TRUST CENTER
Built to handle your revenue data with care
ClearSync connects your Stripe billing data to HubSpot. We take our responsibility to handle that data seriously. Here's exactly how we do it.
Last updated: March 19, 2026
OUR APPROACH
ClearSync security principles
A few commitments that shape every decision we make about how your data is handled.
Read-only by design
ClearSync reads subscription and revenue data from Stripe and writes derived metrics to HubSpot. We never modify your Stripe billing data, payment methods, or customer records. Your billing system stays untouched.
Minimal data collection
We read only what's necessary: subscription IDs, invoice & billing metadata, & email address. We don't collect or store full payment card numbers, CVVs, bank details, or sensitive credentials.
You control your data
ClearSync does not sell, share, or monetize your customer data. When you delete your account, your data is deleted from our systems. You can request full data deletion at any time via our self-service tools.
Secure authentication
All access to the ClearSync platform is gated through Clerk, our third-party identity provider, supporting SSO and organization-based access. Production system access is limited to authorized personnel only.
DATA FLOW
What data we read and where it goes
ClearSync sits between Stripe and HubSpot. Here's the complete picture of how data moves.
Stripe
We read subscription metadata, invoice data, MRR events. We use read-only Stripe access.
ClearSync
We push derived Stripe subscription & MRR data to ClearSync.
HubSpot
We push subscription records, MRR change event records, and company & contact records from ClearSync to HubSpot.
What we read from Stripe
Subscription IDs, status, product info, billing interval, recurring line item payments, invoice events, customer ID, billing email, and payment method descriptor (card brand + last 4 only).
What we write to HubSpot
ClearSync Subscription app object records, ClearSync Event app object records, associated to existing Company and Contact records, or records we create. We never overwrite your existing HubSpot CRM data.
What we never access
Full card numbers, CVVs, bank account details, Stripe secret keys, HubSpot private content, passwords, or any data outside the defined integration scope.
SUBPROCESSORS
Third-party services we use
ClearSync uses the following subprocessors to deliver the service. We will notify customers at least 10 business days in advance of any changes to our subprocessor list.
TECHNICAL SECUIRTY
Encryption & infrastructure controls
Industry-standard protections at every layer of the stack.
Encryption in Transit
All data transmitted between your browser, the ClearSync service, & third-party APIs is encrypted using industry-standard TLS protocols. No data is transmitted over unencrypted connections.
Encryption at Rest
Customer data stored in ClearSync's database is encrypted at rest using AES-256 encryption provided by our cloud infrastructure and managed database provider (Neon).
Access Control
Access to the ClearSync application is managed through Clerk, which supports Google SSO login & organization-level access controls. Production access is restricted to authorized ClearSync personnel only.
Logging & Monitoring
The service maintains application and access logs for operational monitoring, troubleshooting, and security audit purposes. Logs are access-restricted and retained for a defined period.
CERTIFICATIONS
SOC 2 Status
Data Processing Agreement
Our DPA is available to all customers and prospects. It covers GDPR, CCPA, EEA Standard Contractual Clauses, and UK GDPR.
EEA & UK Transfers Covered
EEA Standard Contractual Clauses (Module 2 & 3) and UK GDPR Addendum are incorporated by reference. Governing Member State: Netherlands.
Approved Subprocessors Disclosed
All three subprocessors (Neon, Clerk, Render) are named in the DPA with their location, role, and data processing scope.
Data Deletion Rights
Customers can request full data deletion at any time via self-service account deletion or by contacting support@clearsync.ai.
72-Hour Breach Notification
In the event of a confirmed security incident, ClearSync commits to notifying affected customers within 72 hours of confirmation.
RESPONSE & CONTACT
Security incident response
How we handle and communicate security events.
Incident Response Timeline
Within 1 business day: We acknowledge receipt of any reported vulnerability or security concern.
Within 2 business days: Initial severity assessment completed and communicated.
Within 72 hours of confirmed breach: Affected customers notified with full details of the incident, categories of data involved, and recommended next steps per our DPA and GDPR Article 33.
Contact Us
For security reviews or compliance questions, contact us directly:
Security & Privacy:
security@clearsync.ai
General support:
support@clearsync.ai
Mailing address:
ClearSync, Inc.
125 Mt. Auburn St. #380773
Cambridge, MA 02238, USA
Relevant policies: Privacy Policy, Terms of Service