ClearPath Hours
Security overview
Launch-ready legal surface

Where the security boundary actually lives.

ClearPath Hours stores licensure-evidence records that pre-licensure clinicians plan to submit to state boards. This page describes — in plain language — how the product protects those records, what it doesn't claim, and how to reach us if you find an issue.

TLS in transit, AES-256 at rest
Row-level security on every workspace table
Explicit supervisor relationships, no shared workspaces

Plain-language summary

Authentication, encryption, row-level isolation. No surprises about scope.

Every record in ClearPath is gated by Postgres row-level security keyed to the authenticated user. Data rides TLS in motion and AES-256 at rest. The supervisor flow grants exactly the permission the clinician approved — and nothing else. If you're evaluating ClearPath against an employer or program requirement, this is the page to share.

Product posture

Rules-first workflow

The product presents deterministic review, bounded AI, and human release as separate layers.

Clinical responsibility

You remain the decision-maker

Records, supervision, and submission readiness still require clinician and supervisor judgment.

Launch standard

Readable, explicit, same-source

These pages mirror the same tone and product boundaries visible across the rest of the site.

Reading note

This is product-facing legal copy, not clinical advice or board guidance.

ClearPath helps organize records, surface review posture, and prepare handoff materials. Final compliance decisions and licensure submissions still belong to the clinician, supervisor, and state board.

Authentication & Account Access

ClearPath uses Supabase Auth for sign-in. Passwords are hashed with bcrypt-class algorithms server-side; the cleartext value never reaches the application database. Session tokens are short-lived JWTs delivered as HttpOnly cookies, refreshed on activity, and revoked on sign-out across the active browser. Email confirmation is required on signup, and password resets land at a single-use link that expires.

Accounts can be deleted by writing to support@clearpathhours.com. Deletion removes the auth record and the associated workspace rows; backups age out on the standard cloud-vendor schedule.

Encryption

All traffic to clearpathhours.com is served over TLS 1.2+ with HSTS pinned at the edge. Data at rest in Supabase Postgres is encrypted with AES-256, including primary database, automated backups, and replication targets. The same applies to the assets we store for state-board PDF generation and document exports.

Internal service-to-service calls (Vercel ↔ Supabase, Stripe webhooks, Resend email) ride TLS the entire way. We do not log payload bodies for these calls — only metadata required to operate them (status codes, durations, request ids).

Authorization (Row-Level Security)

Every workspace table in ClearPath has Postgres row-level security policies that restrict reads and writes to the authenticated user who owns the row, plus the explicitly-granted supervisor relationships they accept. Cross-user reads only happen through the supervisor flow: when a supervisor accepts an invitation, a relationship row is created that grants them visibility into the supervisee's submitted hours and nothing else.

Server routes that need to bypass RLS (admin self-heal, supervisor accept) use a separately-scoped service-role connection and pass the validated authenticated user id from the session to every write. The service-role key never reaches the browser.
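The owner-plus-accepted-supervisor model described above, written out as Postgres row-level security policies. This is an added illustration, not ClearPath's actual schema: the table and column names are invented, and it assumes Supabase's auth.uid() helper (the user id from the verified JWT) and its built-in authenticated role.

```sql
-- Constructed example schema (not ClearPath's actual tables): a clinician's
-- hour entries and the supervisor relationships they have explicitly granted.
create table supervisor_relationships (
  id            bigint generated always as identity primary key,
  supervisee_id uuid not null references auth.users (id),
  supervisor_id uuid not null references auth.users (id),
  accepted_at   timestamptz,                  -- null until the supervisor accepts
  unique (supervisee_id, supervisor_id)
);

create table hours_entries (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null references auth.users (id),
  minutes    integer not null check (minutes > 0),
  submitted  boolean not null default false    -- only submitted hours are shared
);

-- RLS is off by default; enable it on both tables. Relationship rows are
-- inserted only by the server-side accept route via the service role (which
-- bypasses RLS) after it has validated the session, so no insert policy exists.
alter table hours_entries enable row level security;
alter table supervisor_relationships enable row level security;

-- Each party may read its own relationship rows. The supervisor policy below
-- depends on this: subqueries inside a policy are themselves subject to RLS.
create policy rel_parties_read on supervisor_relationships
  for select to authenticated
  using (auth.uid() in (supervisee_id, supervisor_id));

-- Owner: full access to their own rows. auth.uid() is Supabase's helper that
-- returns the user id from the verified JWT on the current request.
create policy hours_owner_all on hours_entries
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Supervisor: read-only, only submitted entries, only where an accepted
-- relationship exists. No policy grants insert/update/delete, so those fail.
create policy hours_supervisor_read on hours_entries
  for select to authenticated
  using (
    submitted
    and exists (
      select 1 from supervisor_relationships r
      where r.supervisee_id = hours_entries.owner_id
        and r.supervisor_id = auth.uid()
        and r.accepted_at is not null
    )
  );
```

A quick check for a deployment like this is to connect as an ordinary authenticated user and confirm that a select on another user's rows returns nothing rather than an error, and that an insert with a foreign owner_id is rejected by the with check clause.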

Clinical Privacy Posture

ClearPath is an hour-tracking and licensure-evidence product, not a clinical record system. We strongly encourage clinicians to log hours without identifiable client information, and the entry forms are structured around session metadata (date, duration, category, setting type) rather than clinical content.

We do not currently hold a formal HIPAA certification and we do not market ClearPath as a HIPAA-covered platform. If your employer or supervisor program requires a Business Associate Agreement, please contact us at support@clearpathhours.com before signing up so we can confirm whether your specific use case is appropriate for the product today.

Subprocessors

ClearPath relies on a small set of vendors to operate the service: Supabase (managed Postgres + auth, AWS-backed), Vercel (application hosting + edge), Stripe (billing), Resend (transactional email), and Cloudflare (DNS + email routing). Each is selected for SOC 2 compliance and an established security posture. The full list, the data each receives, and the region each stores it in are available on request.

Optional AI review (audit assist) sends a bounded subset of workspace context to a third-party LLM provider acting on our instructions. The deterministic state-rules audit remains the primary compliance answer; the LLM does not silently rewrite source records.

Disclosure & Reporting

If you believe you've found a security issue affecting ClearPath Hours, please email support@clearpathhours.com with the word 'Security' in the subject line and as much detail as you can share (a reproduction, the affected URL, and the impact you observed). We aim to acknowledge inbound security reports within one business day.

We do not currently run a paid bug bounty. We will, however, credit researchers who report issues responsibly in writing on this page once the issue is patched, with their permission.

What ClearPath Does Not Do

ClearPath does not sell or rent your data, ever. It does not insert third-party tracking pixels for advertising. It does not silently change your hour records on your behalf — every audit and AI suggestion is an explicit prompt the user reviews and approves.

ClearPath is not a substitute for your state board's authority. The product surfaces rules and prepares the same forms boards publish, but the licensure decision is theirs and the responsibility for what you submit is yours.