Security at Claimaro

How we protect customer data and Protected Health Information — encryption, access controls, audit logging, SOC 2-aligned controls, and incident response.

Last updated: May 16, 2026

Quick read: Claimaro is built for HIPAA-regulated workloads. We encrypt PHI in transit (TLS 1.2+) and at rest (AES-256), enforce role-based access with multi-factor authentication, log every PHI access to an immutable audit trail, sign BAAs with every PHI subprocessor, and run a SOC 2-aligned control environment. A current SOC 2 report, penetration test summary, and subprocessor list are available to qualified customers under NDA.

1. Compliance & frameworks

  • HIPAA — Claimaro operates as a Business Associate to covered entities and other business associates. We sign a Business Associate Agreement (BAA) with every customer whose data includes Protected Health Information (PHI) before any PHI is processed.
  • SOC 2 Type II — We maintain a SOC 2-aligned control environment covering security, availability, confidentiality, and processing integrity. Reports are available under NDA to customers and qualified prospects.
  • HITECH, ACA, and state insurance regulations — Our controls are designed to support customer obligations under HITECH, the Affordable Care Act, and applicable state insurance and consumer-protection laws.
  • PCI DSS — Card data is handled by PCI-DSS Level 1 payment processors (Stripe, NMI, Authorize.net, Deluxe). Claimaro does not store full card numbers; tokenization happens in the processor's hosted fields.

2. Encryption

  • In transit: all traffic to and from Claimaro is encrypted with TLS 1.2 or higher. HSTS is enforced on all public domains. Internal service-to-service traffic uses TLS or runs over private networks.
  • At rest: all customer data — including PHI, files, and backups — is encrypted at rest with AES-256. Database storage, object storage, and backups inherit encryption from our managed cloud providers.
  • Key management: encryption keys are managed by our cloud providers (AWS KMS via Supabase, Vercel-managed secrets) with regular rotation. Application secrets are stored in environment variables scoped per environment (production, preview, development) and never committed to source control.
  • Field-level masking: highly sensitive fields (SSN, government ID, full DOB) are masked by default in the administrative UI. Reveal actions are logged with the user, timestamp, and reason.

3. Access control & authentication

  • Role-based access control (RBAC): seven system roles with permissions enforced server-side. Customer admins can further scope users to specific teams, plans, or tenants.
  • Multi-factor authentication (MFA): required for all administrative access to the platform and for all Claimaro employee accounts that can reach production systems.
  • Single sign-on (SSO): SAML and OIDC SSO with Just-In-Time provisioning is available on enterprise plans.
  • Tenant isolation: every read and write is scoped at the application layer to the authenticated user's tenant, with a database-level Row Level Security (RLS) backstop. Cross-tenant data exposure is an automatic security incident.
  • Least privilege for staff: Claimaro employees access customer environments only when necessary to support, debug, or maintain the Service. Production access is gated, time-boxed, MFA-protected, and logged. Engineers do not have standing access to PHI.

4. Audit logging

Every authenticated action that touches PHI or sensitive configuration is recorded in an immutable, append-only audit log that captures the actor, action, resource, tenant, timestamp, IP, and user-agent. Logs are retained for a minimum of six years to support HIPAA audit requirements. Customer admins can export their own tenant's audit log on demand; longer retention or SIEM forwarding is available on enterprise plans.
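One way to build the append-only audit trail this section describes, as an added Postgres example that is not Claimaro's schema: the table carries the listed fields, a trigger refuses UPDATE, DELETE and TRUNCATE, the application role (`app_rw`, an assumed name) is granted INSERT and SELECT only, and a row-level policy keyed on a per-request `app.tenant_id` session setting (also an assumption) limits exports to the caller's own tenant.

```sql
-- Added example, not Claimaro's code. Fields follow Section 4 of the page.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   uuid        NOT NULL,
    actor_id    uuid        NOT NULL,
    action      text        NOT NULL,   -- e.g. 'phi.reveal_ssn' (constructed value)
    resource    text        NOT NULL,   -- e.g. 'member:1234'    (constructed value)
    ip          inet,
    user_agent  text,
    reason      text                    -- captured for field-reveal actions (Section 2)
);

-- Any attempt to rewrite history fails loudly, whoever issues it.
CREATE OR REPLACE FUNCTION audit_log_block_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% blocked)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_block_mutation();

-- TRUNCATE bypasses row triggers, so it needs its own statement-level trigger.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_block_mutation();

-- Least privilege for the application role (assumed name app_rw): write and read only.
REVOKE ALL ON audit_log FROM app_rw;
GRANT INSERT, SELECT ON audit_log TO app_rw;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_rw;

-- Tenant admins export only their own tenant's rows; the application sets
-- app.tenant_id per request (assumed mechanism) before running the export query.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_log_tenant_read ON audit_log
    FOR SELECT
    USING (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- Constructed sample write, as the application would issue it.
INSERT INTO audit_log (tenant_id, actor_id, action, resource, ip, user_agent, reason)
VALUES ('11111111-1111-1111-1111-111111111111',
        '22222222-2222-2222-2222-222222222222',
        'phi.reveal_ssn', 'member:1234', '203.0.113.10',
        'Mozilla/5.0 (example)', 'claims adjudication');
```

The trigger stops the application role and ordinary users, but the table owner or a superuser can still drop it, so a log that must survive a compromised database account is also shipped off-box, which is what the SIEM forwarding option in this section provides.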

5. Infrastructure & network security

  • Hosting: Claimaro runs on Vercel (compute, CDN, edge) and Supabase / AWS (managed Postgres, storage, authentication) in U.S. regions. Both vendors are SOC 2 Type II certified and sign BAAs with us for the workloads that handle PHI.
  • Network controls: production databases are not exposed to the public internet for direct connections; application access goes through the Supabase connection pooler with credentials scoped per environment. Administrative database access requires VPN and is restricted to a small named set of engineers.
  • DDoS & bot protection: edge-level DDoS mitigation, WAF, and bot detection (Vercel BotID) are enabled on public surfaces. Authentication endpoints are rate-limited.
  • Logging & monitoring: application logs, error events, and performance traces are forwarded to Sentry and the Vercel observability stack. On-call engineers receive paging alerts for availability and security-relevant events.

6. Application security

  • Secure development lifecycle: all production changes go through pull request review, automated testing, type checking, and linting before merge. Security-sensitive changes (auth, RLS policies, payment paths) require a second reviewer.
  • Static analysis & dependency scanning: ESLint, TypeScript strict mode, secret-scanning, and automated dependency vulnerability scanning run on every commit. Critical CVEs in production dependencies are remediated within seven days.
  • Input validation & output encoding: all server actions validate input with Zod schemas at the trust boundary. The framework escapes output by default to prevent XSS. Parameterized queries prevent SQL injection.
  • RLS-first data model: tables with PHI carry tenant-scoped Row Level Security policies in addition to application-layer filters, so an application-layer filtering bug alone cannot leak data across tenants.
  • Browser security headers: we set HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Content Security Policy on application surfaces.
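The tenant-isolation backstop from Section 3 and the RLS-first data model above, as an added Postgres example that is not Claimaro's schema: a helper reads the caller's tenant from a per-request `app.tenant_id` session setting (an assumption; a Supabase deployment would more typically read a claim from the request's JWT), and a single policy both hides other tenants' rows and rejects writes into them, so a missing `WHERE tenant_id = ...` in application code cannot cross tenants. Run as a non-superuser role, since superusers bypass RLS.

```sql
-- Added example, not Claimaro's code. Assumes the application runs
-- SET LOCAL app.tenant_id = '<tenant uuid>' at the start of every transaction.
CREATE OR REPLACE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.tenant_id', true), '')::uuid
$$;

CREATE TABLE claims (
    id          uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id   uuid        NOT NULL DEFAULT current_tenant_id(),
    member_ssn  text,                             -- PHI; masked in the UI (Section 2)
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
ALTER TABLE claims FORCE ROW LEVEL SECURITY;

-- USING filters what SELECT/UPDATE/DELETE can see; WITH CHECK constrains what
-- INSERT/UPDATE may produce. A request with no tenant set matches nothing.
CREATE POLICY claims_tenant_isolation ON claims
    FOR ALL
    USING     (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Walk-through with constructed tenant ids.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO claims (member_ssn) VALUES ('xxx-xx-0001');   -- lands in tenant 1

-- Same transaction, now acting as tenant 2, with the application's filter "forgotten":
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM claims;   -- tenant 1's row is filtered out by the policy

-- An explicit attempt to write into tenant 1 from tenant 2's context
-- is rejected by the WITH CHECK clause and aborts the transaction.
INSERT INTO claims (tenant_id, member_ssn)
VALUES ('11111111-1111-1111-1111-111111111111', 'xxx-xx-0002');
ROLLBACK;
```

Because the policy is keyed on a session setting, the application must set it from the authenticated identity and never from request input; that assignment is the one place the isolation still depends on code, which is why the page pairs RLS with second-reviewer approval for RLS and auth changes.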

7. Vulnerability management

  • Penetration testing: we engage independent third-party penetration testers at least annually and on major architectural changes. Summary reports are available to qualified customers under NDA.
  • Continuous scanning: dependency, container, and infrastructure-as-code scanning run continuously. Findings are triaged into our standard severity workflow.
  • Patch cadence: critical vulnerabilities in production are remediated within seven days, high within 30 days, medium within 90 days, low at the next scheduled release.
  • Coordinated disclosure: see Section 13 below — we welcome reports from security researchers.

8. Incident response & breach notification

Claimaro maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. On-call engineers operate 24/7 for production availability events; security events follow a parallel escalation path that involves engineering leadership, legal, and (when applicable) the customer's HIPAA privacy officer.

In the event of a breach of unsecured PHI, we notify affected customers without unreasonable delay and within the timelines required by HIPAA and the signed BAA — typically within five business days and not later than 60 days from discovery. Notifications include the nature of the breach, the PHI involved, the steps customers should take, and the steps Claimaro is taking to investigate and mitigate.

9. Backups & business continuity

  • Backups: production databases are backed up continuously (point-in-time recovery) with daily snapshots retained for at least 30 days. Backups are encrypted and stored in a separate region.
  • Recovery objectives: our target Recovery Time Objective (RTO) is four hours and Recovery Point Objective (RPO) is one hour for production data. We test recovery procedures at least annually.
  • Multi-region resilience: compute is globally distributed via the Vercel edge. The primary database is regional with cross-region backups; failover plans are documented and exercised.

10. Subprocessors & vendor management

We rely on a short list of subprocessors to deliver the Service. Every subprocessor that may access PHI signs a BAA with us before being engaged. New subprocessors go through a documented vendor security review covering SOC 2 (or equivalent), HIPAA posture, data residency, and incident history.

Current core subprocessors include: Vercel (hosting, edge, build), Supabase / AWS (Postgres, storage, authentication), SendGrid (transactional and marketing email), Twilio (SMS), Sentry (error monitoring), and PCI-DSS Level 1 payment processors selected by the customer (Stripe, NMI, Authorize.net, Deluxe).

The current, complete subprocessor list is available to customers on request at security@claimaro.com. We notify customers in advance of material changes to the subprocessor list and provide a reasonable window to object.

11. Personnel security

  • Background checks: all employees and contractors with access to production systems complete a background check at hire.
  • Security & HIPAA training: all employees complete security and HIPAA privacy training at onboarding and annually thereafter. Engineering staff receive additional secure-development training.
  • Confidentiality agreements: all employees and contractors sign confidentiality agreements covering customer data and PHI.
  • Access reviews: production access is reviewed quarterly and revoked immediately upon role change or termination.

12. Shared responsibility

Security is a shared responsibility between Claimaro and our customers.

Claimaro is responsible for the security of the platform — infrastructure, encryption, application code, tenant isolation, audit logging, vendor management, and the controls described above.

Customers are responsible for the security of how they use the platform, including: configuring user accounts and roles, enforcing strong passwords and MFA for their own users, training their staff on HIPAA, controlling who they share access with, accurately classifying their data, and notifying us promptly of suspected account compromise.

13. Reporting a security issue

If you believe you have found a security vulnerability in Claimaro, please report it to security@claimaro.com. Include a clear description, steps to reproduce, and any relevant proof-of-concept. We acknowledge reports within two business days and will keep you updated through remediation. We do not pursue legal action against researchers who report in good faith, stay within the scope below, and give us a reasonable window to remediate before public disclosure.

In scope: claimaro.com, app.claimaro.com, and authenticated areas of the platform using a researcher-owned test account.

Out of scope: denial-of-service testing, social engineering of employees or customers, physical attacks, testing against other customers' tenants, and any access to real PHI.

14. Contact

Note: This document describes the security program at Claimaro at the date above. Specific control descriptions, certifications, and subprocessor lists evolve over time — request the current SOC 2 report and subprocessor list before relying on this page for procurement decisions.