Built for organizations that take security seriously
Multi-factor authentication, OAuth and SAML SSO, org-wide audit logging, session management, and export-on-demand. Everything you need to clear an InfoSec review.
InfoSec questionnaires are where most BI tools die
You find a BI tool your team loves. You send the InfoSec questionnaire. It comes back marked "missing: MFA enforcement, SAML SSO, audit export, session controls." The purchase stalls for three months while you figure out compensating controls.
clariBI is built to pass that questionnaire on the first read. Authentication, authorization, and auditing are first-class features, not checkboxes added in response to a lost deal.
"We have MFA... via SMS"
SMS MFA is phishable and SIM-swappable. If your BI tool's MFA is SMS-only, it's not actually MFA for any threat model you care about.
SSO as an expensive upsell
The "SSO tax", where the BI vendor doubles your bill to unlock SAML, is a punishment for doing the right thing.
Audit logs you can't export
"Yes, we log everything. No, you can't download it." That's not an audit trail, that's a marketing claim.
No way to kill a stale session
An employee leaves and their laptop is still logged in. Without session management, your only option is hoping the token expires on its own.
Security features that actually ship
Not aspirations. Not roadmap items. Features you can turn on today.
Multi-factor authentication Pro+
TOTP-based authenticator apps (Google Authenticator, Authy, 1Password, etc.) plus backup recovery codes. Per-user enforcement and brute-force lockouts on repeated failures.
SMS MFA is intentionally disabled — it's phishable and SIM-swappable and we don't ship security theatre.
- ✓ TOTP compatible with any standard authenticator app
- ✓ Backup codes for device loss
- ✓ Org-wide enforcement policy
OAuth & SAML SSO Pro+ / Ent
Sign in with Google, Microsoft, GitHub, or LinkedIn on Professional. SAML 2.0 with Okta, Azure AD, OneLogin, or any SAML-compliant identity provider on Enterprise, with multi-provider support for different teams.
New users can be provisioned automatically from your existing IdP. No more "I forgot my password" tickets.
- ✓ Google, Microsoft, GitHub, LinkedIn OAuth
- ✓ SAML 2.0 with any compliant IdP (Enterprise)
- ✓ Multi-provider support per team (Enterprise)
Org-wide audit trail & export Pro+ / Ent
Every login, permission change, API call, dashboard share, role modification, and failed auth attempt is logged. Searchable, filterable, and retained.
Enterprise adds on-demand export as JSON or CSV for your own retention, downstream SIEM ingestion, or compliance review. Schedule periodic exports for continuous archival.
- ✓ Searchable, filterable audit viewer (Pro+)
- ✓ On-demand JSON/CSV export (Enterprise)
- ✓ Scheduled export jobs (Enterprise)
Session management & anomaly detection Pro+
See active sessions for any user, kill them remotely, and get alerts on anomalies: new device, new country, impossible travel (two logins from different continents within an hour).
Configurable idle-timeout policies organization-wide. When someone leaves the company, revoke all their sessions from the admin panel in one click.
- ✓ Active session inventory per user
- ✓ Remote kill from the admin panel
- ✓ New device / new country / impossible travel alerts
- ✓ Configurable idle-timeout policy
Built for organizations under security review
The teams most BI tools lose to InfoSec.
Companies running InfoSec reviews
If your procurement process includes a security questionnaire, clariBI is designed to answer "yes" to most of it without compensating-control essays. MFA, SSO, audit export, and session management are all checkable line items.
Pass the review, close the deal, stop losing weeks to back-and-forth with InfoSec.
Regulated industries adopting BI
Financial services, healthcare-adjacent, legal, and other industries with strict access governance need audit trails that are complete, tamper-evident, and exportable. clariBI supports your compliance program without pretending to be a certified compliance tool.
The audit trail is comprehensive enough to satisfy internal auditors.
Teams tracking contractor access
Combine session management with granular RBAC to track exactly what contractors did and when. Kill their sessions the moment the contract ends. Export the audit trail for the project file.
Clean offboarding, every time.
Orgs migrating from homegrown BI
Your internal dashboard tool doesn't have audit logging, MFA enforcement, or SSO. Migrating to clariBI gives you all three at once without a multi-year platform project.
Kill the tool-nobody-maintains and upgrade your security posture in the same week.
Supported identity providers
OAuth providers are available on Professional. SAML 2.0 providers are available on Enterprise.
More security capabilities
Smaller features that matter in aggregate when you're protecting a real business.
Encrypted at rest and in transit
Database encryption at rest, TLS 1.2+ in transit. Data source credentials encrypted separately with a rotating key.
Failed-login alerts
Org owners get notified when a user hits repeated login failures. Cross-reference with audit logs to identify account targeting attempts.
Password policy enforcement
Minimum length, complexity, and rotation policies configurable organization-wide. New passwords checked against common breach datasets.
IdP group-based role mapping
On Enterprise, map IdP group claims to clariBI roles. Members of "Finance-Leads" in your IdP become Analysts in clariBI automatically.
Backup MFA codes
Users generate a set of one-time backup codes when they enable TOTP. Losing the authenticator phone doesn't mean losing the account.
Scheduled audit export
Enterprise customers can schedule nightly or weekly audit exports to an object store. Feed it straight into your SIEM.
Under the hood
Authentication runs through Django's battle-tested auth layer, extended with TOTP, OAuth, and SAML support. JWT access tokens are short-lived; refresh tokens are rotated on every use and can be revoked instantly from the session manager.
The audit trail is written to a dedicated append-only table with an immutable row hash, so modifications are detectable. A background worker flushes audit events asynchronously so your request latency isn't affected by log writes.
Session anomaly detection runs on a periodic job that looks at recent login geolocations, device fingerprints, and inter-login travel time. Alerts fire when something unusual is detected — no machine learning magic, just sensible heuristics.
JWT with rotating refresh tokens
Short-lived access tokens. Refresh tokens rotate on every use. Revocation is instant and global.
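The rotation and revocation flow the card above describes, as an added example that is not clariBI's code. `SessionStore`, `Session`, the TTL values and the colon-separated "access token" are all hypothetical stand-ins (the product issues signed JWTs); the one behaviour added beyond the page is that presenting an already-rotated refresh token is treated as theft and kills the session.

```python
# Added illustration of short-lived access tokens with rotating refresh tokens
# and instant revocation. Not clariBI's code: SessionStore, Session and the
# TTL values are hypothetical, and the "access token" is a plain string where
# the real product would issue a signed JWT.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_TTL = 300           # access token lifetime in seconds (assumed: 5 minutes)
REFRESH_TTL = 14 * 86400   # refresh token lifetime in seconds (assumed: 14 days)


@dataclass
class Session:
    user: str
    refresh_hash: str      # only a hash of the currently valid refresh token is stored
    expires_at: float
    revoked: bool = False


class SessionStore:
    """In-memory stand-in for the server-side session inventory (hypothetical)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.sessions: Dict[str, Session] = {}   # session id -> Session
        self.issued: Dict[str, str] = {}         # hash of every refresh token ever issued -> session id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _access_token(self, sid: str, user: str) -> str:
        # Stand-in for a signed JWT: session id, subject and expiry.
        return f"{sid}:{user}:{int(self.now()) + ACCESS_TTL}"

    def _issue_refresh(self, sid: str, session: Session) -> str:
        refresh = secrets.token_urlsafe(32)
        session.refresh_hash = self._hash(refresh)
        self.issued[session.refresh_hash] = sid
        return refresh

    def login(self, user: str) -> Tuple[str, str, str]:
        """Start a session; returns (session_id, access_token, refresh_token)."""
        sid = secrets.token_urlsafe(16)
        session = Session(user=user, refresh_hash="", expires_at=self.now() + REFRESH_TTL)
        self.sessions[sid] = session
        return sid, self._access_token(sid, user), self._issue_refresh(sid, session)

    def refresh(self, refresh: str) -> Optional[Tuple[str, str]]:
        """Rotate: the presented refresh token is consumed and a new pair is issued."""
        h = self._hash(refresh)
        sid = self.issued.get(h)
        if sid is None:
            return None
        session = self.sessions[sid]
        if session.revoked or self.now() > session.expires_at:
            return None
        if session.refresh_hash != h:
            # A previously rotated-away token is being presented again. Assumption
            # beyond the page: treat replay as theft and revoke the whole session.
            session.revoked = True
            return None
        return self._access_token(sid, session.user), self._issue_refresh(sid, session)

    def check_access(self, access: str) -> bool:
        """Resource-side check: expired or revoked sessions are rejected immediately."""
        sid, _user, exp = access.split(":")
        session = self.sessions.get(sid)
        if session is None or session.revoked:
            return False
        return self.now() <= int(exp)

    def revoke_user(self, user: str) -> int:
        """Admin 'kill all sessions' for offboarding; returns how many were revoked."""
        count = 0
        for session in self.sessions.values():
            if session.user == user and not session.revoked:
                session.revoked = True
                count += 1
        return count

    def active_sessions(self, user: str) -> List[str]:
        """Session ids still usable for the given user (the admin-panel inventory)."""
        return [sid for sid, s in self.sessions.items()
                if s.user == user and not s.revoked and self.now() <= s.expires_at]
```

Storing only a hash of the live refresh token means a database read does not yield usable credentials, and `check_access` looking up the session on every request is what makes revocation take effect before the access token's own expiry.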
Append-only audit table
Dedicated Postgres table with row hashes so tampering is detectable. Background-flushed so it doesn't slow requests.
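The tamper-evident audit table the card above describes, as an added example that is not clariBI's code. The page states an immutable per-row hash in Postgres; the chaining of each row's hash to the previous one, the `AuditLog` class and the sample events are assumptions added here, chosen so that editing, deleting or reordering an interior row is detectable.

```python
# Added illustration of a hash-chained, append-only audit log in which each
# row's hash also covers the previous row's hash. Not clariBI's code: the page
# describes an immutable per-row hash in Postgres; chaining the rows is an
# assumption added here so that deletion or reordering is detectable as well.
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS_HASH = "0" * 64   # prev_hash of the first row


def row_hash(prev_hash: str, seq: int, event: Dict[str, Any]) -> str:
    # Canonical JSON so identical events hash identically regardless of key order.
    payload = json.dumps({"seq": seq, "event": event}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()


class AuditLog:
    """In-memory stand-in for the append-only audit table (hypothetical)."""

    def __init__(self) -> None:
        self.rows: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> str:
        """The only operation the application layer gets: add a row, return its hash."""
        prev = self.rows[-1]["row_hash"] if self.rows else GENESIS_HASH
        seq = len(self.rows) + 1
        row = {"seq": seq, "event": dict(event), "prev_hash": prev,
               "row_hash": row_hash(prev, seq, event)}
        self.rows.append(row)
        return row["row_hash"]

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the seq of the first bad row, or None if intact."""
        prev = GENESIS_HASH
        expected_seq = 1
        for row in self.rows:
            if (row["seq"] != expected_seq
                    or row["prev_hash"] != prev
                    or row["row_hash"] != row_hash(prev, row["seq"], row["event"])):
                return expected_seq
            prev = row["row_hash"]
            expected_seq += 1
        return None

    def head(self) -> str:
        """Latest row hash; anchoring it outside the database catches a full rewrite or truncation."""
        return self.rows[-1]["row_hash"] if self.rows else GENESIS_HASH

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape a SIEM ingests (constructed format)."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.rows)


# Constructed sample events in the categories the page lists.
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "action": "login", "outcome": "success", "ip": "203.0.113.10"},
    {"actor": "bob@example.com", "action": "login", "outcome": "failure", "ip": "198.51.100.7"},
    {"actor": "alice@example.com", "action": "role.change", "target": "bob@example.com", "role": "Analyst"},
]


def demo_tamper_detection() -> Optional[int]:
    """Build a log, silently edit the second row, and report which row verify() flags."""
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    assert log.verify() is None
    log.rows[1]["event"]["outcome"] = "success"   # simulated after-the-fact edit
    return log.verify()   # -> 2
```

One caveat the chain alone does not solve: truncating the newest rows leaves a valid shorter chain, so `verify()` still passes. That is why `head()` exists; recording the latest hash somewhere the database cannot rewrite (the scheduled export to your own object store is a natural place) turns truncation and whole-chain rewrites into detectable mismatches too.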
Anomaly detection heuristics
Looks at recent geolocations, device fingerprints, and travel time. Simple, explainable, and tuneable.
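The three heuristics the card above names (new device, new country, impossible travel), as an added example that is not clariBI's code. `Login`, `check_login`, the speed and minimum-distance thresholds and the sample logins are all constructed here; the page gives "different continents within an hour" as its illustration, and this generalises it to a great-circle distance over elapsed time.

```python
# Added illustration of the login anomaly heuristics described above (new device,
# new country, impossible travel). Not clariBI's code: Login, check_login and the
# thresholds are hypothetical, and the sample logins are constructed.
import math
from dataclasses import dataclass
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0      # assumed: ignore IP-geolocation jitter within a metro area


@dataclass(frozen=True)
class Login:
    user: str
    ts: float        # unix seconds
    lat: float
    lon: float
    country: str     # ISO 3166-1 alpha-2 from IP geolocation
    device: str      # device fingerprint


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_login(history: List[Login], new: Login) -> List[str]:
    """Return the alert names a new login triggers against that user's prior logins."""
    prior = [l for l in history if l.user == new.user and l.ts <= new.ts]
    if not prior:
        return []   # first login ever: nothing to compare against, so no alert
    alerts: List[str] = []
    if new.device not in {l.device for l in prior}:
        alerts.append("new_device")
    if new.country not in {l.country for l in prior}:
        alerts.append("new_country")
    last = max(prior, key=lambda l: l.ts)
    distance = haversine_km(last.lat, last.lon, new.lat, new.lon)
    hours = (new.ts - last.ts) / 3600.0
    # Impossible travel: far enough apart that jitter cannot explain it, and faster than any flight.
    if distance >= MIN_DISTANCE_KM and (hours <= 0 or distance / hours > MAX_PLAUSIBLE_KMH):
        alerts.append("impossible_travel")
    return alerts


# Constructed sample: alice's normal login from London on her usual laptop.
T0 = 1_700_000_000
HISTORY = [Login("alice", ts=T0, lat=51.5074, lon=-0.1278, country="GB", device="fp-laptop")]

# Constructed follow-up logins to evaluate against that history.
SAMPLES: Dict[str, Login] = {
    "ny_one_hour_later": Login("alice", T0 + 3600, 40.7128, -74.0060, "US", "fp-phone"),
    "paris_next_day": Login("alice", T0 + 20 * 3600, 48.8566, 2.3522, "FR", "fp-laptop"),
    "london_again": Login("alice", T0 + 7200, 51.5074, -0.1278, "GB", "fp-laptop"),
}


def run_samples() -> Dict[str, List[str]]:
    """Evaluate each sample login against HISTORY; returns alert names per sample."""
    return {name: check_login(HISTORY, login) for name, login in SAMPLES.items()}
```

The minimum-distance floor matters in practice: IP geolocation for the same office can wander tens of kilometres between lookups, and without it every lunchtime re-login from a mobile hotspot would fire the impossible-travel alert and train people to ignore it.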
Clear the InfoSec review on the first pass.
MFA, SSO, audit export, session management. All included on Professional and Enterprise.
Hardening your clariBI org in 30 minutes
The security settings every team should turn on.
Enforce MFA org-wide
Turn on the "require MFA for all users" policy. Existing users are prompted to enroll on their next login; new users enroll during onboarding. Total effort: a few clicks plus a heads-up Slack message to your team.
Connect your SSO provider
On Professional, switch logins to Google / Microsoft / GitHub / LinkedIn OAuth. On Enterprise, configure SAML to your Okta, Azure AD, or OneLogin tenant. Disable password login once you're confident SSO is working.
Set a session idle timeout
Pick an idle timeout that matches your risk profile. 30 minutes is a good default for internal use; 15 for regulated industries; 8 hours if your team lives in the tool all day. It's enforced org-wide, so users can't override it.
Schedule audit log reviews
Put a recurring 30-minute block on your calendar once a month to scan the audit log for unusual patterns: failed logins, new-device alerts, permission escalations. On Enterprise, pipe the log into your SIEM and let it do the work.
How we think about security
The principles behind clariBI's auth and audit design.
Security theatre is worse than no security
SMS MFA feels secure but is trivially phishable and SIM-swappable. A "compliance certification" with no teeth is worse than honest "we're not certified" wording. We ship controls that actually work and we're honest about what we don't have yet.
SSO is not a premium upsell
The "SSO tax" — where BI vendors charge extra for the single security control most enterprises require — is indefensible. We include OAuth SSO on Professional and reserve SAML for Enterprise because of IdP-integration support cost, not as a pricing lever.
Audit logs you can actually use
An audit log you can't export, search, or filter is just a feature checkbox. clariBI audit logs are searchable from day one, exportable on Enterprise, and structured so they drop cleanly into any SIEM that speaks JSON.
Session control is offboarding control
When a person leaves your company, the last thing you want is their laptop staying logged in for days because the access token hasn't expired yet. Session management lets you kill everything in one click and sleep at night.
Defense in depth, not defense in one place
No single control is sufficient. MFA protects the login. RBAC protects the authorization. Audit logs protect the investigation. Session management protects offboarding. Together they form overlapping layers that each compensate for the others' weaknesses.
Honest about what we don't have yet
WebAuthn, SCIM, and a formal bug bounty program are on the roadmap but not yet shipped. We'd rather be transparent about that than pretend to have them. If a capability isn't listed on this page, assume it's not in the product today.
Security features across plans
What's included at each tier.
| Feature | Starter | Professional | Enterprise |
|---|---|---|---|
| Password auth | Yes | Yes | Yes |
| TOTP MFA | No | Yes | Yes |
| OAuth SSO (Google, MS, GH, LI) | No | Yes | Yes |
| SAML 2.0 SSO | No | No | Yes |
| Audit trail viewer | No | Yes | Yes |
| Audit log retention | — | 90 days | 1 year+ |
| Audit export (JSON/CSV) | No | No | Yes |
| Session management | No | Yes | Yes |
| Anomaly alerts | No | Yes | Yes |
| IdP group-based role mapping | No | No | Yes |
See pricing for full plan details.
Audit & Security FAQ
Common questions from InfoSec reviewers.
Do you support SCIM provisioning?
SCIM user provisioning is on the Enterprise roadmap. Today, SAML SSO supports just-in-time provisioning when a user logs in for the first time, and role assignment via IdP group claims is supported on Enterprise.
How long are audit logs retained?
Professional retains 90 days of audit events. Enterprise retains 1 year by default, with longer retention available on request. On Enterprise you can also export to your own SIEM for indefinite retention on your side.
Can I configure session timeouts?
Yes. Owners can set an organization-wide idle timeout from the Security Settings page. Individual users cannot override the org policy.
Do you support hardware security keys (WebAuthn)?
WebAuthn/FIDO2 support is on the roadmap. Today, MFA uses TOTP authenticator apps plus backup recovery codes, which covers the vast majority of phishing-resistant MFA use cases.
How does SSO work with the trial?
OAuth SSO (Google, Microsoft, GitHub, LinkedIn) is available as a sign-in option on all plans including the 14-day trial. SAML SSO is an Enterprise feature and is configured once you're on an Enterprise plan.
How is data encrypted?
Database volumes are encrypted at rest using standard disk-level encryption. All traffic between clients and the clariBI API is TLS 1.2 or higher. Data source credentials are encrypted separately with a rotating key so even a database dump doesn't expose the downstream credentials.
What identity providers are supported for SAML?
Any SAML 2.0 compliant IdP works — Okta, Azure AD, OneLogin, JumpCloud, PingFederate, and others. We've tested the most common ones end-to-end. If you run into issues with a less common IdP, reach out and we'll help you configure it.
Do you have a bug bounty or vulnerability disclosure program?
We welcome responsible disclosure of security issues. Email our security team with details and a reproduction, and we'll acknowledge within one business day. A formal bug bounty program is on the roadmap for Enterprise customers.
Where can I read your security whitepaper?
Reach out to your clariBI contact or contact us and we'll share our current security documentation, subprocessor list, and architecture overview under NDA.