Security Overview

How does clariBI protect your data? This overview covers authentication, encryption, access control, and data handling practices.

Authentication

clariBI uses secure token-based authentication for all requests. Tokens are short-lived and automatically refreshed.

  • Password requirements: minimum 8 characters
  • Multi-factor authentication (MFA): TOTP-based, using authenticator apps like Google Authenticator or Authy (Professional+ plans)
  • Session management: configurable session timeouts, ability to view and revoke active sessions

Access Control

clariBI uses a 5-tier role-based access control (RBAC) system:

Role            Permissions   Description
Owner           35            Full access including billing and security settings
Administrator   29            Broad access, limited billing/security
Analyst         14            Analytics and reporting focus
Member          8             Standard access (default for new users)
Viewer          6             Read-only access

See RBAC Details for the full permission matrix.

Data Encryption

  • In transit: all connections use HTTPS/TLS. Database connections support SSL. The site enforces HSTS.
  • At rest: database credentials, OAuth tokens, and API keys for every connected data source (MCP catalog, native OAuth, REST API) are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before they touch the database. The encryption key lives in the platform secrets manager, not in application config. Decryption happens server-side at request time only.
  • AI processing: data sent to the AI processing service uses encrypted connections. The AI engine is provider-hosted and stateless against your data — see AI Limitations for the full data handling story.

Per-Organization Isolation

Every record clariBI stores (data sources, dashboards, reports, goals, MCP connections, credentials, audit log entries) carries an organization_id column. Every query against those records filters by the current request's organization. Cross-tenant access is not just forbidden by policy; it is structurally impossible at the query layer. The same enforcement runs across the REST API, the admin views, and the Celery background workers, so there's no path where org filtering can be skipped.

MCP Catalog Security

The MCP catalog integrations follow six security principles documented in detail there. Summary:

  • Read-only scopes only — write tools are blocked at the per-vendor allowlist.
  • Fernet encryption at rest for every OAuth token.
  • Per-organization isolation (as above).
  • Disconnect = deleted in one transaction.
  • SSRF guard on Custom MCP URLs (https only, RFC1918 / cloud-metadata blocked).
  • Audit trail of connect/disconnect/use on Pro+.
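
The SSRF guard bullet above, sketched as an added example (not clariBI's own code): https only, with RFC1918 and cloud-metadata addresses refused. The function names, the injectable resolver, and the sample hostnames and DNS answers are assumptions constructed for illustration, and the check goes slightly beyond the bullet by refusing every non-global address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_public_address(text):
    """True only for globally routable addresses (rejects RFC 1918, loopback,
    and link-local 169.254.0.0/16, where cloud metadata services live)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules still apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def check_custom_mcp_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason). `resolver` is injectable so checks run offline."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = {info[4][0] for info in resolver(host, port, type=socket.SOCK_STREAM)}
    except OSError:
        return False, "host does not resolve"
    # Every resolved address must be public; one internal record is enough to refuse.
    if not addrs or any(not is_public_address(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS answers standing in for real lookups.
    fake_dns = {"mcp.example.com": "93.184.216.34", "intranet.example.com": "10.1.2.3"}

    def resolver(host, port, **_):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (fake_dns.get(host, host), port))]

    for u in ("https://mcp.example.com/sse", "http://mcp.example.com/sse",
              "https://intranet.example.com/", "https://169.254.169.254/latest/"):
        print(u, check_custom_mcp_url(u, resolver))
```

A check like this only holds if the HTTP client then connects to the address that was validated and the check is repeated on every redirect; otherwise a later DNS lookup can return a different answer.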

Audit Logging

clariBI logs user actions for accountability and compliance:

  • Login and logout events
  • Data source connections and disconnections
  • Report generation and export
  • Dashboard creation and sharing
  • Role changes and user invitations
  • Settings changes

Audit logs are available on Professional+ plans. See Audit Logs.

API Keys

For programmatic access, generate API keys from Settings > Developer > API Keys. Keys can be given a name, description, and optional expiry date. See API Authentication.
