Trust
IP & defensibility
Clamper is the standalone surface of Module B (CI/CD gate with policy DSL) on the ARIADA mosaic platform. Module-by-module IP-portfolio status, prosecution roadmap, and conversion deadlines are disclosed for accredited-investor due diligence at ariada.ai/investors/legal.
Module B's six core capabilities cover (1) policy-based pipeline gating, (2) baseline delta classification via deterministic fingerprinting, (3) hierarchical policy resolution (org/team/repo/branch/env), (4) exemption ledger with mandatory expiry + DOM-change auto-invalidation, (5) gradient enforcement curve, and (6) multi-domain composite gating.
Data handling
- No PII storage from scanned sites. DOM analysis only — no end-user data is captured.
- EU residency by default. All scan data, baseline storage, and audit chain in eu-north-1 (Stockholm) / Hetzner FSN1.
- DPA available for Team, Business, and Enterprise tiers.
- Audit retention: 90 days (Free), 1 year (Team), 7 years (Business — matches EU AI Act Art. 50 + EAA evidence retention requirement), customer-controlled (Enterprise self-hosted).
- Signing keys: Clamper-managed Ed25519 by default; customer-managed (HSM optional) on the Enterprise self-hosted edition.
Compliance & audits
- SOC 2 Type II — in flight
- GDPR Article 28 DPA — available
- EAA / EN 301 549 §10/§11 — signed audit record cross-walks to the standard's evidence requirements
- EU AI Act Article 50 — audit chain retention satisfies the 7-year evidence rule (Business+ tier)
- ADA Title II / Title III — gate enforcement evidence admissible as part of a remediation defence
Security posture
- Tenant isolation at policy + baseline + exemption layers; one tenant’s configuration cannot affect another’s evaluation.
- Hash-chained audit record (SHA-256 chain + Ed25519 signature) — tampering with any field invalidates downstream hashes.
- Canonical JSON (RFC 8785) for record canonicalisation — deterministic, language-independent signature input.
- Least-privilege GitHub permissions: contents: read, pull-requests: write, checks: write only.
- No third-party trackers on this site or in the gate runtime. PostHog analytics is self-hosted.
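
The tamper-evidence property of a hash-chained audit record, as an added example (not Clamper's code or record format): each hash covers the previous hash plus the record's canonical JSON, so editing one field breaks verification from that record onward. Field names and the genesis value are hypothetical; the canonicaliser matches RFC 8785 only for the ASCII strings and small integers used here, and the Ed25519 signature step is omitted.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" value for the first record


def canonical(obj):
    # Sorted keys, no whitespace: equals RFC 8785 output only for the ASCII
    # keys/strings and small integers used here, not for arbitrary JSON.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def link_hash(prev_hash, body):
    # Each hash covers the previous link plus every field of the record.
    return hashlib.sha256(prev_hash.encode("ascii") + canonical(body)).hexdigest()


def append(chain, body):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev": prev, "hash": link_hash(prev, body)})


def first_invalid(chain):
    """Index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != link_hash(prev, rec["body"]):
            return i
        prev = rec["hash"]
    return None


def sample_chain():
    # Constructed records; field names are hypothetical.
    chain = []
    for seq, verdict, violations in [(1, "pass", 0), (2, "fail", 3), (3, "pass", 0)]:
        append(chain, {"seq": seq, "verdict": verdict, "violations": violations})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    tampered = copy.deepcopy(chain)
    tampered[1]["body"]["verdict"] = "pass"  # one field edited mid-chain
    print("intact:", first_invalid(chain))
    print("field edited:", first_invalid(tampered))
    # Recomputing only the edited record's hash moves the break downstream.
    tampered[1]["hash"] = link_hash(tampered[1]["prev"], tampered[1]["body"])
    print("record re-hashed:", first_invalid(tampered))
```

A chain re-hashed all the way to its end verifies internally but ends in a different head hash, which is why the chain also needs a signature or an external anchor on that value.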
Cobbler’s shoes
Clamper enforces accessibility gates. Clamper itself must be impeccable. Every page on this site is checked with axe-core (target: 0 violations) and Lighthouse (target: a11y score 100). If you find an accessibility issue, email a11y@clamper.ai and we will fix it — just as we expect our customers to fix what we flag.
GitHub identity
The Clamper GitHub Action is published from the ariada-ai organisation as github.com/ariada-ai, sibling to blamer.ai and reverter.ai Marketplace Actions. This is per the 2026-04-29 GitHub identity strategy architecture decision: one brand-family = one GitHub org, with each Marketplace Action as its own repository under the org. Clamper, Blamer, and Reverter are sister Actions; the ariada.ai umbrella product bundles all three plus the rest of the ADOPTA portfolio.