
Owner35Full access including billing and security settings
Administrator29Broad access, limited billing/security
Analyst14Analytics and reporting focus
Member8Standard access (default for new users)
Viewer6Read-only access

See RBAC Details for the full permission matrix.

Data Encryption

  • In transit: all connections use HTTPS/TLS. Database connections support SSL. The site enforces HSTS.
  • At rest: database credentials, OAuth tokens, and API keys for every connected data source (MCP catalog, native OAuth, REST API) are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before they touch the database. The encryption key lives in the platform secrets manager, not in application config. Decryption happens server-side at request time only.
  • AI processing: data sent to the AI processing service uses encrypted connections. The AI engine is provider-hosted and stateless against your data. See AI Limitations for the full data handling story.

Per-Organization Isolation

Every record clariBI stores (data sources, dashboards, reports, goals, MCP connections, credentials, audit log entries) carries an organization_id column. Every query against those records filters by the current request's organization. Cross-tenant access isn't policy-enforced; it's structurally impossible at the query layer. The same enforcement runs across the REST API, the admin views, and the Celery background workers, so there's no path where org filtering can be skipped.

MCP Catalog Security

The MCP catalog integrations follow six security principles documented in detail there. Summary:

  • Read-only scopes only; write tools are blocked at the per-vendor allowlist.
  • Fernet encryption at rest for every OAuth token.
  • Per-organization isolation (as above).
  • Disconnect = deleted in one transaction.
  • SSRF guard on Custom MCP URLs (https only, RFC1918 / cloud-metadata blocked).
  • Audit trail of connect/disconnect/use on Pro+.

Audit Logging

clariBI logs user actions for accountability and compliance:

  • Login and logout events
  • Data source connections and disconnections
  • Report generation and export
  • Dashboard creation and sharing
  • Role changes and user invitations
  • Settings changes

Audit logs are available on Professional+ plans. See Audit Logs.

API Keys

For programmatic access, generate API keys from Settings > Developer > API Keys. Keys can be given a name, description, and optional expiry date. See API Authentication.

clariBI Settings Developer tab showing API Keys section and API Documentation link

Security Guides

Ready to try clariBI?

Start your free 14-day trial. No credit card required.