Operational intelligence for industrial fleets.
Connect customer-owned databases and brokers with an outbound-only agent. Stream change data, materialize tenant analytics, and roll up across your entire fleet — in seconds, not days.
MySQL binlog, Postgres logical replication, MQTT brokers. Snapshots + CDC with checkpointed resume.
Native Helium integration with uplink ingestion, dead-letter replay, and per-device measurement pipelines.
Partition by tenant_id end-to-end. Row-level security on every read model. SOC 2-ready audit trail.
Allowlisted minute and hour aggregates across tenants — broken down by plan, region, or industry.
No inbound DB exposure. Agents punch out with mTLS and device identity. Works behind NAT and dynamic IP.
Threshold alerts, anomaly windows, on-call routing, replayable DLQ — built for control rooms.
Per-tenant preferences with role-scoped writes — operators tune their own alerts without touching others.
Raw events preserved. Typed extras stored separately. Read models optimized per dashboard.
Owner, admin, and operator roles gate connector and data-source changes — viewers see signals, not secrets.
Secrets stay secret — even from your own team.
Webhook signing keys, MQTT credentials, and integration tokens are shielded by column-level grants. Tenant members can manage connectors without ever reading the underlying secret material.
- Row-level security on every table: tenant_id scoping enforced in Postgres policies — not application code. Verified by automated linter on each migration.
- Outbound-only connector agents: Agents initiate mTLS sessions outward. No inbound ports, no public DB exposure, NAT-friendly.
- Encryption in transit & at rest: TLS 1.3 on every hop. AES-256 at rest on managed Postgres and object storage with rotating KMS keys.
- Immutable audit log: Every connector, role, and data-source change written to audit_log with tenant scoping and configurable retention.
- Least-privilege secret access: tenant_webhooks.secret, mqtt_username, and webhook_secret revoked from SELECT — only service roles can read material.
- Role-gated mutations: Owner, admin, operator enforced via has_tenant_role() in policies for connectors, data sources, and notifications.
tenant_webhooks.secret and helium_integrations credentials are revoked from SELECT for all app roles.
Connector and data-source writes require owner, admin, or operator — enforced in the database, not the UI.
Update and delete policies confined to tenant members so cross-tenant tampering is impossible.
Supabase security linter runs on every migration with findings tracked alongside the codebase.
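The column-level grant and role-gated policy pattern described above, sketched in PostgreSQL as an added example; it is not the product's own schema or migrations. Only `tenant_webhooks.secret`, `tenant_id` and the name `has_tenant_role()` come from the page; the table layout, the `tenant_members` table, the `app.user_id` session setting, the `app_user` and `service_role` roles and the function body are assumptions.

```sql
-- Constructed schema for illustration; role and table layout are assumptions.
CREATE ROLE app_user NOLOGIN;               -- assumed role for tenant members
CREATE ROLE service_role NOLOGIN BYPASSRLS; -- assumed backend role that may read secrets

CREATE TABLE tenant_members (
  tenant_id uuid NOT NULL,
  user_id   uuid NOT NULL,
  role      text NOT NULL CHECK (role IN ('owner','admin','operator','viewer')),
  PRIMARY KEY (tenant_id, user_id)
);
CREATE TABLE tenant_webhooks (
  id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  tenant_id uuid NOT NULL,
  url       text NOT NULL,
  secret    text NOT NULL
);

-- Assumed body: caller identity is read from the session setting app.user_id.
-- SECURITY DEFINER lets the membership lookup run without granting app_user
-- any access to tenant_members; search_path is pinned to avoid hijacking.
CREATE FUNCTION has_tenant_role(t uuid, VARIADIC allowed text[])
RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
  SELECT EXISTS (
    SELECT 1 FROM tenant_members m
    WHERE m.tenant_id = t
      AND m.user_id = NULLIF(current_setting('app.user_id', true), '')::uuid
      AND m.role = ANY (allowed));
$$;

ALTER TABLE tenant_webhooks ENABLE ROW LEVEL SECURITY;
-- Any member, viewers included, can read rows of their own tenant.
CREATE POLICY webhooks_read ON tenant_webhooks FOR SELECT TO app_user
  USING (has_tenant_role(tenant_id, 'owner', 'admin', 'operator', 'viewer'));
-- Writes need owner, admin or operator; WITH CHECK blocks moving a row to another tenant.
CREATE POLICY webhooks_write ON tenant_webhooks FOR ALL TO app_user
  USING (has_tenant_role(tenant_id, 'owner', 'admin', 'operator'))
  WITH CHECK (has_tenant_role(tenant_id, 'owner', 'admin', 'operator'));

-- A table-level SELECT grant covers every column, and REVOKE SELECT (secret)
-- alone does not undo it, so grant only the readable columns.
REVOKE ALL ON tenant_webhooks FROM PUBLIC, app_user;
GRANT SELECT (id, tenant_id, url) ON tenant_webhooks TO app_user;
GRANT INSERT, UPDATE, DELETE ON tenant_webhooks TO app_user;
GRANT SELECT ON tenant_webhooks TO service_role;

SET ROLE app_user;
SELECT id, url FROM tenant_webhooks;   -- allowed, rows filtered by the policies
SELECT secret FROM tenant_webhooks;    -- rejected: no SELECT privilege on secret
RESET ROLE;
```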
Ready to see your fleet, live?
A 30-minute working session. We'll connect a sample source, light up a tenant dashboard, and walk the data plane.