Security
The honest answer starts with what ClariLayer never does: we never hold your warehouse credentials, and we never run SQL on our servers. Your agent runs queries with its own access and sends back the result shape; ClariLayer reconciles that against the context you saved.
ClariLayer is a trust product that sits next to your warehouse data, so the first question prospects ask is fair: what actually touches my data, and where does it go? This page answers that plainly. We would rather state a posture you can verify than a slogan you have to take on faith.
The short version: ClariLayer is delivered over MCP and runs inside the agent you already use, on your own machine. Your agent is the only connector to your warehouse. ClariLayer never sits in that connection — it has no credentials to your database and runs no queries against it. What reaches ClariLayer is the result shape your agent chooses to send back, which we reconcile against your saved definitions.
The data flow
Trust boundary — everything in this box runs on your machine
Your machine + agent
Claude Code, Cursor, or Codex with ClariLayer installed as an MCP server.
Your warehouse
Your database, your credentials. The agent is the only thing that connects.
Leaves your machine — assembled and sent by your agent
ClariLayer reconciles
Compares the result shape against your saved definition and records a caveat on drift. No warehouse credentials. No SQL executed server-side.
ClariLayer lives at the last step only. We do not claim your raw data never leaves your machine — if your agent includes preview rows in the result shape, those rows can carry real values. What we can state plainly is the boundary: no warehouse credentials reach us, and no SQL runs on our servers.
Step by step
Each request follows the same path. The agent on your machine does the warehouse work; ClariLayer only ever sees what the agent sends back, and only uses it to reconcile against the context you saved.
ClariLayer installs as an MCP server inside the agent you already run — Claude Code, Cursor, or Codex — on your own machine. The agent is the only thing that ever touches your warehouse, using the credentials you already have configured locally.
When a question needs live data, your agent runs the query itself against your warehouse with its own access. ClariLayer is not in that connection. We hold no warehouse credentials, open no connection to your database, and execute no SQL on our servers.
Your agent reports back the shape of what it got: the column names, the aggregates and grouping the query implies, an optional row count, and any preview rows it chooses to include. That payload is what reaches ClariLayer — assembled and sent by your agent, on your machine.
ClariLayer compares that result shape against the definition you saved earlier. If the live result drifts from what the saved definition declares, we record a caveat so you and your agent know to look closer. We compare shapes; we do not adjudicate your numbers.
What we promise — and what we won’t pretend
The same honesty that runs through the product runs through our security posture: we state exactly what is true, and we refuse the comforting overstatement. A claim you cannot verify is just asserted text — and asserted text is the trust problem ClariLayer exists to fix.
ClariLayer stores no database passwords, connection strings, or warehouse tokens. There is no integration form where you hand us read access to your data warehouse — because there is nothing on our side that would connect to it.
We never execute your queries. Every query runs inside your agent, on your machine, under your own access. ClariLayer's job begins after the result comes back: structuring saved SQL deterministically and reconciling result shapes against context.
We will not claim "your raw data never leaves your machine." If your agent includes preview rows in the result shape it sends, those rows can contain real values from your warehouse. You and your agent decide what to include; we are upfront that it is a choice, not a guarantee of zero data.
The context you save — definitions, schema notes, reusable SQL, caveats — is stored against your account and isolated by row-level security. Single-player by default: it is yours until you deliberately bring it into a shared team layer.
Stated plainly, not over-claimed
ClariLayer’s whole reason to exist is that an asserted claim and a checked one are not the same thing. We apply that to our own posture. The architecture above is how the product is built today: your agent connects to the warehouse, ClariLayer does not. We describe that as the current design rather than stamping it “verified,” because the honest word for a claim is the one you can check — and we would rather you check this against the docs, the quickstart, and the MCP install than take a badge at face value.
Connect ClariLayer to Claude Code, Cursor, or Codex. Your agent keeps its own warehouse access; ClariLayer never asks for your credentials and never runs your SQL — it reconciles what your agent sends back against the context you save.
Connect your AIWe use privacy-friendly analytics
With your consent we use PostHog and Vercel Analytics to understand how ClariLayer is used so we can improve it. We never sell your data. Errors are always monitored (without analytics) so we can keep the app reliable. You can change your mind anytime.