// Trust & Security Report
Clay Labs Inc.
Clay - GTM data enrichment, AI research agents (Claygent), and go-to-market workflow orchestration platform
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.clay.com“Compliance: SOC 2 Type 2 ... Audit Reports: SOC 2 Type 2 Report”
Verify on trust.clay.com“Compliance: SOC 2 Type 1 ... Audit Reports: ... SOC 2 Type 1”
Verify on trust.clay.com“Compliance: ... ISO 27001:2022 ... Other resources: ... ISO 27001 Certificate”
Verify on trust.clay.com“Compliance: ... GDPR ... To request a signed Data Processing Agreement (DPA) by Clay, please email security@clay.com.”
> Show 1 unconfirmed / not-held certifications
source: trust.clay.comNo HIPAA listed in the Trust Center compliance section (SOC 2 Type 1/2, GDPR, CCPA, ISO 27001:2022 are the listed frameworks).
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
USA (all listed subprocessors - AWS, Amplitude, Anthropic, Braintrust - are hosted in the USA)
Clay states customer data is never used to train AI models: 'Your data is never used for AI model training. Clay has contractual agreements with all AI providers (OpenAI, Anthropic, Google, and others) that strictly prohibit using customer data to train their models.' Enterprise customers can also bring their own AI provider API keys. Note: Clay is a data-enrichment broker; for third-party data it acts as a data processor and resells professional contact data sourced from 150+/200+ providers, which is a separate privacy consideration from AI model training.
// Security controls
Penetration testing
Performed; executive summary available via Trust Center ('Penetration testing performed'; resource 'Pentest Report Executive Summary')
trust.clay.comEncryption
Data encrypted at rest and in transit; 'Encryption key access restricted', 'Data encryption utilized'
trust.clay.comBug bounty
No public HackerOne or Bugcrowd program found; not advertised on Trust Center
trust.clay.comAuthentication
Unique account authentication enforced; production application access restricted; SSO via Google/Okta/Azure supported
trust.clay.comAI governance
Dedicated AI Controls program (AI system impact assessment, AI management system scope, AI objectives and planning) plus contractual no-training clauses with LLM providers
trust.clay.comData deletion
'Customer data deleted upon leaving'; cybersecurity insurance maintained; incident response plan in place
trust.clay.com// Products & data scope
data: Stores customer-uploaded records and enriched third-party data in Clay tables; account data (name, email, company), professional contact data sourced from 150+/200+ data providers
Free trial and paid self-serve tiers aimed at startups and individual GTM teams
data: Adds Headless CRM mode where no data is stored in Clay, and bring-your-own AI provider API keys; signed DPA available
Strongest data-minimization posture; SSO and stricter access controls. Best fit for security-sensitive buyers.
data: Connects Clay's data layer to external CRMs (Salesforce), AI assistants (MCP), and data warehouses; data flows governed by the same DPA and subprocessor list
Used to push enriched data into existing GTM tooling
// What to watch
- Clay is a data broker / data-enrichment reseller: it resells professional contact data from 150+/200+ third-party providers. This is a privacy/compliance consideration distinct from its strong corporate security posture - buyers should review the DPA and data-sourcing terms for GDPR lawful-basis and CCPA obligations.
- No public bug-bounty program (HackerOne/Bugcrowd) found; relies on third-party penetration testing instead.
- No HIPAA - not suitable for PHI workloads.
// At a glance
Pricing model
Freemium / credit-based SaaS subscription (free trial, self-serve Starter/Explorer/Pro tiers, plus custom Enterprise)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Clay Labs Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.clay.com