Security and SSO

Data residency, single sign-on, MFA, audit logs, and how Clment handles your contracts.

Updated 2 Jun 2026

Contracts are sensitive. This page covers how Clment handles your data, the auth options available, and where to look for an audit trail.

Data residency

Clment runs as a set of regional planes. Each region keeps its data physically within that region — contracts uploaded into a US org live in US Cosmos + Blob Storage and never leave. Available regions:

  • US — Azure East US 2, with paired-region failover to West US 3.
  • EU — Azure West Europe (Amsterdam), with paired-region failover to North Europe (Dublin).
  • AU — Azure Australia East (Sydney), with paired-region failover to Australia Southeast (Melbourne).

Cross-region work — like a multi-region admin viewing usage stats — happens via aggregated metadata only; the underlying contract data stays in-region.

Single sign-on (SSO)

Clment supports two SSO providers out of the box:

Setup happens under Settings → Security → Single sign-on. Both providers take about 15–20 minutes including testing.

Once SSO is configured, you can disable password sign-in for the whole organisation under Settings → Security → Allowed sign-in methods — Clment then rejects password sign-in attempts at the auth layer and routes users to your IdP.

User accounts are created via the Team page; the email you invite needs to match what the IdP returns at sign-in time. We don’t currently auto-create accounts from SSO sign-ins.

Multi-factor authentication

For non-SSO sign-in, MFA is optional on Free and enforceable org-wide on paid plans. Clment supports TOTP (Google Authenticator, Authy, 1Password, etc.) plus backup codes.

Org admins can require MFA org-wide under Settings → Security → Require MFA. Existing users without MFA are walked through enrollment on their next sign-in.

SSO-only users are exempt — their identity provider’s MFA policy applies. Forcing a second TOTP factor on top of an IdP’s existing MFA is redundant.
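The sign-in rules above (password sign-in disabled org-wide, no auto-creation from SSO, MFA enforceable only on paid plans, SSO-only users exempt from the TOTP requirement) can be read as one policy decision. The following is an added illustration, not Clment's own code; the `OrgSecurity`, `User` and `Decision` names are hypothetical, and the function assumes the password or IdP assertion has already been verified:

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                       # session can be issued
    REQUIRE_MFA = "require_mfa"           # prompt for TOTP or a backup code
    ENROLL_MFA = "enroll_mfa"             # org requires MFA; walk user through enrollment
    REDIRECT_TO_IDP = "redirect_to_idp"   # password sign-in disabled org-wide
    REJECT = "reject"                     # no matching invited account, or unknown method


@dataclass
class OrgSecurity:                        # hypothetical model of the org's Security settings
    plan: str = "free"                    # MFA is only enforceable org-wide on paid plans
    password_signin_allowed: bool = True  # Settings -> Security -> Allowed sign-in methods
    require_mfa: bool = False             # Settings -> Security -> Require MFA


@dataclass
class User:                               # an account invited via the Team page
    email: str
    mfa_enrolled: bool = False


def _norm(email: str) -> str:
    # Compare case-insensitively so "Ada@Example.com" asserted by the IdP matches the invite.
    return email.strip().lower()


def resolve_sign_in(org: OrgSecurity, users: list[User], method: str, email: str) -> Decision:
    """Hypothetical auth-layer step run after the credential or IdP assertion is verified."""
    if method == "password" and not org.password_signin_allowed:
        # Checked before the account lookup so the response does not reveal whether
        # the address belongs to a member.
        return Decision.REDIRECT_TO_IDP
    user = next((u for u in users if _norm(u.email) == _norm(email)), None)
    if user is None:
        return Decision.REJECT            # invite first; SSO sign-ins never create accounts
    if method == "sso":
        return Decision.ALLOW             # the IdP's own MFA policy applies; no second factor
    if method == "password":
        if user.mfa_enrolled:
            return Decision.REQUIRE_MFA
        if org.require_mfa and org.plan != "free":
            return Decision.ENROLL_MFA    # enrollment on next sign-in, as described above
        return Decision.ALLOW
    return Decision.REJECT
```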

See MFA and account protection for the user-side walkthrough.

Encryption

  • At rest: Azure Storage Service Encryption is on by default for all storage.
  • In transit: TLS 1.3 (TLS 1.2 minimum). HSTS enabled on every public hostname.
  • Backups: encrypted with the same keys as the live data; retained 90 days.

Audit log

Every state-changing action against a contract or review writes an audit row. You can see the per-contract trail under the contract’s Activity tab. The trail includes the user, the action, the resource id, and the timestamp.

For SOC 2 / compliance evidence, contact support — we can produce an organisation-wide export covering whatever window you need.

Reporting a security issue

If you’ve found a vulnerability, please email security@clment.com. PGP key on /security. We respond within 24 hours and follow coordinated-disclosure norms.
