This Security Overview / Security Addendum provides a high-level summary of the current security posture, architectural safeguards, and operational considerations for the Services provided by Klarefi B.V. ("Klarefi," "we," "us," or "our"). Klarefi is an intake operating system for regulated businesses and may support hosted intake, document upload, operator workspace functions, workflow execution, AI-assisted extraction and routing, audit-relevant logs, and enterprise administrative controls.

This document is intended to support customer diligence, procurement, and security review. It should be read together with the applicable customer agreement, order form, data processing addendum ("DPA") where applicable, and any implementation-specific documentation. Some controls and security characteristics depend on product configuration, deployment model, subscribed plan, or separately documented operational practices.

Klarefi is responsible for operating and securing the application and service components under Klarefi's control, providing platform capabilities for authentication, authorization, logging, workflow control, and audit support, maintaining reasonable application security and vulnerability-management practices, and responding to security incidents affecting Klarefi-controlled systems.

Customers remain responsible for determining what information is collected and processed through their workflows, configuring prompts, routing rules, review thresholds, retention settings where available, and human-review steps, administering users and organizational access, and deciding whether any automated output is appropriate for their legal, regulatory, or operational requirements. Klarefi supports workflow execution and information handling, but final workflow governance and final business or regulated decisions remain the customer's responsibility.

Klarefi supports authenticated access to operator and administrative surfaces. Enterprise identity features may include organization-linked identity controls and single sign-on ("SSO") where implemented and enabled for the customer's environment.

WorkOS may be used to support identity, login, organization membership, and SSO-related flows. Access to some enterprise features may also depend on subscribed entitlements, commercial packaging, or implementation-specific configuration. This overview does not imply that every identity feature is available in every deployment or plan.

Klarefi is designed to use organization-scoped roles and permission-based access patterns to limit access to case-related, workflow, administrative, privacy, developer, and billing functions. Organization membership and role assignments may be used as RBAC inputs, and permissions may be mapped by role. Some enterprise controls may also be gated by plan entitlements.

Effective authorization depends on accurate customer administration of users, roles, organizational membership, and deprovisioning. Customer user administration remains an important part of the overall security posture even where enterprise authentication and entitlement controls are enabled.

Klarefi is designed to use industry-standard transport encryption for data transmitted over public networks. Customer data stored by Klarefi-controlled application components or managed infrastructure is intended to be protected at rest where supported by the applicable hosting or storage provider layer and where implemented in the relevant deployment path.

This overview is intentionally high level and does not make specific claims regarding cipher suites, key-management architecture, or provider-specific encryption implementations unless separately documented in customer-facing materials.

Klarefi seeks to build and operate the service using controlled engineering and application-security practices appropriate for an early-stage SaaS platform serving regulated workflow use cases. Code changes are expected to go through development review and testing processes. Input validation, permission checks, and explicit workflow state handling are used to reduce unsafe or unauthorized actions.

Where implemented, sensitive values such as API secrets or access keys may be hashed, tokenized, scoped, or otherwise handled in a way that avoids unnecessary plaintext persistence. Klarefi favors controlled, typed, gated workflow progression over unconstrained autonomous system behavior.

Klarefi may rely on managed cloud infrastructure and operational controls for hosting, networking, and administrative access. Specific provider, region, and environment-separation details are governed by the applicable deployment documentation or customer agreement.

Klarefi may maintain authentication and access-related records, workflow status changes and operational events, upload and submission lifecycle events, administrative or configuration changes, usage-related and billing metering events, and service error, monitoring, and troubleshooting records.

These records may be used to support security review, operational support, troubleshooting, service integrity, billing administration, abuse prevention, and audit support. Log content, retention, and availability may vary based on service configuration, dependencies, and the operational purpose of the relevant record type.

Klarefi is designed for regulated workflows that benefit from traceable progression and reviewable operational history. Hosted intake submissions, uploads, workflow state transitions, and certain operator or administrative actions may be recorded for auditability, support, and workflow troubleshooting.

Workflow execution is designed to preserve an operational trail of how a case moved through intake and review states. Audit-relevant records may include timestamps, event identifiers, state changes, workflow-related context, and other service records useful for review or reconstruction. AI-assisted extraction and workflow support are intended to operate inside this broader traceable system rather than as opaque standalone decisions.

Klarefi is designed around organization-scoped application data and access boundaries. The precise tenancy and isolation model may differ by deployment, and customer-facing guarantees are set out in the applicable agreement or architecture documentation.

Klarefi maintains internal processes intended to support the identification, triage, investigation, containment, remediation, and follow-up of suspected security incidents affecting Klarefi-controlled systems.

Where required by applicable law or contract, Klarefi expects to notify affected customers in accordance with those obligations. This overview does not establish specific notification timelines unless they are expressly stated in the customer's agreement or other binding documentation.

Klarefi uses backup and recovery practices appropriate to the service environment. Specific scope, cadence, restore testing, recovery objectives, and dependency coverage are governed by the applicable operational documentation or customer agreement.

Klarefi seeks to identify and address vulnerabilities through routine engineering maintenance, dependency updates, defect remediation, and issue triage. Security issues identified internally, by customers, or by service providers may be prioritized based on severity, exploitability, exposure, and operational impact.

Remediation timing varies based on the nature of the issue and the affected service surface. This overview does not imply a public bug bounty, formal penetration-testing program, or fixed remediation SLA unless separately documented.

Klarefi may rely on third-party providers to support specific service functions. Examples may include identity and organization management, billing and subscription administration, managed hosting and storage, observability, and AI-related processing services depending on the customer's configuration and deployment.

Klarefi may use WorkOS for identity, SSO, organization membership, and RBAC-related inputs. Klarefi may use Stripe for billing, invoicing-related functions, subscription administration, and entitlements support. Subprocessor and vendor information is provided through the applicable agreement, DPA, diligence materials, or a maintained subprocessor notice where applicable.

Klarefi may use AI-assisted methods for extraction, classification, summarization, gap detection, routing support, and workflow assistance. Such outputs may be probabilistic, incomplete, inconsistent, or unsuitable for a particular customer use without review.

AI-assisted functions operate within configured workflows, business rules, review states, and broader operational controls rather than replacing customer governance. Depending on customer configuration and use case, human review may be required before downstream action, escalation, or final decisioning. Customers remain responsible for evaluating whether their workflow design, review thresholds, and overall control environment satisfy applicable legal and regulatory obligations.

Customers are responsible for selecting what information they request from applicants or end users, configuring workflow rules, review paths, approvals, and escalation logic, assigning appropriate user roles, and removing access promptly when it is no longer needed.

Customers are also responsible for managing SSO and identity-provider settings where applicable, deciding whether human review is required before taking regulated action, and validating downstream integrations, exports, and system-of-record updates. Enterprise authentication and entitlement controls can help support access control, but they do not replace customer-side user administration and governance.

Security inquiries and vulnerability reports may be sent to mike@klarefi.com.

No internet-connected software or managed service can guarantee absolute security, uninterrupted availability, or error-free automated outputs. Security and control outcomes depend in part on customer configuration, user administration, provider dependencies, workflow design, and operational context.

This overview is provided for general informational purposes and does not amend the customer agreement, DPA, order form, or any other binding commitment. Klarefi does not by this document assume responsibility for legal, underwriting, claims, compliance, medical, or other regulated determinations that remain the responsibility of the customer or its authorized personnel.