// Trust & Security Report

    Clay Labs Inc. logo

    Clay Labs Inc.

    Clay - GTM data enrichment, AI research agents (Claygent), and go-to-market workflow orchestration platform

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Compliance: SOC 2 Type 2 ... Audit Reports: SOC 2 Type 2 Report

    Verify on trust.clay.com
    SOC 2 Type 1
    HELD

    Compliance: SOC 2 Type 1 ... Audit Reports: ... SOC 2 Type 1

    Verify on trust.clay.com
    ISO 27001:2022
    HELD

    Compliance: ... ISO 27001:2022 ... Other resources: ... ISO 27001 Certificate

    Verify on trust.clay.com
    GDPR
    HELD

    Compliance: ... GDPR ... To request a signed Data Processing Agreement (DPA) by Clay, please email security@clay.com.

    Verify on trust.clay.com
    CCPA
    HELD

    Compliance: ... CCPA COMPLIANT CCPA

    Verify on trust.clay.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA listed in the Trust Center compliance section (SOC 2 Type 1/2, GDPR, CCPA, ISO 27001:2022 are the listed frameworks).

    source: trust.clay.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    USA (all listed subprocessors - AWS, Amplitude, Anthropic, Braintrust - are hosted in the USA)

    Clay states customer data is never used to train AI models: 'Your data is never used for AI model training. Clay has contractual agreements with all AI providers (OpenAI, Anthropic, Google, and others) that strictly prohibit using customer data to train their models.' Enterprise customers can also bring their own AI provider API keys. Note: Clay is a data-enrichment broker; for third-party data it acts as a data processor and resells professional contact data sourced from 150+/200+ providers, which is a separate privacy consideration from AI model training.

    // Security controls

    Penetration testing

    Performed; executive summary available via Trust Center ('Penetration testing performed'; resource 'Pentest Report Executive Summary')

    trust.clay.com

    Encryption

    Data encrypted at rest and in transit; 'Encryption key access restricted', 'Data encryption utilized'

    trust.clay.com

    Bug bounty

    No public HackerOne or Bugcrowd program found; not advertised on Trust Center

    trust.clay.com

    Authentication

    Unique account authentication enforced; production application access restricted; SSO via Google/Okta/Azure supported

    trust.clay.com

    AI governance

    Dedicated AI Controls program (AI system impact assessment, AI management system scope, AI objectives and planning) plus contractual no-training clauses with LLM providers

    trust.clay.com

    Data deletion

    'Customer data deleted upon leaving'; cybersecurity insurance maintained; incident response plan in place

    trust.clay.com

    // Products & data scope

    Clay platform (self-serve: Starter/Explorer/Pro)GTM data enrichment + AI research agents

    data: Stores customer-uploaded records and enriched third-party data in Clay tables; account data (name, email, company), professional contact data sourced from 150+/200+ data providers

    Free trial and paid self-serve tiers aimed at startups and individual GTM teams

    Clay EnterpriseGTM infrastructure for large orgs

    data: Adds Headless CRM mode where no data is stored in Clay, and bring-your-own AI provider API keys; signed DPA available

    Strongest data-minimization posture; SSO and stricter access controls. Best fit for security-sensitive buyers.

    Clay MCP / Clay for Salesforce / APIIntegrations and programmatic access

    data: Connects Clay's data layer to external CRMs (Salesforce), AI assistants (MCP), and data warehouses; data flows governed by the same DPA and subprocessor list

    Used to push enriched data into existing GTM tooling

    // What to watch

    • Clay is a data broker / data-enrichment reseller: it resells professional contact data from 150+/200+ third-party providers. This is a privacy/compliance consideration distinct from its strong corporate security posture - buyers should review the DPA and data-sourcing terms for GDPR lawful-basis and CCPA obligations.
    • No public bug-bounty program (HackerOne/Bugcrowd) found; relies on third-party penetration testing instead.
    • No HIPAA - not suitable for PHI workloads.

    // At a glance

    Pricing model

    Freemium / credit-based SaaS subscription (free trial, self-serve Starter/Explorer/Pro tiers, plus custom Enterprise)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Clay Labs Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.clay.com

    > Browse all vendor trust reports