ClerkAPI

Security & data handling

What we collect, what we don't, and where it lives.

ClerkAPI was built to clear municipal procurement review on the first pass. Below is a complete description of how data flows through the product, what we keep, what we throw away, and which vendors are in the loop. No surprises in the data flow, no claims we can't back up.

Last reviewed: May 25, 2026 · Questions? security@clerkapi.com

On this page

  • What we crawl
  • No resident PII, ever
  • Encryption & access
  • AI vendor disclosure
  • Subprocessors
  • Sample DPA
  • Accessibility & VPAT
  • Incident response & uptime
  • Your data, your control

# What we crawl

ClerkAPI indexes only the pages reachable from your public homepage: HTML pages, PDFs, ordinance documents, and meeting minutes. We respect robots.txt directives and identify ourselves in the user-agent string as ClerkAPI-Crawler/1.0 (+https://clerkapi.com/crawler) so your IT team can see exactly what touched the site.

  • No intranets, no staff portals, no authenticated pages.
  • No third-party scraping, no Wayback Machine, no Google cache, no data from elsewhere.
  • No outbound links followed off your domain (and any allowlisted subdomains you designate).
  • Crawl frequency is configurable; you can pause or revoke crawl access at any time from the dashboard.
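For the IT-side check this section points to, here is an added example (not ClerkAPI's code) that scans web-server access logs for requests carrying the crawler's user-agent token and flags any that fall outside the scope stated above. The log lines, the robots.txt, and the GET/HEAD and 401/403 checks are constructed assumptions; the user agent is self-declared, so a match shows only what the client claimed to be.

```python
import re
from urllib.robotparser import RobotFileParser

CRAWLER_TOKEN = "ClerkAPI-Crawler"  # product token from the user-agent string quoted on this page
UA = "ClerkAPI-Crawler/1.0 (+https://clerkapi.com/crawler)"

# Constructed sample data (not real logs): a robots.txt and combined-format access-log lines.
ROBOTS_TXT = "User-agent: *\nDisallow: /staff/\nDisallow: /drafts/\n"
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/May/2026:10:00:01 +0000] "GET /minutes/2026-05.pdf HTTP/1.1" 200 48211 "-" "{UA}"',
    f'203.0.113.7 - - [25/May/2026:10:00:02 +0000] "GET /staff/login HTTP/1.1" 302 0 "-" "{UA}"',
    f'203.0.113.7 - - [25/May/2026:10:00:03 +0000] "POST /contact HTTP/1.1" 200 512 "-" "{UA}"',
    f'203.0.113.7 - - [25/May/2026:10:00:04 +0000] "GET /permits/portal HTTP/1.1" 401 0 "-" "{UA}"',
    '198.51.100.9 - - [25/May/2026:10:00:05 +0000] "GET /drafts/budget HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# method, path, status and user agent from an Apache/nginx "combined" log line
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def audit_crawler_hits(log_lines, robots_txt):
    """Return (path, reason) for each crawler-attributed request outside the stated scope."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or CRAWLER_TOKEN not in m.group(4):
            continue  # unparsable line, or a client that does not claim to be the crawler
        method, path, status, _agent = m.groups()
        if not rp.can_fetch(CRAWLER_TOKEN, path):
            findings.append((path, "disallowed by robots.txt"))
        if method not in ("GET", "HEAD"):  # assumption: an indexer only reads pages
            findings.append((path, f"unexpected method {method}"))
        if status in ("401", "403"):  # assumption: these statuses mark access-controlled URLs
            findings.append((path, f"access-controlled (HTTP {status})"))
    return findings

if __name__ == "__main__":
    for path, reason in audit_crawler_hits(SAMPLE_LOG, ROBOTS_TXT):
        print(f"{path}: {reason}")
```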

# No resident PII, ever

The assistant never asks a resident for their name, address, account number, license plate, or any personal information. Questions are processed in real time and logged anonymously for staff audit. Specifically:

  • What we log: the question text, the answer returned, the sources cited, an anonymous session ID (rotates per browser per 30 days), timestamp, and whether the resident clicked through to a source.
  • What we do not log: IP addresses (beyond short rate-limit windows under 60 minutes), browser fingerprints, geolocation, cookies that persist across sessions, or any identifier that survives a browser restart.
  • PII redaction: a redaction pass on question text strips anything resembling an address, phone number, SSN, or email before storage in the audit log. The original is discarded.
  • Audit-log retention: 90 days by default; configurable from 30 to 365 days per customer.

# Encryption & access

  • In transit: TLS 1.2+ on every hop — resident → widget, widget → API, API → database, API → model providers.
  • At rest: AES-256 on all stored content (indexed pages, embeddings, audit logs, account data).
  • Database access: scoped per customer with row-level isolation. Only server-side service credentials read or write; they rotate on demand and on staff offboarding.
  • Admin access: 2FA required for all ClerkAPI staff; access logged and reviewed monthly. Staff have read-only access to customer data only when responding to a support ticket the customer opened.

# AI vendor disclosure

ClerkAPI uses commercial APIs from Anthropic (Claude family models) and OpenAI (embeddings and select fallback generation). Resident questions and the retrieved passages from your indexed content are sent to these providers at query time and the response is returned. Specifically:

  • No training: both providers operate under commercial API terms that explicitly exclude API traffic from model training.
  • Retention at the provider: 30 days for abuse monitoring, then deleted. No long-term retention by the model provider.
  • What gets sent: the resident's question (after PII redaction), the top retrieved passages from your indexed content, and a system prompt instructing the model to ground in those passages and refuse otherwise.
  • On-prem & BYO-model options are available on the County/State tier — contact us if you need to keep all inference inside your own boundary.

# Subprocessors

We use the following subprocessors. We'll notify you in writing 30 days before adding any new subprocessor.

| Vendor | Purpose | Region |
| --- | --- | --- |
| Amazon Web Services | Application hosting & database | us-east-1 (N. Virginia) |
| Anthropic, PBC | Generation (Claude models) | US |
| OpenAI, L.L.C. | Embeddings & fallback generation | US |
| Vercel, Inc. | Edge delivery for the widget & dashboard | Global edge, US-origin |
| Cloudflare, Inc. | DNS, DDoS protection, image CDN | Global |

# Sample DPA

We publish a pre-signed sample Data Processing Agreement based on the IAPP municipal template, with the redlines most city attorneys ask for already applied (no data sale, no AI training, US-only data residency, 90-day deletion on termination, GDPR Article 28 language for cross-border edge cases).

Request the sample DPA →

We'll also countersign your city's standard DPA on request, typically within 5 business days.

# Accessibility & VPAT

The resident widget meets WCAG 2.1 Level AA out of the box: keyboard navigable, full screen-reader labelling (ARIA live regions on the response, role="log" on the transcript), 4.5:1 minimum contrast, no motion that can't be paused, focus management on every state transition.

  • Self-assessed VPAT 2.x summary: available on request.
  • Full third-party-audited VPAT: in progress, ETA Q3 2026.
  • We treat accessibility regressions as P0 bugs and triage them within one business day.

# Incident response & uptime

  • Target uptime: 99.9% on City tier and above (named SLA with credits on Metro tier).
  • Status page: status.clerkapi.com
  • Incident notification: customers notified within 24 hours of any incident with potential resident impact, with a full post-mortem within 5 business days.
  • Security incidents: notification within 72 hours, in line with most state-level breach notification statutes.

# Your data, your control

  • You own your indexed content. We process it on your behalf.
  • Export anytime: full audit log, unanswered question history, and content gap reports as CSV from the dashboard.
  • Delete on request: indexed content and account data deleted within 30 days; deletion certificate provided on request.
  • No data sale, ever. We do not sell, license, or share customer data with third parties beyond the subprocessors listed above.

Questions for our security team: security@clerkapi.com. For procurement paperwork, see the procurement page.
