Technical Documentation

Architecture & Security

Design Principle

Core Architecture

Deliberate blindness. CLEARANCE stores attestation records and aggregate metadata. It does not routinely access, review, or analyse the contents of individual contributor records. This is an architectural choice, not a limitation — it preserves the independence required for third-party documentation and prevents CLEARANCE from inheriting compliance liability.

The structural argument is straightforward: if the entity that documents compliance can also read and interpret that documentation, it ceases to be an independent standard. It becomes an assessor. CLEARANCE is the former, not the latter.

What CLEARANCE Is — and Is Not

LAYER 0

Background Screening

Identity verification, criminal checks, sanctions screening, OFAC/FCA, right-to-work. Providers: Zinc, Certn, Sterling, etc. Answers: "Is this person real and clean?"

LAYER 1

CLEARANCE

OBA status, employer restrictions, permissible task types, contemporaneous attestation. Answers: "Is this person's employer aware, and what can they do?"

Background screening and CLEARANCE are complementary. Screening verifies who someone is; CLEARANCE documents what their employer permits them to do. Neither replaces the other.

Data Flow

Record Creation

Contributors complete a structured attestation form covering their professional status, employer information, OBA policy status, task restrictions, and sector-specific permissions. On submission, the system generates:

A unique verification ID (CLR-XXXXXXXX) linked to the record
A SHA-256 content hash of the attestation data for tamper-evidence
A timestamped record stored in the CLEARANCE system
A signed PDF receipt delivered to the contributor

Verification

Any party with a valid verification ID can query the CLEARANCE gate check API. The API returns one of three statuses:

COMPLETE — A record exists and all required fields have been attested
INCOMPLETE — A record exists but one or more required fields are missing
NO_RECORD — No record found for this verification ID

The API does not return the contents of the attestation. It confirms whether documentation exists and is complete. This is by design.

What the API Does Not Do

The gate check API does not disclose: the contributor's name, employer, role, sector, task restrictions, OBA status, or any other field in the attestation. It confirms the existence and completeness of a record. Nothing more.

Infrastructure Security

CLEARANCE operates on enterprise-grade cloud infrastructure with the following security posture:

All data transmitted over TLS 1.3 encryption
Data at rest encrypted via provider-managed encryption
Serverless architecture with no persistent server attack surface
HTTPS enforced on all endpoints
No contributor data stored on local devices or personal machines

Data Minimisation

CLEARANCE collects only the data necessary for the attestation record. It does not collect: employer login credentials, personal financial information, trading history, portfolio positions, social security or national insurance numbers, or any data from the contributor's employer systems.

Contributors control their own records. Deletion requests are processed within 30 days of receipt at legal@clearanceid.com.

Tamper Evidence

Each attestation record includes a SHA-256 hash computed at the time of submission. If any field in the record is modified after submission, the hash will no longer match, making tampering detectable. Verification IDs and timestamps are immutable once created.

Access Controls

Administrative access to CLEARANCE systems is restricted to authorised Clearance Advisory personnel. Access logs are maintained. Contributor data is never shared with third parties except: (a) at the explicit request of the record holder, (b) as required by law, or (c) in aggregate, anonymised form where no individual record can be identified.

Regulatory Alignment

CLEARANCE is designed with the following regulatory frameworks in mind:

FINRA Rules 3270/3280 (current) and proposed Rule 3290: Outside business activity documentation requirements for registered persons
FCA SM&CR: Senior Managers and Certification Regime personal accountability obligations
SEC Examination Priorities (FY2026): AI oversight, vendor management, third-party risk
UK GDPR / EU GDPR: Data minimisation, purpose limitation, right to erasure

CLEARANCE does not provide compliance with any of these frameworks. It provides documentation that may support compliance efforts by contributors, platforms, and their respective legal counsel.

Enterprise Integration

Platforms can integrate CLEARANCE via the gate check API to verify contributor documentation status during onboarding or on an ongoing basis. For enterprise integration enquiries, contact enterprise@clearanceid.com.

Contact

Security concerns or architecture questions: legal@clearanceid.com

Enterprise integrations: enterprise@clearanceid.com