# Clarity VDR security-review guide

This guide helps a buyer organize due diligence. Confirm current answers through the Trust Center and customer review packet; do not treat this template as certification evidence.

## Identity and access

- How are individual accounts verified?
- Which roles can govern rooms, participants, publication, and downloads?
- How are group, folder, document, and external-share permissions evaluated?
- How are sessions, MFA, revocation, and failed verification handled?

## Documents and processing

- Where are source files and generated previews stored?
- Which file types and sizes are supported?
- When is malware screening required, and does failure block registration?
- How are watermarks, downloads, versions, redactions, and archives governed?

## Evidence and monitoring

- Which administrative, permission, session, document, Q&A, and download events are retained?
- Which exports support access review, incident response, and closeout?
- How are security reports routed and preserved?

## Providers and resilience

- Which identity, database, storage, hosting, billing, email, and scanning providers support the configured service?
- Which regions apply to the customer's room?
- What backup ownership, restore testing, rollback, and status processes are current?
- How are material provider changes communicated?

## Contract and shared responsibility

- Which security statements are contractual, configurable, or roadmap items?
- What must the customer configure, approve, export, or preserve?
- Is a DPA or additional security schedule required?
- Which incident-notification and deletion obligations appear in the executed Order?
